AiTM & Reverse Proxy Protection
Detecting sophisticated attacks that intercept your session tokens to bypass Multi-Factor Authentication (MFA).
Visual Button Detection
We detect Microsoft-style login buttons (specific blue color #0067b8 with white text) on non-Microsoft domains, a common indicator of AiTM phishing pages.
Domain Verification
We verify that the page is not on a legitimate Microsoft domain before triggering alerts, preventing false positives.
Pattern Matching
We look for specific text patterns like "sign" and "next" in button text, combined with Microsoft-style visual design, to identify lookalike pages.
What is an AiTM Attack?
Adversary-in-the-Middle (AiTM) is a technique where an attacker sits between you and the real website. When you enter your password and 2FA code, the attacker forwards them to the real site, logs you in, and then steals the Session Cookie that proves you are logged in.
Tozetta Defense Strategy
Tozetta detects AiTM phishing pages by analyzing visual elements that attackers use to mimic Microsoft login pages:
- Color Pattern DetectionWe detect the exact Microsoft blue button color (#0067b8) with white text, which is commonly used in AiTM phishing pages to trick users.
- Text Pattern AnalysisWe look for specific button text patterns like "sign" and "next" that are commonly found in Microsoft login flows.
- Domain Whitelist CheckWe verify that the page is not on a legitimate Microsoft domain (microsoft.com, microsoftonline.com, etc.) before triggering alerts.