Modern adversary-in-the-middle phishing attacks proxy the real Microsoft 365 login experience, making traditional detection techniques mostly ineffective. M365 AitM Block is a lightweight browser extension for Chrome and Edge that detects these attacks at the point of interaction. This post explains the technical journey that led to the extension and the problem it solves.
Popularity of Adversary-in-the-Middle
Over the past years, we’ve seen adversary-in-the-middle (AitM) phishing become the dominant technique for targeting Microsoft 365 accounts. Instead of cloning login pages, these kits proxy the real Microsoft authentication flow, which makes many traditional detection methods (URL reputation, static fingerprints, HTML analysis) largely ineffective.
This is exactly why we introduced EAST (our anti-phishing tool) to all our customers last year. EAST injects a highly visible background and warning message through CSS whenever the authentication flow is loaded with an unexpected (non-Microsoft) HTTP Referer. In practice, this proved very effective against a wide range of phishing kits: it made it immediately obvious to users that they should not enter their credentials.

However, as AitM phishing matured, we started to see its limitations. Modern kits increasingly proxy not just the authentication flow but also the surrounding assets and styles, which neutralises the visual signal. At the same time, real-world usage showed that even a clear, passive warning can still be ignored by a user under pressure to log in.
Together, these developments made it clear that while EAST remains valuable, it can no longer be the only line of defense against modern AitM attacks.
Browser extension
As our CSS-based detection is constrained by the small set of branding options Microsoft (Azure) offers, we had to use something else. We quickly realised a browser extension was our best bet: if modern AitM attacks operate entirely inside the browser, then that is also the place to stop them.
We tested some third-party browser extensions claiming to detect AitM, but initial tests showed that the phishing kits we were dealing with at the time happily bypassed them. We were surprised that, despite the widespread abuse of these kits, we could not find a robust, freely available browser extension capable of reliably detecting malicious Microsoft 365 login pages at the moment of interaction.
That raised a simple but important question: is it really that hard to detect this with a browser extension?
Obfuscation and anti-debugging
When we analyzed the most recent kits, we found that most go to great lengths to resist browser inspection. Source code, styles, and assets are heavily obfuscated, and some kits actively interfere with debugging or analysis. No wonder all the browser extensions we tested struggled with detection!
But that got us thinking. No matter how heavily an AitM phishing kit disguises its source code or runtime behavior, it still has to guide the user through a familiar Microsoft login flow.
So, instead of trying to peel back layers of obfuscation, we focused on what attackers cannot freely change without breaking the login experience itself. Even the most sophisticated kit can hide its implementation, but not the core interaction it depends on, because that has to look exactly like Microsoft’s native login flow; otherwise victims would be scared away. That realization turned out to be enough.
Detection mechanism (mostly redacted)
TL;DR: as we don’t want to aid phishing kit developers, we have intentionally redacted the detailed detection logic in this post. Readers interested in the concrete implementation are invited to review the extension’s source code directly. 😉
At a high level, the detection mechanism behind M365 AitM Block is intentionally simple. It observes a limited set of specific DOM elements related to how users interact with a Microsoft-style login flow, combined with some unique layout properties we identified during extensive testing.
Our prototype was able to detect 13 of the 15 active, real phishing pages we tested, without generating false positives. In later tests we added a heuristics layer that applies tolerances, because some phishing kits try to modify even the core elements of the login flow we use for detection. With this addition we reached a 100% detection rate on the pages we tested at the time of writing.
The nice thing is that the detection logic does not rely on any remote callbacks: it is a simple yet effective mechanism that runs entirely offline in the end user’s browser.
Scanning intervals
One implementation detail we can share: during our tests we identified several tricks attackers use to bypass email gateways and other detection systems:
- delayed page rendering and multiple redirects;
- dynamically injected components (AJAX);
- CDN-based fronting with human-verification logic.
That’s why the extension continuously scans and re-evaluates the rendered page at short intervals, rather than relying on a single page-load snapshot. A login form that only appears after the redirects, the dynamic injection or the human-verification gate have completed is therefore still detected, which defeats this evasive behaviour in modern phishing kits.
End-user experience
When a Microsoft login flow is detected but the domain name in the address bar does not match a Microsoft-owned domain, the user is presented with a clear, graphical warning, as shown in the demo video.
Importantly, this intervention is interruptive but reversible: users can dismiss the warning in edge cases, so legitimate workflows are never permanently blocked. There is no silent blocking or background decision-making without user awareness.
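As an added illustrative example (not code from the extension, whose detection logic this post deliberately withholds), the JavaScript below puts the two host checks described in this post side by side: the EAST-style server-side Referer check from the earlier section, and the address-bar check the extension performs once a login flow is detected, driven by a re-scanning loop instead of a single page-load snapshot. The host list, the `loginfmt`-based stand-in heuristic, the element snapshot format and the delayed-rendering sample page are all assumptions made for this example.

```javascript
// Added example, not the extension's own code. The host list, the stand-in
// heuristic, the snapshot format and the sample page are all assumptions.

// Hosts assumed to legitimately serve the Microsoft sign-in flow.
const MICROSOFT_LOGIN_HOSTS = [
  'login.microsoftonline.com',
  'login.microsoft.com',
  'login.live.com',
  'login.windows.net',
];

// Exact or subdomain match only: a suffix/substring test would accept
// "login.microsoftonline.com.evil.example". Case and trailing dot are normalised.
function isMicrosoftLoginHost(hostname) {
  const host = String(hostname).toLowerCase().replace(/\.$/, '');
  return MICROSOFT_LOGIN_HOSTS.some((d) => host === d || host.endsWith('.' + d));
}

// EAST-style server-side decision: branding CSS loads an asset from a server
// you control, which looks at who embedded it. 'normal' only when the Referer
// is a Microsoft login host; a missing Referer (strict Referrer-Policy) is
// reported separately so you can choose how to treat it. A kit that fetches
// the asset server-side can send any Referer it likes, which is why the
// browser-side check below is the stronger signal.
function classifyReferer(refererHeader) {
  if (!refererHeader) return 'unknown';
  let host;
  try {
    host = new URL(refererHeader).hostname;
  } catch {
    return 'warn';
  }
  return isMicrosoftLoginHost(host) ? 'normal' : 'warn';
}

// Stand-in for the redacted detection logic: a page counts as a Microsoft
// sign-in flow if it has the username field Microsoft's page uses (an input
// named "loginfmt") plus a Next/submit control. Snapshots are plain arrays of
// { tag, attrs, text } so this runs outside a browser.
function looksLikeMicrosoftLogin(snapshot) {
  const hasUserField = snapshot.some((el) => el.tag === 'input' && el.attrs.name === 'loginfmt');
  const hasNext = snapshot.some(
    (el) =>
      (el.tag === 'input' && el.attrs.type === 'submit') ||
      (el.tag === 'button' && /^next$/i.test(el.text || '')),
  );
  return hasUserField && hasNext;
}

// One tick's verdict. hostname is what the address bar shows (location.hostname
// in a content script): the kit controls the page content but not that value.
function evaluateSnapshot(snapshot, hostname) {
  if (!looksLikeMicrosoftLogin(snapshot)) return 'no-login-flow';
  return isMicrosoftLoginHost(hostname) ? 'legitimate' : 'aitm-suspected';
}

// Deterministic re-scan loop: takeSnapshot(tick) is called once per tick, so a
// form injected after redirects, AJAX or a "human verification" gate is still
// seen, where a single page-load snapshot would miss it.
function scanUntilDecided(takeSnapshot, hostname, { maxTicks = 50 } = {}) {
  for (let tick = 1; tick <= maxTicks; tick++) {
    const verdict = evaluateSnapshot(takeSnapshot(tick), hostname);
    if (verdict !== 'no-login-flow') return { verdict, tick };
  }
  return { verdict: 'no-login-flow', tick: maxTicks };
}

// Timer-driven variant for a real content script; returns a cancel function.
function startScanner(takeSnapshot, hostname, onVerdict, intervalMs = 500, maxTicks = 60) {
  let tick = 0;
  const handle = setInterval(() => {
    tick += 1;
    const verdict = evaluateSnapshot(takeSnapshot(tick), hostname);
    if (verdict !== 'no-login-flow' || tick >= maxTicks) {
      clearInterval(handle);
      onVerdict(verdict, tick);
    }
  }, intervalMs);
  return () => clearInterval(handle);
}

// Constructed sample page: two ticks of a "checking your browser" gate, then
// the sign-in form is injected on tick 3.
function constructedDelayedPage(tick) {
  if (tick < 3) return [{ tag: 'div', attrs: {}, text: 'Checking your browser...' }];
  return [
    { tag: 'input', attrs: { type: 'email', name: 'loginfmt' }, text: '' },
    { tag: 'input', attrs: { type: 'submit', value: 'Next' }, text: '' },
  ];
}
```

In a content script, `takeSnapshot` would read the relevant elements with `document.querySelectorAll` and `hostname` would be `location.hostname`; `startScanner(takeSnapshot, location.hostname, showWarning)` gives the interval-based re-evaluation described above, and a MutationObserver can trigger an extra evaluation between ticks. Keep the allowlist limited to hosts that actually serve the sign-in flow: a broad Microsoft-owned suffix that also hosts arbitrary customer content would let a kit hosted there pass the address-bar check.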
Test it yourself (Chrome/Edge)
Make sure you’re using the Chrome browser (or Edge) on your desktop or laptop and go to the AitM Block browser extension in the Chrome Web Store. On the extension page, click the blue Add to Chrome (on Edge: click Get) button. A pop-up will appear asking for confirmation.
Click Add Extension to complete the installation. Once installed, you’ll see the extension icon appear in the top-right corner of your browser, next to the address bar. If it is still hidden, click the puzzle piece icon next to the address bar and pin the extension so it is always visible.

By clicking on the extension icon, you can enable or disable AitM Block globally.
Feedback
We encourage defenders and researchers to test this approach in practice. If you come across a live Microsoft 365 AitM phishing setup, feel free to validate the behavior of the extension against it. We built M365 AitM Block to operate under real-world conditions, including modern evasion techniques, and we’re genuinely interested in feedback, edge cases, and samples that challenge its assumptions.
About Eye Security
We are a European cybersecurity company focused on 24/7 threat monitoring, incident response, and cyber insurance. Our research team performs proactive scans and threat operations across the region to defend our customers and their supply chains.
This research was conducted by the Eye Security Threat Research Team, dedicated to detecting and disrupting emerging attack techniques across Europe. Read more about our recent work.
Learn more about Eye Security at https://eye.security/ and follow us on LinkedIn to help us spread the word. You are also invited to read our corporate blog for customers and partners about AitM Block including a demo video.