
Okta Study Reveals Persistent Threat of AiTM Phishing Attacks Over 26 Months
Okta researcher Faelan presented a 26-month study (June 2023–July 2025) analyzing malicious adversary-in-the-middle (AiTM) phishing attacks by examining 3 billion phishing-resistant authentication events from Okta FastPass, a passwordless authenticator. The methodology involved identifying failed authentication attempts due to domain mismatches—a cryptographic rejection of phishing sites—then validating malicious origins through expert analysis, AI-assisted classification, and direct customer feedback, achieving a 20% response rate for March–July 2025 events. Findings revealed that 0.12% of organizations experienced at least one Evil Proxy AiTM user engagement monthly, with attacks leveraging commercial cloud providers (e.g., Akamai, Digital Ocean) and disposable domains, primarily targeting U.S.-based professional services firms via Microsoft Office 365. The study established a conservative lower-bound estimate, noting that traditional MFA fails against AiTM, while phishing-resistant authentication both blocks attacks and generates high-fidelity alerts for missed threats. Customer validation exposed security gaps, with five of seven validated Evil Proxy incidents undetected by organizations for up to 15 days, highlighting the need for improved detection and response integration. The research concluded that AiTM phishing is a persistent, scalable threat, with attackers outpacing defenders due to low adoption of phishing-resistant MFA (14% user-level adoption).
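The study's core signal is the origin mismatch: a phishing-resistant authenticator only signs for the origin its credential is bound to, so a proxy serving a copied login page from its own domain produces a logged failure rather than a stolen session. The following added example (not Okta's code and not FastPass data) shows that binding check, turns the resulting failures into alerts, and computes the same shape of per-month, per-organization metric the study reports; the event format, organization ids and domains are constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

def origin_matches_rp(origin: str, rp_id: str) -> bool:
    """WebAuthn-style origin binding: the origin the browser signs into the
    assertion must be the RP ID itself or a registrable subdomain of it.
    A proxy serving a copied login page from its own domain fails this check
    before any credential is released, so the phishing attempt becomes a
    logged authentication failure instead of a captured session."""
    host = (urlsplit(origin).hostname or "").lower()
    # Suffix match with a leading dot: "rp.test.proxy.test" must NOT match "rp.test".
    return host == rp_id or host.endswith("." + rp_id)

def parse_events(text: str) -> list:
    """Parse JSON-lines authentication events (a constructed format for this example)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def mismatch_alerts(events: list) -> list:
    """High-fidelity alerts: every event whose presented origin fails the RP binding."""
    return [(e["org"], e["month"], urlsplit(e["origin"]).hostname)
            for e in events if not origin_matches_rp(e["origin"], e["rp_id"])]

def monthly_org_rate(events: list) -> dict:
    """Per month: share of active orgs with at least one origin-mismatch event.
    This is a lower bound, as in the study: only attempts that reached a
    phishing-resistant authenticator are visible at all."""
    active, hit = defaultdict(set), defaultdict(set)
    for e in events:
        active[e["month"]].add(e["org"])
        if not origin_matches_rp(e["origin"], e["rp_id"]):
            hit[e["month"]].add(e["org"])
    return {m: len(hit[m]) / len(active[m]) for m in active}

# Constructed sample events: the real IdP host, a legitimate subdomain, one
# look-alike domain and one subdomain-prefix proxy host. Not real indicators.
SAMPLE_EVENTS = """
{"org":"org-a","month":"2025-03","rp_id":"login.idp.test","origin":"https://login.idp.test"}
{"org":"org-a","month":"2025-03","rp_id":"login.idp.test","origin":"https://login.idp.test.proxy.test"}
{"org":"org-b","month":"2025-03","rp_id":"login.idp.test","origin":"https://sso.login.idp.test"}
{"org":"org-c","month":"2025-03","rp_id":"login.idp.test","origin":"https://login.idp.test"}
{"org":"org-c","month":"2025-04","rp_id":"login.idp.test","origin":"https://l0gin-idp.test"}
{"org":"org-a","month":"2025-04","rp_id":"login.idp.test","origin":"https://login.idp.test"}
"""

if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for alert in mismatch_alerts(events):
        print("AiTM candidate (origin mismatch):", alert)
    print(monthly_org_rate(events))
```

The suffix check with a leading dot is the edge case worth noting: a naive substring test would accept `login.idp.test.proxy.test`, which is exactly the host shape a reverse proxy uses.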