Website-over-Website: Window or Illusion?
- José Pablo Molina Ávila

- Dec 22, 2025
- 2 min read
Ana opens her email on a Monday.
A year-end benefits notice looks legitimate, with secure links and familiar branding.
When she clicks, the login portal looks just like usual; there’s even a pop-up asking to approve MFA.
Unsuspecting, she taps “Approve.”
On the other side, an APT group — patient, methodical — celebrates: they didn’t break your encryption; they infiltrated your routine.
Their trick is called website-over-website: an HTML/CSS overlay that mimics the authentication window and integrates with scripts or add-ins to capture your second factor while a proxy forwards everything to the real service.
This way, the session is valid… but on the attacker’s device.

Adversary-in-the-Middle (AiTM) campaigns have evolved to bypass MFA by capturing session cookies and tokens when users log in to portals that look identical to Microsoft 365 or Okta.
The flow appears normal, the browser lock icon is “green,” and a “trusted” pop-up asks you to confirm.
Result: full access, with no further MFA prompt.
In APT-backed operations, this initial access is rarely the end.
With that session, attackers move quietly: reading emails, changing rules, BEC (business email compromise), and deploying backdoors to persist for weeks.
Public kits and frameworks (like Evilginx) make attack logistics cheaper and enable a dynamic overlay almost indistinguishable from the original portal.
Why is this dangerous for anyone—even careful users?
- Perfect imitation: the overlay replicates the design, scripts, and behavior of the real site.
- If you give up your MFA, they’re in: the adversary gets a direct session; they don’t need your password again.
- Combined with MFA fatigue: they bombard you with requests until you approve out of exhaustion.

Cyber defense teams warn: identity is the new battlefield.
Attackers don’t break firewalls—they “log in,” exploiting trust and recovery flows.
The answer? Phishing-resistant MFA (FIDO/WebAuthn), token protection, and continuous identity anomaly detection.
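One concrete form of the “continuous identity anomaly detection” mentioned above is to look for the footprint an AiTM proxy leaves in sign-in logs: a session cookie that was minted at an interactive MFA sign-in and is then presented from a different client shortly afterwards. The following is an added example, not code from the original post or from any vendor; the event shape, field names and IP/user-agent values are constructed to loosely resemble Entra-style sign-in records.

```python
"""Flag possible AiTM session-token replay in sign-in logs (added example).

Heuristic: a session ID issued at an interactive sign-in where MFA was
approved, and later presented from a different (IP, user agent) pair within a
short window, is a token-theft candidate. AiTM kits hand the real session
cookie to the attacker's browser, which rarely matches the victim's client.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; users, IPs, session IDs and user agents are made up.
SAMPLE_EVENTS = [
    {"ts": "2025-12-22T08:01:10Z", "user": "ana@example.com", "session": "s-1001",
     "type": "interactive", "mfa": "approved", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120"},
    # Same session cookie, two minutes later, from another IP and browser.
    {"ts": "2025-12-22T08:03:42Z", "user": "ana@example.com", "session": "s-1001",
     "type": "token", "mfa": "none", "ip": "198.51.100.77",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/121"},
    {"ts": "2025-12-22T09:15:00Z", "user": "luis@example.com", "session": "s-1002",
     "type": "interactive", "mfa": "approved", "ip": "192.0.2.25",
     "ua": "Mozilla/5.0 (Macintosh) Safari/17"},
    # Benign: the cookie is reused by the same client that completed MFA.
    {"ts": "2025-12-22T09:40:13Z", "user": "luis@example.com", "session": "s-1002",
     "type": "token", "mfa": "none", "ip": "192.0.2.25",
     "ua": "Mozilla/5.0 (Macintosh) Safari/17"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_token_replay(events, window=timedelta(hours=24)):
    """Return one alert per session whose cookie is used from a client other
    than the one that completed MFA, within `window` of issuance."""
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    alerts = []
    for session_id, evs in by_session.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        issued = next((e for e in evs
                       if e["type"] == "interactive" and e["mfa"] == "approved"), None)
        if issued is None:
            continue  # no MFA-backed issuance on record; nothing to compare against
        origin = (issued["ip"], issued["ua"])
        for event in evs:
            if event is issued or event["type"] != "token":
                continue
            delta = parse_ts(event["ts"]) - parse_ts(issued["ts"])
            if delta > window:
                continue
            if (event["ip"], event["ua"]) == origin:
                continue
            changed = [name for name, a, b in (("ip", issued["ip"], event["ip"]),
                                               ("user_agent", issued["ua"], event["ua"]))
                       if a != b]
            alerts.append({
                "user": event["user"],
                "session": session_id,
                "issued_from": origin,
                "used_from": (event["ip"], event["ua"]),
                "minutes_after_mfa": int(delta.total_seconds() // 60),
                "reason": "+".join(changed),
            })
            break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_token_replay(SAMPLE_EVENTS):
        print(alert)
```

The window and the “any change in IP or user agent” rule are deliberately strict; in production you would widen the tolerance for mobile carrier IP churn and compare against each user’s baseline rather than a single issuance event, but the core signal (MFA approved from one client, session consumed by another) is the same one Microsoft’s token-protection controls are built around.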
How to lock down your defenses
- Question the context: did you initiate the access? If not, don’t approve.
- Use physical FIDO2/WebAuthn keys for critical accounts; SMS and push are far more vulnerable to relay and “fatigue” attacks.
- Enable session protections and token policies (e.g., in Microsoft Entra).
- Verify the URL and domain for every MFA or consent prompt; look-alike sites are part of the APT playbook.
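Why FIDO2/WebAuthn resists the overlay-plus-proxy trick, in code: the browser, not the page’s JavaScript, writes the origin it is actually on into clientDataJSON, and the authenticator hashes that origin’s domain into authenticatorData. A proxy can forward the real service’s challenge unchanged, but the relying party still sees the look-alike origin and rejects the assertion. The following is an added example that simulates those two WebAuthn verification steps; it is not code from the original post or from any WebAuthn library, the relying-party ID and origins are constructed, and signature verification over the assertion is deliberately left out to keep the focus on origin binding.

```python
"""Simulated WebAuthn origin binding (added example, not a real library).

Shows the two relying-party checks that make a passkey useless on a
look-alike domain: the `origin` field of clientDataJSON and the rpIdHash
prefix of authenticatorData. The signature check is omitted here.
"""
import hashlib
import json
import secrets

# Constructed relying party; real deployments configure these values.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def browser_build_assertion(page_origin, challenge):
    """Simulated browser + authenticator. The browser fills `origin` from the
    page it is really on and hashes that origin's host as the RP ID; the
    page's scripts cannot overwrite either value."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    rp_id_hash = hashlib.sha256(host.encode()).digest()   # 32 bytes
    flags = b"\x05"                                        # UP | UV (constructed)
    sign_count = (1).to_bytes(4, "big")
    authenticator_data = rp_id_hash + flags + sign_count
    return client_data_json, authenticator_data


def rp_verify(client_data_json, authenticator_data, expected_challenge,
              rp_id=RP_ID, allowed_origins=ALLOWED_ORIGINS):
    """Relying-party side. Returns (ok, reason)."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        # This is where an AiTM overlay fails: the proxied challenge is fine,
        # but the browser reported the attacker's domain as the origin.
        return False, f"unexpected origin {origin}"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        # Defense in depth: even a forged origin string does not match the
        # hash the authenticator computed for the real page's domain.
        return False, "rpIdHash mismatch"
    return True, "ok"


def attempt_login(page_origin):
    """End-to-end ceremony for a user whose browser is on `page_origin`.
    The challenge is relayed unchanged, exactly as a proxy would do."""
    challenge = secrets.token_urlsafe(32)
    client_data_json, authenticator_data = browser_build_assertion(page_origin, challenge)
    return rp_verify(client_data_json, authenticator_data, challenge)


if __name__ == "__main__":
    print(attempt_login("https://login.example.com"))       # (True, 'ok')
    print(attempt_login("https://login.example-com.test"))  # rejected: origin
```

Contrast this with a push or OTP approval, which carries no notion of where the user was when they approved: the proxy relays it and the real service accepts it. With WebAuthn the same relay produces an assertion bound to the wrong origin, which is the property the “phishing-resistant MFA” recommendation above relies on.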
Hashtags: #CyberSecurity #PhishingProtection #IdentitySecurity #MFA #ZeroTrust #AiTM #ThreatIntelligence
Sources:
- Microsoft Community Hub, Defeating Adversary-in-the-Middle phishing attacks (Microsoft Entra): https://techcommunity.microsoft.com/blog/microsoft-entra-blog/defeating-adversary-in-the-middle-phishing-attacks/1751777
- Sophos X-Ops, Stealing user credentials with Evilginx: https://www.sophos.com/en-us/blog/stealing-user-credentials-with-evilginx
- Sekoia.io, Global analysis of Adversary-in-the-Middle phishing threats: https://blog.sekoia.io/global-analysis-of-adversary-in-the-middle-phishing-threats/
- SecurityWeek, Five Cybersecurity Predictions for 2026: Identity, AI, and the Collapse of Perimeter Thinking: https://www.securityweek.com/five-cybersecurity-predictions-for-2026-identity-ai-and-the-collapse-of-perimeter-thinking/
- CISA (phishing guidance), Phishing Guidance: Stopping the Attack Cycle at Phase One: https://www.cisa.gov/sites/default/files/2025-03/Phishing%20Guidance%20-%20Stopping%20the%20Attack%20Cycle%20at%20Phase%20One%20508.pdf