Direct answer
What is AiTM phishing? AiTM phishing is a reverse-proxy technique that relays a real login flow and can capture session material after authentication.
How it differs from basic phishing
Basic phishing usually captures only the password a victim submits. An AiTM setup instead sits between the victim and the real service, relaying the authentication exchange in real time and stealing the session material issued once it completes, so it is not stopped by the password alone. This makes liveness, redirect behaviour, headers, cookie handling and proxy fingerprints important defensive indicators.
Observable signals
Useful defensive signals include suspicious domains, TLS/certificate timing, reverse-proxy fingerprints, websocket endpoints, JS injection markers, anti-bot behaviour, login-page visual similarity, and repeated infrastructure.
Safe response
PhishNet promotes these signals to high-risk review or confirmed status only when they are backed by evidence, source quality, liveness checks, trusted feeds or analyst confirmation.
How PhishNet uses this
Inside PhishNet this topic is treated as operational graph context: observations are linked to sources, evidence, Belgian relevance, confirmation state, liveness, campaigns and exports. Public pages explain the method; authenticated users can pivot into the full platform workflow when a signal needs investigation or handoff.
Selected sources and research
These pages combine PhishNet platform knowledge with public research, official Belgian sources and open OSINT documentation.
Common questions
What is AiTM phishing?
AiTM phishing is a reverse-proxy technique that relays a real login flow and can capture session material after authentication.
What should defenders collect?
Defenders should collect screenshots, redirect chains, DNS/HTTP liveness results, certificate timing, page hashes, response headers, source provenance and identity-platform evidence.
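The following is an added illustration, not PhishNet code, of how the observable signals listed above can be weighted and then gated by the confirmation rule from "Safe response": a sighting reaches high-risk review only with liveness evidence, and confirmed only with analyst confirmation or a trusted-feed hit on a live page. The Observation schema, the weights and the sample record (".invalid" placeholder domains) are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    """One suspected AiTM login page. Constructed schema for this example, not PhishNet's."""
    domain: str
    redirect_chain: list[str]   # hosts from lure to final page
    cert_age_hours: float       # hours between leaf cert issuance and first sighting
    is_live: bool               # DNS/HTTP liveness at check time
    headers: dict[str, str]     # final response headers
    proxy_fingerprint: bool     # reverse-proxy markers in the relayed responses
    js_injection: bool          # scripts injected into the relayed page
    anti_bot: bool              # scanner checks / redirects to benign content
    visual_similarity: float    # 0..1 similarity to the real login page
    trusted_feed_hit: bool = False
    analyst_confirmed: bool = False

def score_signals(obs: Observation) -> tuple[int, list[str]]:
    """Weight the observable signals; weights are illustrative, not PhishNet's."""
    checks = [
        (obs.cert_age_hours < 48, 2, "certificate issued <48h before sighting"),
        (len(obs.redirect_chain) >= 3, 1, "multi-hop redirect chain"),
        (obs.proxy_fingerprint, 2, "reverse-proxy fingerprint"),
        (obs.js_injection, 1, "JS injection marker"),
        (obs.anti_bot, 1, "anti-bot behaviour"),
        (obs.visual_similarity >= 0.9, 2, "login page visually matches target"),
        ("set-cookie" in {k.lower() for k in obs.headers}, 1,
         "session cookies set on lookalike domain"),
    ]
    hits = [(w, r) for ok, w, r in checks if ok]
    return sum(w for w, _ in hits), [r for _, r in hits]

def triage(obs: Observation) -> tuple[str, int, list[str]]:
    """Gate the score: high-risk review or confirmed only with backing evidence."""
    score, reasons = score_signals(obs)
    if obs.analyst_confirmed or (obs.trusted_feed_hit and obs.is_live):
        return "confirmed", score, reasons
    if score >= 4 and obs.is_live:
        return "high-risk review", score, reasons
    if score >= 2:
        return "review", score, reasons   # signals present but no liveness backing
    return "low", score, reasons

# Constructed sample: a live lookalike relaying a login flow (placeholder domains).
SAMPLE = Observation(
    domain="login-example.invalid",
    redirect_chain=["lure.invalid", "r.invalid", "login-example.invalid"],
    cert_age_hours=6, is_live=True, headers={"Set-Cookie": "sid=...; Secure"},
    proxy_fingerprint=True, js_injection=True, anti_bot=True, visual_similarity=0.97)
```

Running `triage(SAMPLE)` yields "high-risk review" with a score of 10; the same record with `is_live=False` drops to "review" because liveness is part of the required backing.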