Service · Anti-phishing AiTM · M365 + Google · FREE

Modern phishing bypasses MFA. The Interceptor doesn't.

AiTM attacks don't just steal credentials: they capture the session token after authentication, making MFA useless. Fortgale blocks the attack before the user interacts with the malicious proxy.

Activate the Interceptor — Free Anatomy of an AiTM →

91 %Attacks via phishing

5+ yearsIn production

0Compromised credentials

Fortgale · Interceptor

Active alert

⚠️

AiTM attack detected

This page uses a proxy to intercept your credentials and MFA token. Do not enter any data.

hxxps://m1cr0s0ft-login[.]verify-token[.]net/aitm/...

Compliance · email security

NIS2 ready

DORA

ISO 27001

GDPR

Compatibility

Microsoft 365

Google Workspace

Entra ID

FIDO2 / TOTP

Why it works against AiTM

It acts on the page, not on the email.

Classic anti-phishing solutions intervene before delivery. Fortgale operates where traditional filters fail: at the moment when the user is about to surrender credentials.

01 ·

Behavioural protection

Operates on the page behaviour at destination, not on the delivery channel. Effective even when the message bypasses SEG, sandbox and DNS filters.

02 ·

MFA-proof by design

Designed for AiTMs that bypass MFA: acts before the token is generated in a fraudulent context, making theft structurally impossible.

03 ·

Zero infrastructure changes

No changes to DNS, mail servers or M365 tenant. Guided onboarding in a few hours. Compatible with FIDO2, TOTP, hardware keys and all MFA providers.

Proof · real sectors

Four sectors where Fortgale is already operational.

Banking

AiTM campaigns
on financial M365 portals

Shipping

BEC + AiTM
against logistics operators

Manufacturing

Spear-phishing
across hybrid M365 supply chains

Critical infra

NIS2 operators
with auditable reporting

Anatomy of an AiTM attack

Five steps · the Interceptor blocks it before the first.

The AiTM proxy makes MFA useless. The only defence is to act on the destination page, before the user types.

01 · Email

Phishing email delivered

The phishing email bypasses SEG, sandbox and DNS filters. It contains a link to a seemingly legitimate AiTM proxy.

02 · Proxy

AiTM proxy activated

The user clicks. The transparent proxy (Evilginx, Modlishka, Muraena) relays traffic to the real M365 portal.

03 · Credentials

Credentials + MFA captured

The user enters credentials and the second factor. The proxy captures everything: password and MFA code.

04 · Token

Session token stolen

Microsoft issues the session token. The proxy intercepts and reuses it autonomously, bypassing MFA.

05 · Block

Fortgale Interceptor

The Interceptor detects the proxy and blocks the user before step 1. No data is ever transmitted.

What the service includes

Six pillars of AiTM protection.

Behavioural protection

Operates on the destination page behaviour, not on the delivery channel. Effective even when the message bypasses SEG, sandbox and DNS filters.

MFA-proof by design

Designed for AiTMs that bypass MFA: acts before the token is generated in a fraudulent context, making theft structurally impossible.

Zero infrastructure changes

No changes to DNS, mail servers or M365 tenant. Guided onboarding in a few hours, with no impact on user productivity.

M365 + Google Workspace coverage

Protection for both Microsoft 365 (Exchange Online, SharePoint, Teams) and Google Workspace (Gmail, Drive, Meet).

Real-time intelligence

Powered by the Fortgale Intelligence Feed: new AiTM infrastructure, emerging phishing kits, lookalike domains detected and blocked in real time.

Visibility & reporting

Centralised dashboard of intercepted attacks, users involved, target sectors. CISO reporting with MTTD/MTTR metrics and monthly trends.

Integrated defence

The Interceptor prevents. The other services complete the coverage.

Post-compromise

ITDR · Identity Protection

360° identity security from on-prem AD to Entra ID and Cloud. Detection & response on compromised credentials.

Discover ITDR →

Detection & Response

Managed Detection & Response

EDR/XDR governed by the European SOC. Triage in <15 min, containment ~11 min.

Discover MDR →

Intelligence

Intelligence Feed

34k+ IoCs per week · AiTM phishing domains, Evilginx/Modlishka kits, C2 infrastructure distributed via STIX/TAXII.

Discover the Feed →

FAQ

Everything to know before activating the Interceptor.

What is an AiTM phishing attack?

Adversary-in-The-Middle: a transparent proxy between user and legitimate site (M365). Captures credentials and MFA tokens, bypassing authentication. Dominant technique in advanced European campaigns. Frameworks: Evilginx, Modlishka, Muraena.

How does the Fortgale Interceptor work against AiTM?

Detects in real time the characteristic signals of AiTM proxy pages and displays a warning before credentials are entered. Analyses page and session behaviour, not the email channel.

Why is MFA not enough against AiTM?

MFA protects static credentials (username/password) but not the session token issued after authentication. The AiTM proxy receives the valid token — even after the second factor — and reuses it autonomously. The Interceptor acts earlier.

Does it also work with Google Workspace?

Yes. AiTM campaigns against Google are growing in manufacturing, logistics and professional services. Identical logic: a warning before credentials are entered.

How long does activation take?

Fast, non-invasive onboarding. No changes to infrastructure, mail servers, DNS, M365 tenant. Activation in a few hours. Team response within 24 working hours.

Start now — it's free

The next AiTM attack is already being prepared.

The Fortgale M365 Phishing Interceptor blocks AiTM phishing before credentials are entered — and before the session token is stolen. Free activation, no infrastructure changes, operational in a few hours.