Behavioural protection
Operates on the page behaviour at destination, not on the delivery channel. Effective even when the message bypasses SEG, sandbox and DNS filters.
AiTM attacks don't just steal credentials: they capture the session token after authentication, making MFA useless. Fortgale blocks the attack before the user interacts with the malicious proxy.
Classic anti-phishing solutions intervene before delivery. Fortgale operates where traditional filters fail: at the moment when the user is about to surrender credentials.
Operates on the page behaviour at destination, not on the delivery channel. Effective even when the message bypasses SEG, sandbox and DNS filters.
Designed for AiTMs that bypass MFA: acts before the token is generated in a fraudulent context, making theft structurally impossible.
No changes to DNS, mail servers or M365 tenant. Guided onboarding in a few hours. Compatible with FIDO2, TOTP, hardware keys and all MFA providers.
The AiTM proxy makes MFA useless. The only defence is to act on the destination page, before the user types.
The phishing email bypasses SEG, sandbox and DNS filters. It contains a link to a seemingly legitimate AiTM proxy.
The user clicks. The transparent proxy (Evilginx, Modlishka, Muraena) relays traffic to the real M365 portal.
The user enters credentials and the second factor. The proxy captures everything: password and MFA code.
Microsoft issues the session token. The proxy intercepts and reuses it autonomously, bypassing MFA.
The Interceptor detects the proxy and blocks the user before step 1. No data is ever transmitted.
Operates on the destination page behaviour, not on the delivery channel. Effective even when the message bypasses SEG, sandbox and DNS filters.
Designed for AiTMs that bypass MFA: acts before the token is generated in a fraudulent context, making theft structurally impossible.
No changes to DNS, mail servers or M365 tenant. Guided onboarding in a few hours, with no impact on user productivity.
Protection for both Microsoft 365 (Exchange Online, SharePoint, Teams) and Google Workspace (Gmail, Drive, Meet).
Powered by the Fortgale Intelligence Feed: new AiTM infrastructure, emerging phishing kits, lookalike domains detected and blocked in real time.
Centralised dashboard of intercepted attacks, users involved, target sectors. CISO reporting with MTTD/MTTR metrics and monthly trends.
The full programme: prevention with the Interceptor, post-compromise ITDR on AD and cloud, SOC monitoring. AiTM is one chapter, this is the book.
See the programme →EDR/XDR governed by the European SOC. Triage in <15 min, containment <30 min.
Discover MDR →34k+ IoCs per week · AiTM phishing domains, Evilginx/Modlishka kits, C2 infrastructure distributed via STIX/TAXII.
Discover the Feed →Adversary-in-The-Middle: a transparent proxy between user and legitimate site (M365). Captures credentials and MFA tokens, bypassing authentication. Dominant technique in advanced European campaigns. Frameworks: Evilginx, Modlishka, Muraena.
Detects in real time the characteristic signals of AiTM proxy pages and displays a warning before credentials are entered. Analyses page and session behaviour, not the email channel.
MFA protects static credentials (username/password) but not the session token issued after authentication. The AiTM proxy receives the valid token, even after the second factor, and reuses it autonomously. The Interceptor acts earlier.
Yes. AiTM campaigns against Google are growing in manufacturing, logistics and professional services. Identical logic: a warning before credentials are entered.
Fast, non-invasive onboarding. No changes to infrastructure, mail servers, DNS, M365 tenant. Activation in a few hours. Team response within 24 working hours.
We analyse the AITM phishing kits in circulation, reverse-proxy infrastructure, token hijack, reusable kits. the Supercar Phishing Kit and Phishing Kits Bypass MFA are just two examples of the research that fuels our M365 detections.

ABSTRACT The FBI recently issued an advisory on Kali365, a Phishing-as-a-Service platform that abuses legitimate Microsoft OAuth flows to bypass multi-factor authentication. Kali…
Read article →
Intelligence · Phishing Kit · Q1 2026 April 24, 2026Fortgale CTI14 min readRPT-26-0424 Observation of the quarter The 2026 phishing ecosystem has outpaced traditional defenses. M…
Read article →
In the high-stakes world of venture capital and corporate funding, where millions hang in the balance and sensitive financial data flows freely, a new breed of cyber threat is em…
Read article →
In February 2026, the Fortgale Incident Response team investigated a multi-stage intrusion attributed to Mora_001, a Russian-origin threat actor exploiting Fortinet vulnerabiliti…
Read article →
UPDATES: 27.11.2024: As mentioned by TrustWave, "Supercar Phishing Kit" has an high level of overlapping with the most recent update of "Rockstar 2FA Phishing-as-a-Service" 26.09…
Read article →
In the evolving landscape of cybersecurity threats, Fortgale is tracking PhishSurf Nebula, an advanced Cyber Espionage group active since 2021 and primarily targeting entities wi…
Read article →Analysis of 800 domains of the Kali365 PhaaS platform (OAuth Device Code Flow abuse): 85.8% hosted on Cloudflare Workers.
Read the analysis →The SOC rules come from direct analysis of real campaigns: 9 phishing kits profiled in the Q1 2026 CTI report.
Read the report →An AiTM attack against senior executives during an investment round was intercepted before compromise. No access was gained.
Read the case →Over 100 published analyses. Attributions corroborated by third parties such as Mandiant (Google), Amazon, SentinelOne and Huntress. European SOC, 24·7·365.
The Fortgale M365 Phishing Interceptor blocks AiTM phishing before credentials are entered, and before the session token is stolen. Free activation, no infrastructure changes, operational in a few hours.
No nurturing sequences, no auto-replies. One of our analysts calls you back within one business day.
The full Report (executive summary · operational IoCs · technical runbook) is restricted. Share two details and one of our analysts contacts you with access and a short technical briefing.
Response in 30 minutes, containment in 1–4 hours. Even if you are not a Fortgale customer.