🕵️Post-authentication session theft (AiTM)
Rather than stealing a password, this technique intercepts the session right after the victim validates their two-factor code — the attacker positions themselves as an invisible intermediary between the victim and the real service. The result: two-factor authentication did happen, but it accomplished nothing. In October 2025 alone, Microsoft blocked more than 13 million malicious emails linked to a single one of these kits ("Tycoon 2FA"), used against Microsoft 365 accounts worldwide.
Microsoft Defender for Office 365, October 2025☎️Telephone-oriented attack delivery (TOAD) phishing
An email with no link or attachment: just a number to call back about a suspicious invoice or a subscription to confirm. With no URL to scan or file to analyze, classic automated filters catch nothing — the scam plays out entirely on the phone, where a fake advisor walks the victim through installing remote-access software or handing over credentials. Research firm Trustwave measured a 140% rise in these campaigns between July and September 2024, with Microsoft, Norton, PayPal and DocuSign among the most impersonated brands.
Trustwave, 2024-2025The common thread: bypassing automation, not attention
Neither technique exploits a technical flaw in the classic sense — they exploit a structural limit of automated detection tools, by removing the very element those tools know how to analyze (a link, an attachment). What's left is a human interaction built to look legitimate: a login page identical to the real one, or a reassuring voice on the phone. That's exactly the kind of pattern a multi-channel protection needs to learn to recognize rather than scan.
Frequently asked questions
Does two-factor authentication still protect against phishing?
It's still useful against simple password theft, but not against an "adversary-in-the-middle" attack: the attacker intercepts the session right after the victim validates their code, so two-factor authentication has already happened — uselessly.
What is telephone-oriented attack delivery (TOAD) phishing?
An email with no link or attachment, just a phone number to call back for a credible reason (an invoice, a subscription). Once on the phone, a fake advisor walks the victim through installing software or handing over credentials.
Why do these techniques slip past automated filters?
Because they often contain neither a suspicious link nor a malicious attachment to scan — the scam plays out in human interaction, on the phone or on a page that perfectly mimics the real one.