
Stopping AiTM attacks: The defenses that actually work after authentication succeeds
The security industry has spent years building better authentication. Longer passwords, second factors, hardware tokens. And attackers responded by moving past authentication entirely.

Adversary-in-the-middle (AiTM) phishing does not steal credentials and replay them. It sits between the user and the legitimate service, watches a real authentication succeed in real time, and walks away with the session token that proves it happened. The login was genuine. The MFA prompt was real. The attacker just observed — and copied the result.

If you have read the analysis of how these attacks work, you understand the mechanism. This piece is about what comes after that understanding. Specifically: What ...