Association-anemone

How to defend Microsoft networks from man-in-the-middle attacks
asane

Once inside, attackers can add new authentication methods to bypass existing ones, often with the goal of building a rule that diverts certain emails so that the user or mailbox owner doesn’t see them being sent.
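A detection sketch for the sequence described above, added here as an illustration and not taken from the original article or from Microsoft: it flags an inbox rule that diverts mail when the same account registered a new authentication method shortly beforehand. The record schema, the 24-hour window and the sample events are constructed, and the operation names are assumptions modelled on Entra ID and Exchange Online audit activity names.

```python
from datetime import datetime, timedelta

AUTH_OPS = {"User registered security info"}      # assumed activity name
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}     # Exchange Online cmdlets
# Rule actions that take matching mail out of the owner's view.
DIVERT_ACTIONS = ("DeleteMessage", "ForwardAsAttachmentTo", "ForwardTo",
                  "MoveToFolder", "RedirectTo")

# Constructed sample records in a simplified, hypothetical schema.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:02:00", "user": "alice@example.com",
     "op": "User registered security info", "detail": {"method": "app"}},
    {"time": "2024-05-01T09:10:00", "user": "alice@example.com",
     "op": "New-InboxRule",
     "detail": {"SubjectContainsWords": "invoice", "MoveToFolder": "RSS Feeds"}},
    # Diverting rule with no preceding registration: not flagged.
    {"time": "2024-05-01T11:00:00", "user": "bob@example.com",
     "op": "New-InboxRule", "detail": {"MoveToFolder": "Newsletters"}},
    # Registration, then a rule six days later: outside the window.
    {"time": "2024-05-03T08:00:00", "user": "carol@example.com",
     "op": "User registered security info", "detail": {"method": "phone"}},
    {"time": "2024-05-09T08:00:00", "user": "carol@example.com",
     "op": "New-InboxRule", "detail": {"DeleteMessage": True}},
]

def find_suspicious_rules(events, window=timedelta(hours=24)):
    """Flag diverting inbox rules set soon after a new auth method."""
    last_registration = {}  # user -> time of latest auth-method registration
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["op"] in AUTH_OPS:
            last_registration[ev["user"]] = when
        elif ev["op"] in RULE_OPS:
            actions = [a for a in DIVERT_ACTIONS if ev["detail"].get(a)]
            registered = last_registration.get(ev["user"])
            if actions and registered and when - registered <= window:
                gap = int((when - registered).total_seconds() // 60)
                alerts.append({"user": ev["user"], "rule_time": ev["time"],
                               "actions": actions, "minutes_after": gap})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_rules(SAMPLE_EVENTS):
        print(alert)
```

In practice the two event types come from different logs, so they have to be normalised to a common user key and timestamp before a correlation like this can run.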

Preventing AiTM attacks requires a combination of techniques

To prevent AiTM attacks, Microsoft recommends using default security settings as a core policy set to improve your identity security posture. For more granular control, you’ll want to enable conditional access policies; implementing risk-based access policies is particularly useful.

“Conditional access policies evaluate login requests using additional identity-based signals such as user or group membership, IP location information, and device status, among others, and are applied to suspicious logins,” according to Microsoft.