The FBI announced this week that it had dismantled W3LL, a phishing-as-a-service platform that allowed criminals to bypass multi-factor authentication and compromise Microsoft 365 accounts. The kit was used against more than 17,000 victims. It cost $500 to buy.
I want to sit with that for a moment. Five hundred dollars. The price of a business flight. The price of two months of a mid-tier SaaS subscription. For $500, an attacker with no particular technical skill could purchase a tool that defeated the MFA you spent months persuading your organisation to deploy.
The defenders said MFA would stop phishing. The attackers spent a few years figuring out how to defeat it. Now the tool to do that is $500 and ships with customer support and update notifications. The defenders are still saying MFA stops phishing.
What AiTM Actually Does
Adversary-in-the-Middle phishing is not a sophisticated attack technique anymore. The W3LL kit — and the dozen others like it — deploys a reverse proxy between the victim and the real Microsoft login page. The victim sees a convincing login page, enters their credentials, and completes their MFA challenge. The authenticator app beeps. The TOTP code is accepted. The user thinks they’ve logged in successfully.
What actually happened: the proxy relayed every keystroke and every MFA response to the real Microsoft servers in real time, received the authenticated session token, and handed it to the attacker. The attacker now has a valid authenticated session. Your TOTP code did exactly what it was supposed to do — it just did it for an attacker.
This is not a new attack. It is not a cutting-edge research technique. Microsoft Defender for Office 365 has been detecting AiTM phishing infrastructure since at least 2022. The technique has been documented extensively. We’ve known that TOTP doesn’t stop it.
The Talking Points Haven’t Caught Up
Here is what I hear at every security conference, in every phishing training, in every board presentation about identity security: “We’ve deployed MFA, so we’re protected from phishing.” Sometimes it’s more nuanced — “MFA significantly reduces the risk of phishing attacks.” But the implied claim is the same: MFA means phishing is solved.
It isn’t solved. TOTP-based MFA means that a basic, unsophisticated phishing attack that just steals a password will fail. That’s a genuinely useful control. It eliminates the low end of the attacker capability spectrum. But attackers adapted. The W3LL kit, Evilginx2, Modlishka, Muraena — these are not zero-day tools. They’re commodity tools used by financially motivated criminals to defeat controls that the industry is still calling a gold standard.
When we tell users “we’ve deployed MFA, you’re protected from phishing,” and then they fall for an AiTM phishing page, we’ve failed them twice: once by deploying a control we oversold, and once by making them feel safe with something that wasn’t.
What Actually Stops AiTM
FIDO2/WebAuthn passkeys and hardware security keys are phishing-resistant in a technical, not just marketing, sense. The authentication ceremony is cryptographically bound to the origin — the specific domain of the login page. An AiTM proxy sitting on a different domain cannot relay the FIDO2 handshake successfully. The key simply won’t respond, and the login fails on the attacker’s proxy.
This isn’t theoretical. FIDO2 was specifically designed to defeat this class of attack. It works. Large technology companies that have deployed hardware security keys as mandatory MFA for employees have driven their phishing-related account compromise rates to effectively zero.
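To make the origin-binding point concrete, here is an added simulation (not code from this post or from any FIDO implementation) of the two checks that break a relaying proxy: the browser only lets a page use a credential whose rpId matches the domain the page is really on, and the relying party rejects an assertion whose signed clientDataJSON names a different origin. The domains, the challenge and the HMAC standing in for the credential's key pair are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed values for the illustration.
RP_ID = "login.example.com"                    # rpId the real site registered
EXPECTED_ORIGIN = "https://login.example.com"  # only origin the RP accepts
CRED_KEY = b"stand-in-for-credential-private-key"  # HMAC replaces ECDSA here

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()

def authenticator_get(browser_origin: str, rp_id: str, challenge: str):
    """Simulated browser + authenticator. The browser refuses an rpId that is
    not the page's own domain (or a parent of it), and it writes the page's
    real origin into clientDataJSON before anything is signed."""
    host = browser_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None  # credential not usable from this domain: no signature
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}).encode()
    auth_data = rp_id_hash(rp_id) + b"\x01"  # rpIdHash || flags (UP bit set)
    signed = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(CRED_KEY, signed, "sha256").digest()

def rp_verify(assertion, challenge: str) -> bool:
    """Relying-party side: type, challenge, origin, rpIdHash and signature."""
    if assertion is None:
        return False
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False  # a proxy on another domain is caught here
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(sig, hmac.new(CRED_KEY, signed, "sha256").digest())

def login(browser_origin: str, rp_id_requested: str) -> bool:
    """One login attempt from a page at browser_origin asking for rp_id_requested."""
    challenge = "constructed-challenge-123"  # the RP's challenge, relayed as-is
    return rp_verify(authenticator_get(browser_origin, rp_id_requested, challenge), challenge)
```

A legitimate login from the real origin succeeds; a page on any other domain either gets no signature at all (unchanged rpId) or a signature the relying party rejects (rewritten rpId), which is the whole difference from relaying a TOTP code.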
So why isn’t everyone deploying FIDO2 right now?
The answers I get are: users find hardware keys inconvenient; not all our applications support WebAuthn; our legacy VPN doesn’t work with passkeys; the rollout is complex. These are real constraints. They’re not arguments for continuing to deploy TOTP and calling it phishing-resistant.
The Honest Conversation
The honest conversation goes like this: TOTP MFA is significantly better than no MFA. It stops the majority of automated credential stuffing attacks. It raises the cost and complexity of compromise for unsophisticated attackers. Deploy it everywhere you can’t yet deploy FIDO2 — it’s still worth having.
But stop calling it phishing-resistant. Stop treating it as a solved problem. Start planning FIDO2 migration for your highest-risk populations — executives, finance, HR, privileged administrators — and treat the inability to deploy phishing-resistant MFA everywhere as an accepted risk, not an acceptable standard.
The W3LL takedown is good news. There will be a W3LL 2.0 within a year, operating from different infrastructure, for the same $500.
Our credential security posture needs to outpace that business model. Right now, it doesn’t.