When a Phishing Link Beats Your MFA: Understanding Replay Attacks
Clicking a modern phishing link can hand attackers more than your password — adversary-in-the-middle (AiTM) kits proxy the real login page, capture the session cookie issued after you pass MFA, and replay it to take over the account. Standard MFA (SMS, app codes, push) does not stop this. Defences that work: phishing-resistant MFA (FIDO2/passkeys), time-of-click link scanning on email, short session lifetimes with conditional access, and staff awareness.
Most people think a phishing link leads to a fake login page that steals a password. That was true five years ago. Today, the more dangerous variant does not rely on your password alone: it steals your session and replays it, walking straight past multi-factor authentication.
Phishing remains the dominant threat in our region. HKCERT recorded 15,877 security incidents in Hong Kong in 2025 — a record high — with phishing accounting for 57% of all reports. And the attacks arrive through more channels than email: social media, instant messaging and SMS are now routine delivery routes.
What is a replay attack?
A replay attack is simple in principle: an attacker captures a piece of valid authentication data — a token, a cookie, a signed request — and re-sends it later to impersonate you. The system sees credentials it already trusts, so it lets the attacker in. No password cracking required.
The most common form today is session cookie replay. When you log in to a cloud service and pass MFA, the service gives your browser a session cookie — proof that you already authenticated. Whoever holds that cookie is you, until the session expires. Steal the cookie, replay it from another machine, and the attacker inherits a fully authenticated session — MFA already satisfied.
How the phishing link and the replay attack combine
This is where modern phishing kits come in. The technique is called adversary-in-the-middle (AiTM) phishing, and Microsoft has tracked campaigns using it against more than 10,000 organisations:
- The link. You receive a convincing email — a voicemail notice, a shared document, an invoice. The link leads to a proxy site that looks identical to your real login page, because it is your real login page, relayed live through the attacker's server.
- The login. You enter your password. The proxy forwards it to the real service. The real service sends back an MFA challenge, which the proxy relays to you. You approve it — everything looks normal.
- The theft. The real service, satisfied, issues a session cookie. It passes through the attacker's proxy on the way to your browser — and the attacker keeps a copy.
- The replay. The attacker loads the stolen cookie into their own browser and is signed in as you. From there: mailbox access, inbox rules to hide their tracks, and often business email compromise — sitting in payment threads waiting to redirect an invoice.
Notice what didn't help: your password was strong, MFA was on, and you approved a legitimate-looking prompt. The attack works because the proof of authentication — the cookie — was captured and replayed.
What actually defends against this
No single control stops AiTM phishing. A layered approach does:
- Phishing-resistant MFA. FIDO2 security keys and passkeys bind authentication to the genuine website's domain, so a proxy site cannot complete the login. This is the strongest single upgrade available.
- Stop the click. Email security with time-of-click URL scanning rewrites links and checks the destination when it is opened, not just when the message arrives — catching pages that turn malicious after delivery.
- Limit what a stolen session is worth. Shorter session lifetimes, conditional access policies that re-check device and location, and the ability to revoke sessions quickly all shrink the attacker's window.
- Watch for the replay. A session that passes MFA in Hong Kong and reappears minutes later from another continent is a detectable signal. Monitoring for impossible travel and anomalous sign-ins catches the replay even when the phish succeeded.
- Train for the new pattern. Staff should know that "the page looked real and MFA worked" no longer means a login was safe — and that unexpected MFA prompts or login notifications deserve a report, not a shrug.
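To show why the first control works, here is an added example that is not code from the original article: a simulation of the relying party's origin and rpId checks from WebAuthn assertion verification. The genuine origin, rpId, challenge and proxy domain are constructed for the example, and the signature check is left out.

```python
import hashlib
import json

# Constructed values for this example (not from the article):
# the genuine service, its relying-party ID and the challenge it issued.
GENUINE_ORIGIN = "https://login.example.com"
RP_ID = "example.com"
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"


def rp_id_hash(rp_id: str = RP_ID) -> bytes:
    """SHA-256 of the rpId, as carried in WebAuthn authenticatorData."""
    return hashlib.sha256(rp_id.encode()).digest()


def build_client_data(origin: str, challenge: str = CHALLENGE) -> bytes:
    """Mimic the clientDataJSON a browser produces for an assertion.
    The browser, not the page, fills in 'origin' with the site it is really on."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def verify_assertion(client_data_json: bytes, auth_rp_id_hash: bytes,
                     expected_origin: str = GENUINE_ORIGIN,
                     expected_challenge: str = CHALLENGE,
                     rp_id: str = RP_ID) -> tuple[bool, str]:
    """Relying-party checks on clientDataJSON and rpIdHash. The authenticator's
    signature covers SHA-256(clientDataJSON), so a proxy cannot rewrite 'origin'
    after the fact (signature verification itself is omitted here)."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if data.get("origin") != expected_origin:
        return False, f"origin mismatch: {data.get('origin')}"
    if auth_rp_id_hash != rp_id_hash(rp_id):
        return False, "rpIdHash mismatch"
    return True, "ok"


def genuine_login() -> tuple[bool, str]:
    return verify_assertion(build_client_data(GENUINE_ORIGIN), rp_id_hash())


def proxied_login() -> tuple[bool, str]:
    # A relayed page is served from the proxy's own (constructed) domain, so the
    # browser records that domain as the origin and the relying party rejects it.
    # In practice the browser refuses even earlier, because RP_ID is not a valid
    # suffix of the proxy origin; the server-side check is the backstop.
    return verify_assertion(build_client_data("https://login.example-proxy.test"),
                            rp_id_hash())
```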
Where to start
Most organisations we meet in Hong Kong, Macau and Asia-Pacific have MFA enabled and assume the job is done. The questions that matter now: can your email security check links at time of click, would a stolen session be noticed, and could you revoke it fast?
A quick way to see where you stand is our email security self-assessment — five minutes, no sign-up. Or talk to us about reviewing your email and identity protection.
Frequently asked questions
Does MFA protect against phishing links?
Standard MFA (SMS codes, authenticator apps, push approval) helps against password theft but not against adversary-in-the-middle phishing, which steals the session cookie issued after MFA succeeds. Phishing-resistant methods such as FIDO2 security keys or passkeys do stop it, because they are bound to the genuine website's domain.
What is the difference between a replay attack and a phishing attack?
Phishing tricks a person into giving something away; a replay attack re-uses captured authentication data, such as a session cookie or token, to impersonate them. Modern attacks chain the two — the phishing link captures the session, and the replay uses it.
How do I know if a session cookie has been stolen?
Warning signs include sign-ins from unfamiliar locations or devices shortly after a legitimate login, unexpected inbox rules, and activity the user does not recognise. Monitoring for impossible travel and anomalous sign-in patterns is the practical way to detect replayed sessions.
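The detection described under "Watch for the replay" above and in this answer, as an added example that is not the article's own code: an impossible-travel check over constructed sign-in records. User names, session IDs, coordinates and the 900 km/h threshold are all assumptions.

```python
import math
from datetime import datetime

# Constructed sign-in records for this example (not real logs): each is
# (timestamp, user, session_id, country, latitude, longitude).
SIGN_INS = [
    ("2025-03-04T09:02:10", "alice", "sess-7f3a", "HK", 22.3193, 114.1694),
    ("2025-03-04T09:19:45", "alice", "sess-7f3a", "NL", 52.3676, 4.9041),
    ("2025-03-04T09:30:00", "bob", "sess-91c2", "HK", 22.3193, 114.1694),
    ("2025-03-04T13:45:00", "bob", "sess-91c2", "SG", 1.3521, 103.8198),
]

MAX_PLAUSIBLE_KMH = 900.0  # assumed airliner speed; faster than this is impossible travel
SAME_AREA_KM = 50.0        # movement within one metro area is not a travel signal


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_replayed_sessions(records=SIGN_INS, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag a session used from two places faster than anyone could travel between
    them. Returns a list of (user, session_id, km, minutes, speed_kmh)."""
    by_session = {}
    for ts, user, sid, country, lat, lon in sorted(records):
        by_session.setdefault((user, sid), []).append(
            (datetime.fromisoformat(ts), country, lat, lon))
    alerts = []
    for (user, sid), events in by_session.items():
        # Compare each sign-in with the next one on the same session.
        for (t1, _, la1, lo1), (t2, _, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < SAME_AREA_KM:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((user, sid, round(km), round(hours * 60), round(speed)))
    return alerts
```

Alice's session reappears in Amsterdam 17 minutes after the Hong Kong login and is flagged; Bob's Hong Kong-to-Singapore gap of four and a quarter hours is ordinary travel and is not.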
What should we do first if we suspect an account is compromised?
Revoke all active sessions for the account, reset the password, review mailbox rules and recent sent items, and check sign-in logs for the source of the intrusion before re-enabling access.