Tags: phishing · two-factor authentication · account security · Google · AITM

Your Two-Factor Code Won't Save You from This Phishing Attack

Courtney
June 16, 2026
11 min read

It's a Thursday afternoon. You get an email that looks exactly like it came from your Google account team — logo, sender address, formatting, all of it clean. There's a security alert: unusual activity, action required. You click the link. The login page looks right. You enter your password. Your authenticator app gives you a 6-digit code. You type it in. The page loads. Everything seems fine.

You just handed a scammer full access to your account.

This isn't a story about someone being careless. They used two-factor authentication. They did everything right. The problem is a category of attack called adversary-in-the-middle (AITM) phishing, and in June 2026 Google flagged it in their official fraud and scams advisory as one of the fastest-growing threats in their network. The method is built to work even when 2FA is switched on.

Here's what's actually happening.

How this attack actually works

Regular phishing, the kind you've been warned about for twenty years, works like this: fake page, you type your password, they have it. Then you turned on 2FA and felt safer. That was the right call. It stopped the attacks that depended on having your password alone.

AITM phishing was built specifically to go around that.

Here's the sequence:

  1. You get a convincing email with a link and click it.
  2. The link takes you to a server the scammer controls. That server immediately relays everything you send to the REAL website, in real time, and relays the real site's responses back to you.
  3. You see the actual site because you are technically talking to it, through them. The padlock is there too, because the proxy holds a perfectly valid certificate for its own domain. You log in normally. The 2FA prompt comes up. You complete it.
  4. The proxy saw your password and your one-time code go past, but those matter less: the code expires in seconds. What it wants is the session cookie the real site issues after you authenticate, the token that proves to the site you're already logged in. The proxy keeps a copy before passing the page back to you.
  5. You land on a normal-looking page. Nothing seems wrong. The scammer loads your cookie into their own browser and is logged in as you from a different device. No password required. No 2FA required. The cookie says you're already authenticated.

Your 6-digit code did exactly what it was supposed to do. The scammer just let you use it and grabbed what came after.

The phishing kits that power these attacks are rented out to criminals as a service. Tycoon 2FA was one of the larger operations in this space until a disruption effort by Barracuda in April 2026. Google's advisory is blunt about what happened next: phishing volumes stayed high. The technique didn't die with one kit.

Why this one is harder to spot than standard phishing

Classic phishing gives you tells. A URL that doesn't quite match. A login page that looks slightly off. Copy-paste errors. The vague sense that something is wrong.

AITM attacks are harder because you're interacting with the real infrastructure, just routed through an extra server. The login flow actually works. The 2FA prompt is real. The padlock is real, because the proxy has a valid certificate for its own domain. The one thing that gives it away is the address in your browser, which is the proxy's domain rather than the real one. Most people don't check the address when the email already looks trustworthy, especially on mobile, where the address bar is small and often scrolls out of view entirely.

Google's advisory also flagged a few techniques that are being layered on top to make these attacks even harder to catch:

Quishing. The malicious link comes inside a QR code embedded in an email or document. You scan it on your phone. Now you're on mobile, where the URL bar is small, easy to ignore, and sometimes hidden entirely.

Cloud-hosted lures. Scammers are hosting phishing pages on legitimate services — Google Docs, OneDrive, SharePoint. Security filters that check domains let these through because the domain is real. The malicious content is just sitting on it.

Calendar phishing. Fake meeting invites with embedded phishing links get around email filters because the invite is created through the calendar service itself; the notification you receive comes from the calendar provider, not from the scammer's mail server. (We've got a full breakdown of how Google Calendar phishing works if that one's on your radar.)

The common thread: scammers are using your trust in real infrastructure as a weapon.


The red flags hiding in plain sight

Even with a well-crafted attack, there are signals worth knowing:

1. The URL in your browser doesn't match the real site. An AITM proxy has to use its own domain; it cannot get a certificate for accounts.google.com. If you're "logging into Google" and the host in the address bar isn't accounts.google.com exactly, not a variation, not something with "google" in it somewhere else, stop. On a phone, tap the address bar to see the whole address. This is the clearest signal and the one most frequently missed.

2. The email arrived without context. You didn't request a security review. You weren't trying to reset a password. Unsolicited security alerts are a scammer's preferred delivery mechanism. Real account security emails from Google usually follow something you did, such as a new sign-in or a changed setting.

3. The sender looks right but isn't. Display names can say "Google Security Team" while the actual email address is something like security@g00gle-alerts.com. On desktop: hover over the sender to check the full address. On mobile: tap the sender's name to expand it. In a legitimate Google email the part after the @ is google.com or a subdomain of it, such as accounts.google.com. "google" appearing inside some other domain (g00gle-alerts.com, google-security.net) doesn't count. Because Google publishes a strict DMARC policy, an exactly forged @google.com address rarely makes it into an inbox, which is why lookalike domains are what you'll actually see.

4. There's urgency attached. "Your account will be suspended in 24 hours." "Unusual sign-in detected — act now." The pressure is engineered to get you moving before you think. A real alert tells you what happened and points you to your account settings; it doesn't hand you a deadline.

5. You're asked to log in to view a security alert. If an email about your account security requires you to authenticate to see the problem, that's the trap. Legitimate platforms tell you what happened in the email itself and link you to account settings — not a fresh login page.

6. The page is slow. The proxy adds a hop between you and the real site, so pages can load noticeably slower than usual. Latency isn't a reliable signal on its own, but combined with other flags it's worth noting.

If this already happened to you

First: this wasn't carelessness on your part. AITM attacks are engineered to beat the security steps most people have in place. You did what you were told to do. The scammers built something specifically designed to defeat it.

What to do right now:

Change your password immediately. Do it from a device you trust, by typing the site's address yourself rather than following any link in the email. Do the same for any account where you used the same password.

Revoke active sessions. On Google: go to myaccount.google.com → Security → Your devices. You'll see every location and device with an active session. Revoke anything that isn't you.

Check for account changes. Email forwarding rules are a common immediate payload: scammers add a rule that silently copies your emails to them. In Gmail: Settings → See all settings → Forwarding and POP/IMAP. Check Filters and Blocked Addresses too, since a filter can forward or delete specific messages (password-reset emails, for example) without an obvious forwarding address being set. Also check your recovery email address and phone number under Security settings, and the list of third-party apps with access to your account.

Enable passkeys. More on this below, but do it before the next attempt.

Report it. File a report at reportfraud.ftc.gov. If any financial accounts were involved, contact your bank immediately and consider a credit freeze. The FTC reported in June 2026 that Americans lost $3.5 billion to imposter scams in 2025. Your report contributes to enforcement cases.

What actually stops this

Two-factor authentication still stops most phishing. Don't ditch it. But for AITM specifically — where the attack works because you completed authentication correctly — these are the defenses that actually work:

Passkeys. This is the real fix. A passkey is a cryptographic key pair bound to the exact domain you enrolled it on. When you sign in, your browser puts the address you're actually on into the data the key signs, and the real site rejects any signature made for a different address. A proxy at a different domain therefore ends up with a signature that's useless to it, and the private key itself never crosses the wire. (Passkeys synced through iCloud Keychain or Google Password Manager aren't locked to one physical device, but they are still locked to the domain, which is what matters here.) If Google, Apple, or your bank offers passkey setup, do it now. One caveat: most sites still let you fall back to a password and a code. A proxy can't relay a passkey, but it can show you the password form instead. If you expected a passkey prompt and got a password box, close the tab.

Hardware security keys. Physical FIDO2 keys (like YubiKey) work on the same principle: the key signs a response tied to the domain your browser is on, so a proxy using a different domain gets nothing it can use. These are the gold standard for high-value accounts.

Device Bound Session Credentials (DBSC). Google noted in their June 2026 advisory that they've deployed DBSC to make active session cookies harder to steal after they're issued. The idea is that the browser holds a private key on the device and periodically proves it still has that key to the site, so a cookie copied to the scammer's machine stops working quickly. It's a protection the browser and the site implement together; you don't switch it on yourself. If you're on Chrome with a Google account, some of this is already in place. Keep Chrome and your Google apps updated.

Type URLs directly. Don't click email links to log into important accounts. Type the address yourself or use a saved bookmark. A password manager also helps: it offers your saved login only on the domain it was saved for and stays silent on a proxy site. If your manager suddenly won't autofill on a login page that looks right, treat that as the warning it is.

If you want to understand how a similar attack flow works against Microsoft accounts specifically, that breakdown is here.


FAQ

Is AITM phishing only targeting Google accounts?

No. Any account using standard username/password plus 2FA can be targeted. Google published the advisory because the technique appears frequently in their threat data, but the same attack works against banking logins, Microsoft accounts, social platforms, and most major services that use session cookies.

If I have 2FA enabled, how does someone access my account without the code?

They don't need the code. They let you enter it, then capture the session cookie the site issues after you successfully authenticate. That cookie is what keeps you logged in — and once they have it, they can use it from anywhere without ever needing your password or 2FA code again.

What's the most secure way to log into accounts?

Type the URL directly rather than clicking links in email, or use a bookmarked URL. Enroll in passkeys for any account that supports them — passkeys are cryptographically tied to the actual domain and can't be relayed by a proxy. A password manager also protects you by refusing to autofill credentials on lookalike or proxy sites.

How do I know if my account was already compromised?

Check your active sessions and recent account activity. On Google: myaccount.google.com → Security. Look for sign-ins from locations or devices you don't recognize. Also check your email forwarding rules (Gmail: Settings → See all settings → Forwarding). An unexpected forwarding address is a common sign of unauthorized access. If anything looks off, change your password immediately and revoke all active sessions.

Does this mean email security alerts are always scams?

Not always — but treat every unsolicited security alert as suspicious until proven otherwise. Don't click the link in the email. Go directly to your account by typing the address yourself or opening the app, and check whether there's an actual alert there. If there is, handle it from within your real account. If there isn't, the email was bait. Report it and delete it.

Scammers are specifically designing attacks for people who did the right thing. Two-factor authentication was the right call. The next right call is passkeys.

Sources: Google Trust & Safety — June 2026 Fraud and Scams Advisory · FTC — People Reported Losing $3.5 Billion to Imposter Scams in 2025


Courtney

Founder, Cautellus · 20+ years in financial services

Two decades in financial compliance, digital security, and fraud prevention. Built Cautellus because the scam detection tools that exist were made for IT departments, not for real people getting weird texts.
