An active adversary-in-the-middle (AitM) phishing campaign has been targeting TikTok for Business accounts since at least October 2025, intercepting session tokens in real time to bypass MFA and take over accounts. Compromised advertising accounts expose organizations to downstream malvertising and infostealer distribution risk. Immediate actions include auditing and revoking active sessions for accounts with advertising spend authority, enforcing FIDO2/WebAuthn authentication where supported, and monitoring for session anomalies such as rapid ASN or geographic shifts following authentication events.
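The last recommendation above, detecting a session that suddenly appears from a different ASN or country shortly after a successful login, is straightforward to express as a log check. The following is an added example written for this advisory, not code from the advisory's author or from TikTok; the log line format (timestamp, user, event name, ASN, country), the event names `auth_success` and `session_activity`, the 30-minute window, and the sample log lines are all assumptions constructed for illustration. Adjust the parser to your identity provider's export format and tune the window to your user population.

```python
"""Flag session activity whose ASN or country differs from the most recent
successful authentication for the same user within a short window.

Added example for the AitM advisory above; schema and thresholds are
assumptions, not a vendor or platform API.
"""
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed whitespace-separated
# fields: ISO-8601 timestamp, user, event, ASN, ISO country code.
SAMPLE_LOGS = """\
2025-10-14T09:00:05Z alice auth_success AS64500 DE
2025-10-14T09:00:41Z alice session_activity AS64500 DE
2025-10-14T09:02:10Z alice session_activity AS64501 NL
2025-10-14T10:15:00Z bob auth_success AS64502 US
2025-10-14T12:40:00Z bob session_activity AS64503 US
2025-10-14T11:00:00Z carol session_activity AS64504 FR
"""


def parse_line(line):
    """Parse one assumed-format log line into a record dict."""
    ts, user, event, asn, country = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "event": event,
        "asn": asn,
        "country": country,
    }


def parse_logs(text):
    """Parse all non-empty lines and sort by time; exports are often unordered."""
    records = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(records, key=lambda r: r["ts"])


def detect_session_shifts(records, window=timedelta(minutes=30)):
    """Return one alert per session_activity record that arrives within
    `window` of the user's latest auth_success but from a different ASN or
    country than that authentication.

    Activity outside the window, or for a user with no observed login, is not
    flagged here; those cases belong to separate stale-session checks.
    """
    last_auth = {}  # user -> most recent auth_success record
    alerts = []
    for r in records:
        if r["event"] == "auth_success":
            last_auth[r["user"]] = r
            continue
        if r["event"] != "session_activity":
            continue
        auth = last_auth.get(r["user"])
        if auth is None or r["ts"] - auth["ts"] > window:
            continue
        if r["asn"] != auth["asn"] or r["country"] != auth["country"]:
            alerts.append({
                "user": r["user"],
                "seconds_after_auth": int((r["ts"] - auth["ts"]).total_seconds()),
                "auth_asn": auth["asn"],
                "auth_country": auth["country"],
                "observed_asn": r["asn"],
                "observed_country": r["country"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_shifts(parse_logs(SAMPLE_LOGS)):
        print(
            f"[ALERT] {alert['user']}: session from {alert['observed_asn']}/"
            f"{alert['observed_country']} {alert['seconds_after_auth']}s after "
            f"login from {alert['auth_asn']}/{alert['auth_country']}"
        )
```

On the sample data only alice is flagged: her session reappears from a different ASN and country about two minutes after login, which is the shape a relayed session token produces. bob's activity also changes ASN but hours later, so it falls outside the default window; widening `window` surfaces it, at the cost of more noise from mobile users switching networks. The point of the window is to separate "token used elsewhere right after the victim logged in" from ordinary roaming.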