Person typing on a laptop with a translucent padlock symbol hovering over the screen, representing a man-in-the-middle cyber attack.

Man-in-the-Middle Attack

In man-in-the-middle (MitM) attacks, a malicious actor intercepts communication between two parties without their knowledge or consent, which allows the attacker to eavesdrop on the conversation, altering or stealing information exchanged between the two parties.

4 January 2024 · 11 min read

What is a man-in-the-middle attack?

Imagine you’re chatting with a friend in a busy room, thinking your conversation is private. Suddenly, an unnoticed eavesdropper slips in between you two, overhearing your words and later making them public or even using them to extort you. In the online realm, this is similar to a man-in-the-middle attack, where cybercriminals covertly intercept your digital exchanges – from emails to messages – and either steal your information or manipulate it without your knowledge.

Although they may not sound intimidating at first, man-in-the-middle attacks – also called attacker-in-the-middle (AitM) – are a rising threat that puts an organization’s cyber resilience to the test. In a severe cyberattack on an Israeli startup, attackers cleverly intercepted a wire transfer between the company and an Asian vendor they were doing business with. By infiltrating the communication channels, the cybercriminals redirected the $1 million payment to a fraudulent account, successfully tricking both parties.

In the first quarter of 2023, there was a 35% increase in the volume of MitM attacks reaching inboxes compared to that same period in 2022. The rapid emergence of this threat underscores the importance of understanding how man-in-the-middle attacks work, the common MitM attacks, and how organizations can detect and protect themselves against this emerging threat.

A woman working on a laptop and a man using a smartphone, both unaware of the hooded figure in the middle symbolizing a hacker orchestrating a man-in-the-middle attack, intercepting their communication.

How does a man-in-the-middle attack work?

In typical online interactions, two parties connect in various ways. It could be a computer communicating with a web application, two email servers exchanging messages, or people messaging on platforms like WhatsApp, Zoom, or Facebook Messenger. However, hackers are lurking in the digital shadows, positioning themselves between the unsuspecting parties using techniques like ARP or DNS spoofing or compromising network devices to take control of the shared information.

Once in this covert position, they carefully hide their presence, making the communication seem undisturbed while controlling the data flow. They can also impersonate either party, making it appear as if both sides are communicating directly. This hidden presence allows them to intercept all data passing between the parties, which may include emails, photos, messages, or other data types, even if it’s encrypted.  

After achieving their goals, the attackers exit the compromised communication without leaving obvious traces. With the stolen data in hand, they can engage in malicious activities like financial fraud, blackmail, extortion, data breaches, phishing attacks, or other harmful actions that compromise the confidentiality and integrity of your private information.

Diagram depicting a 'Man in the Middle' cyber attack, where the connection between a user and a web application is intercepted by an unauthorized figure, redirecting information through the attacker.

On-path attack vs man-in-the-middle

In cyber security, the terms “man-in-the-middle (MitM) attacks” and “on-path attacks” are often used interchangeably, but they have some differences. Both involve an attacker intercepting and possibly manipulating communication between two parties. However, the difference lies in how these attackers position themselves within the digital network.

In on-path attacks, the hacker is already “on the path” of the data flow – for example, sharing the same server as the sender and the receiver, meaning they are in a position to naturally intercept the data without having to lure it away from its intended route. On the contrary, in MitM attacks, the attacker does not necessarily need to be on the direct communication path between the victim and the destination. In this case, the attacker must take some initiative, such as luring the victim into connecting to a deceitful Wi-Fi network or employing ARP spoofing to weave themselves into the data stream. Once inside, MitM attackers are capable of quietly listening and tampering with the data traveling between the two parties. They can target various protocols and networking layers, from encrypted sessions to IP-based communications.

To summarize, on-path attacks can be considered MitM attacks, but the reverse isn’t always true. On-path attacks represent a subset of the broader MitM category, characterized by their quieter, more passive nature and their strategic placement along the communication route.

Comparison of the concepts of man-in-the-middle attacks and on-path attacks and their main characteristics.

Types of man-in-the-middle attacks

Cybercriminals are incredibly inventive, and they’ve found multiple methods to intercept or alter communications between two parties in man-in-the-middle attacks. Here are some techniques they commonly use:

  • Session hijacking: In this scenario, the attacker places themselves between the victim’s computer and the web server, either by compromising a Wi-Fi network or using special software. They monitor the data being exchanged. If the website doesn’t use secure encryption, the attacker can easily read this data, including cookies containing a session ID. With these captured cookies, the attacker can impersonate the victim and gain unauthorized access to the web application, bypassing the need for a username or password.
  • ARP spoofing: ARP stands for Address Resolution Protocol. It’s a way for computers on a local network to find out each other’s physical (MAC) address. In ARP spoofing, a hacker sends fake ARP messages to trick computers into associating the hacker’s MAC address with an IP address that it doesn’t actually belong to. This way, data meant for one machine goes to the hacker instead.
  • DNS spoofing: DNS stands for Domain Name System. It’s like a phonebook for the internet, matching domain names to IP addresses. In DNS spoofing, the hacker tampers with this matching system. They redirect a domain name to a different IP address, usually a malicious website or server. This way, when you think you’re visiting a trustworthy site, you’re actually being directed elsewhere. The ultimate goal is to encourage users to interact with the counterfeit site, where they might reveal sensitive information.
  • SSL/TLS hijacking: SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols that encrypt the data between your web browser and the server. In this type of attack, a hacker tries to break or bypass the security protocols that protect the communication between your computer and the server – SSL or its updated version, TLS. By doing so, they can intercept or modify the data being exchanged. One common way this is done is by exploiting weaknesses in the SSL/TLS setup, using outdated versions, or taking advantage of misconfigurations.
  • Wi-Fi eavesdropping: In a digital landscape filled with Wi-Fi hotspots, attackers create fraudulent networks that mimic legitimate ones. Unsuspecting users connect to these seemingly authentic hotspots, unknowingly providing attackers with the opportunity to intercept and eavesdrop on their data.
  • HTTP/HTTPS spoofing: In this artful deception, the attacker creates a counterfeit web page that closely mimics a trusted site. Users unknowingly divulge confidential information, believing they are interacting with a legitimate source.
  • Credential sniffing: Credential sniffing involves attackers monitoring network traffic, often within an unprotected or poorly protected network, to capture login credentials. The attacker sniffs (collects) data packets on the network, searching for login credentials or sensitive information.
  • Email hijacking: Email hijacking in a man-in-the-middle attack is when an attacker intercepts or alters emails between two parties without them knowing. The attacker positions themselves in the middle of the email exchange, allowing them to read, change, or reroute the messages. Both parties may remain unaware that their communication is being tampered with.
Infobox about the origin of man-in-the-middle attacks.

Real-life man-in-the-middle attacks

In recent years, hackers have successfully infiltrated various organizations by employing man-in-the-middle attacks. Here are some notable cases:

News clippings of different real cases of man-in-the-middle attacks.

Compromised accounts of 10,000 Office 365 users

A popular man-in-the-middle attack example is the hack of Office 365 accounts. The well-known Lapsus$ hacking group often relies on different tactics to gain unauthorized access to networks and accounts. In 2022, they carried out a successful man-in-the-middle attack that targeted over 10,000 Office 365 users by spoofing the Office 365 landing page. By stealing credentials and session cookies, the attackers bypassed the MFA protocols and gained unauthorized access to victims’ email accounts, subsequently using this foothold to carry out BEC (business email compromise) campaigns targeting other organizations. While there were no reports of major breaches, Microsoft used this case to release a report on how this attack typically happens and how organizations can defend themselves against these attack types. 

Reddit phishing and MitM attack

In a recent incident in 2023, the popular social media platform Reddit was targeted in a carefully crafted phishing attack aimed at one of its employees. Upon clicking the link, the employee was led to a fraudulent yet convincing replica of Reddit’s intranet portal. They entered their login details there, unknowingly handing them over to the attackers. As a result, the contact information of hundreds of employees was exposed. Fortunately, the hackers couldn’t access Reddit’s primary production systems, where the bulk of the data resides. Nonetheless, the incident served as a sobering reminder of the ongoing vulnerabilities and challenges in maintaining robust cyber security measures.

NATO documents exposed in Portuguese government’s breach

In September 2022, the Portuguese Government’s Department of Defense was entangled in a cyber security breach with far-reaching implications. This breach involved the unauthorized leakage of highly sensitive NATO documents, which were put up for sale on the dark web, an alarming development that raised concerns far beyond the nation’s borders. As the investigation unfolded, it became evident that the breach occurred due to insecure communication channels, a critical oversight that allowed the attackers to exfiltrate this classified information. What made this attack even more insidious was its stealthy nature – the attackers operated in the shadows, evading detection while harvesting data shared in the insecure channel.

How to prevent a man-in-the-middle attack

Preventing a man-in-the-middle (MitM) attack requires a proactive approach that involves strengthening your digital defenses and maintaining a vigilant stance. There are many measures individuals and organizations can take for man-in-the-middle attack prevention, including:

  • Try to visit HTTPS websites: Seeing that padlock symbol in the browser or “HTTPS” in the web address gives you a sense of confidence that you’re on a legitimate website. While it’s not foolproof, it is a layer of trust that’s especially important on sites where you’re sharing personal or financial information.
  • Watch for URL spoofing: To detect a spoofed URL, look for the real domain. Sometimes, it is hard to know if the URL is legitimate but complex or if it’s a spoofed URL. Locate the first simple slash or question mark from the left. From there, go back to the left until you reach the second dot.  The area between those two elements is the domain. If it doesn’t match the website you think you are visiting or contains misspellings, do not trust the website. This visual, taken from our e-learning modules, can help you identify all the different parts of an address line (URL):
Screen showing a URL and the five main parts that users need to identify to identify URL spoofing.
  • Use secure networks: Be selective about the networks you connect to. Opt for secure and trusted networks when accessing sensitive information or conducting financial transactions. Avoid public Wi-Fi networks, which are often targets for MitM attacks.
  • Implement strong authentication: Employ multi-factor authentication (MFA) whenever possible. This adds an extra layer of security by requiring more than just a password for access. MFA makes it significantly harder for attackers to impersonate you.
  • Regularly update software: Keep your operating system, web browsers, and security software up to date. Software updates often include security patches that can help protect against MitM attacks. 
  • Be wary of email phishing: Exercise caution when clicking links or downloading email attachments. MitM attackers often initiate attacks through phishing emails. Verify the authenticity of the sender and the content before taking any action.
  • Use Virtual Private Networks (VPNs): Employ a reliable VPN, especially when connecting to public Wi-Fi networks. VPNs encrypt your traffic and route it through secure servers, making it significantly more challenging for MitM attackers to intercept or manipulate your data.
  • Verify digital signatures: When downloading files or software updates, ensure that they are digitally signed by the legitimate publisher. Digital signatures serve as a form of authentication, guaranteeing the integrity of the content.
  • Investigate certificate warnings: When you visit a website, your browser checks the site’s SSL/TLS certificate to ensure it’s valid. If something’s wrong, you receive a warning. If your web browser or email client displays unexpected security certificate warnings or errors, investigate the source of these warnings instead of mindlessly proceeding. They might unveil MitM attempts or compromised security certificates. These warnings usually appear as browser disclaimers saying “Your connection is not secure” or as a popup if you are using an email client.
  • Educate end-users: In organizational settings, educate employees about the significance of security awareness. Encourage them to promptly report any unusual network behavior, warning messages, or security concerns they encounter, fostering a collective defense against MitM threats.

Securing communications: How to protect your organization from MitM attacks

In an era where digital connectivity is an integral part of our lives, understanding the threat of man-in-the-middle (MitM) attacks and being prepared to combat them is paramount. These stealthy adversaries operate in the shadows, seeking to compromise our sensitive data and privacy. Without awareness and preparation, we risk falling victim to their covert tactics.

Training employees to detect and prevent these attacks before they happen is always the best option to keep your organization safe. Our gamified e-learning modules are designed to engage and educate your employees effectively while keeping security awareness at the forefront of their minds. It delivers personalized, story-based content and includes gamification elements for increased engagement.

But awareness training is best when employees can practice what they have learned in real situations. By providing a safe and controlled environment, SoSafe’s phishing simulations mimic real-life attacks that allow organizations to test their employees’ readiness to handle various phishing tactics that are usually used in man-in-the-middle attacks, such as URL spoofing. Through it, you can get an overview of your organization’s current cyber security resilience and strengthen your security culture.

Our ability to navigate the digital realm safely depends on our vigilance and readiness to counter the ever-evolving threat of cyberattacks. By equipping your employees with knowledge about the rising digital threats and implementing robust cyber security measures, you fortify your defenses, safeguard your digital interactions, and stay protected against lurking threats.

Do you want to stay ahead of the cyber game?

Sign up for our newsletter to receive the latest cyber security articles, events, and resources. No spam, only content that truly matters.

Newsletter visual