
Man-in-the-Middle Attack: What It Is and How It Works

May 5, 2026
Key takeaways:
  • A man-in-the-middle (MITM) attack lets an adversary secretly intercept communications between two parties, reading or altering data without either party detecting the intrusion.
  • MITM attacks unfold in two phases: interception (positioning between the communicating parties) and decryption (reading or modifying data in transit).
  • Common techniques include ARP spoofing, DNS spoofing, SSL stripping, and rogue Wi-Fi hotspots, each exploiting a different layer of the network stack.
  • "Adversary-in-the-middle" (AITM) is the modern term increasingly used in frameworks like MITRE ATT&CK to reflect that the intercepting entity is often automated software.
  • Strong mutual authentication, end-to-end encryption, certificate pinning, and network monitoring together close most of the attack surface.

What Is a Man-in-the-Middle Attack?

A man-in-the-middle (MITM) attack is a cyber attack in which an adversary secretly inserts themselves between two communicating parties, intercepting, reading, and potentially altering the data exchanged between them without either party's knowledge. Unlike attacks that target a single endpoint directly, a MITM attack subverts the communication channel itself. The adversary can passively eavesdrop on credentials, financial data, and intellectual property, or actively forge responses to manipulate transactions and inject malware.

The concept is sometimes illustrated as the "Alice, Bob, and Eve" model:

  • Alice believes she is talking to Bob
  • Bob believes he is talking to Alice
  • Eve sits silently between them relaying (and reading) every message

Alternative names include adversary-in-the-middle (AITM), machine-in-the-middle, on-path attack, and manipulator-in-the-middle. The AITM label, used in the MITRE ATT&CK framework, better reflects that the intercepting entity is often automated tooling rather than a human operator. This article uses both terms interchangeably.

MITM attacks remain relevant because encrypted traffic has made organizations complacent. HTTPS does not protect against SSL stripping or forged certificates when mutual authentication is absent or certificate validation is weak.

How a Man-in-the-Middle Attack Works

MITM and AITM attacks share a consistent two-phase structure regardless of the specific technique used.

Phase 1: Interception

The attacker must position themselves on the communication path between the two targets.

Common methods include:

  1. Rogue Wi-Fi hotspot: The attacker broadcasts an access point with a name that mimics a legitimate network (a coffee shop, hotel, or airport). Devices that auto-connect hand all their traffic to the attacker's machine.
  2. ARP spoofing: On a local area network, the attacker broadcasts forged Address Resolution Protocol (ARP) messages that map their own MAC address to a legitimate IP address, causing traffic destined for a router or host to flow through the attacker's device instead.
  3. DNS spoofing: The attacker poisons a DNS cache to return fraudulent IP addresses for legitimate domain names, redirecting users to attacker-controlled servers.
  4. IP spoofing: The attacker alters packet headers to impersonate a trusted host, causing traffic to reach the attacker rather than the intended destination.

Phase 2: Decryption

Once traffic is diverted, encrypted data must be readable to be useful.

  • SSL stripping: downgrades HTTPS to HTTP before the browser sees the redirect. Bypasses transport-layer encryption.
  • HTTPS spoofing: serves a forged certificate so the attacker holds the real session. Bypasses certificate trust.
  • SSL hijacking: passes forged keys during the TLS handshake, splitting the session. Bypasses session integrity.
  • SSL BEAST: exploits a CBC vulnerability in TLS 1.0 to decrypt cookies. Bypasses symmetric encryption.
  • Session hijacking: steals an active session token to impersonate a user without credentials. Bypasses authentication.

With readable traffic, the attacker can eavesdrop passively, alter data in transit, or inject malicious payloads.

Types of Man-in-the-Middle Attacks

MITM attacks are categorized by their interception vector and their objective. The most significant types in enterprise environments are:

Network-layer attacks

  • ARP spoofing and DNS spoofing operate at the network layer. ARP spoofing is particularly dangerous on corporate LANs because any device on the same broadcast domain can send forged ARP replies without credentials. DNS spoofing affects users enterprise-wide if a central resolver is compromised.
  • mDNS spoofing targets Multicast DNS, used by printers, smart displays, and IoT devices on trusted internal segments. A forged mDNS response can redirect internal service traffic to an attacker-controlled host.

Application-layer attacks

  • Email hijacking involves taking control of a corporate email account to monitor financial communications and, at the right moment, substituting fraudulent payment instructions, closely related to business email compromise (BEC).
  • Man-in-the-browser attacks use malware on the victim's browser to intercept and modify web transactions in real time, even over a legitimately encrypted connection.
  • AITM phishing combines a reverse proxy with credential-harvesting pages. The attacker proxies the real site to the victim, capturing live session cookies along with credentials and thereby defeating standard multi-factor authentication in real time.

Physical and proximity attacks

  • Evil-twin attacks use a rogue access point that mimics a legitimate Wi-Fi network. The attacker does not need to be on the network at all; physical proximity to the target is sufficient.

Why Man-in-the-Middle Attacks Matter for Enterprise Data Security

From an enterprise perspective, a successful MITM attack is a data breach in motion. The attacker has full visibility into whatever flows across the intercepted channel: login credentials, session tokens, source code, financial instructions, customer records, and confidential communications.

Credential and session theft

Stolen credentials let an attacker authenticate to corporate systems, SaaS applications, and cloud environments as the legitimate user. Stolen session cookies provide the same access without the password and bypass MFA because authentication was already completed before the cookie was issued.

Data integrity violations

MITM attacks can alter data, not just steal it. A $10,000 payment instruction can become $100,000; a software update can be replaced with a malicious binary. Integrity violations are often harder to detect than straightforward data exfiltration.

Compliance and regulatory exposure

Any breach of data in transit carries regulatory consequences. GDPR requires appropriate technical measures to protect personal data during transmission, and PCI DSS mandates strong cryptography for cardholder data in transit. A successful MITM attack that exposes regulated data triggers notification obligations and potential fines regardless of where the underlying vulnerability resided.

Supply chain and third-party risk

MITM attacks do not have to target the enterprise directly. An attacker intercepting communications between a company and a trusted vendor can compromise the enterprise indirectly. The 2011 DigiNotar breach illustrates this: forged certificates were issued for Google, Microsoft, and other major services after the root compromise occurred at a third-party certificate authority.

Common Challenges and Misconceptions

MITM defenses are well understood, yet several persistent misconceptions reduce their effectiveness in practice.

  • "HTTPS means the connection is safe." HTTPS protects data in transit when the certificate chain is valid and mutual authentication is in place. SSL stripping and forged certificates break this assumption. The padlock icon confirms a TLS session exists; it does not confirm the other end is the intended server.
  • "We only need to worry about public Wi-Fi." MITM attacks are equally viable on corporate LANs. ARP spoofing, mDNS spoofing, and rogue access points succeed in wired and wireless enterprise environments. The 2017 Equifax breach exposed data for roughly 147 million people partly through an unpatched vulnerability that enabled MITM-style interception in its application layer.
  • "MFA stops MITM attacks." Traditional MFA stops credential replay, but AITM phishing proxies defeat it by capturing the live session cookie after MFA completes. Phishing-resistant MFA standards such as FIDO2/WebAuthn counter this because the authentication is bound to the legitimate origin URL.
  • "Encrypted traffic is uninspectable and therefore safe." Attackers use SSL stripping and certificate spoofing to convert encrypted sessions into plaintext before data reaches the intended endpoint.
  • "Detection is straightforward." MITM attacks are designed to be transparent to both parties. Without network monitoring, certificate transparency logging, or anomaly detection, a passive MITM can operate undetected for extended periods.

How to Prevent Man-in-the-Middle Attacks

Effective MITM prevention requires controls at the network, application, and endpoint layers. No single measure is sufficient; defense in depth is the appropriate model.

Enforce strong transport encryption

  1. Deploy TLS 1.2 or TLS 1.3 on all servers; disable SSL 3.0, TLS 1.0, and TLS 1.1.
  2. Implement HTTP Strict Transport Security (HSTS) with a long max-age directive covering subdomains. HSTS instructs browsers to refuse HTTP connections entirely, preventing SSL stripping on repeat visits.
  3. Use Certificate Transparency monitoring for high-value services to detect forged certificates before they are trusted.

Harden authentication

  1. Deploy phishing-resistant MFA using FIDO2/WebAuthn or hardware security keys. These standards bind authentication to the legitimate origin URL, making AITM proxy attacks ineffective.
  2. Enforce mutual TLS (mTLS) for service-to-service communications so both parties must present valid certificates, eliminating service-layer impersonation.

Secure the network layer

  1. Segment networks using VLANs and firewall rules to limit ARP spoofing blast radius.
  2. Enable Dynamic ARP Inspection (DAI) on managed switches to reject forged ARP messages before they poison caches.
  3. Require WPA3 or WPA2-Enterprise (802.1X) on all wireless networks and disable auto-connect to open networks on corporate devices.
  4. Use DNSSEC and validate DNS responses on clients to limit DNS spoofing opportunities.

Monitor and detect

  1. Deploy network detection tools to identify ARP spoofing anomalies, unexpected certificate changes, and TLS downgrade attempts.
  2. Monitor Certificate Transparency logs for unauthorized certificates issued for your domains.
  3. Conduct penetration tests that include network-layer MITM scenarios to verify controls are functioning.
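As an added example (not from the original article), the detection logic behind item 1 above, run over a constructed capture of ARP replies: it flags an IP address suddenly claimed by a second MAC, and a burst of unsolicited (gratuitous) replies from one MAC, the two on-the-wire signatures a passive monitor or Dynamic ARP Inspection looks for. The addresses, trusted bindings and thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a passive sensor would record it."""
    ts: float            # capture time in seconds
    sender_ip: str       # IP the sender claims to own
    sender_mac: str      # MAC it wants neighbours to cache for that IP
    gratuitous: bool     # True if no request preceded the reply


# Constructed sample capture (not real traffic). The gateway answers a request
# normally; later a second MAC starts announcing the gateway IP unsolicited,
# which is how poisoning of every cache on the segment looks on the wire.
TRUSTED_BINDINGS = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}   # gateway IP -> known MAC
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01", False),
    ArpReply(1.0, "10.0.0.25", "aa:aa:aa:aa:aa:19", False),
    ArpReply(5.0, "10.0.0.1", "de:ad:be:ef:00:99", True),
    ArpReply(5.5, "10.0.0.1", "de:ad:be:ef:00:99", True),
    ArpReply(6.0, "10.0.0.1", "de:ad:be:ef:00:99", True),
]


def detect_arp_anomalies(replies, trusted, burst_threshold=3, window_s=10.0):
    """Return a sorted list of (alert_type, subject, detail) tuples.

    IP_MAC_CONFLICT: an IP is claimed by a MAC other than the one first seen
    (or statically trusted) for it. A NIC swap or DHCP lease change also
    triggers this, so treat it as a lead to investigate, not as proof.
    GRATUITOUS_BURST: one MAC sends >= burst_threshold unsolicited replies
    within window_s seconds, the pattern of a poisoned entry being refreshed.
    """
    alerts = set()
    bindings = dict(trusted)          # ip -> mac we currently believe
    grat_times = defaultdict(list)    # mac -> timestamps of gratuitous replies
    for r in replies:
        known = bindings.setdefault(r.sender_ip, r.sender_mac)
        if known != r.sender_mac:
            alerts.add(("IP_MAC_CONFLICT", r.sender_ip, f"{known} -> {r.sender_mac}"))
        if r.gratuitous:
            grat_times[r.sender_mac].append(r.ts)
            recent = [t for t in grat_times[r.sender_mac] if r.ts - t <= window_s]
            if len(recent) >= burst_threshold:
                alerts.add(("GRATUITOUS_BURST", r.sender_mac,
                            f">= {burst_threshold} unsolicited replies within {window_s:.0f}s"))
    return sorted(alerts)
```

Calling detect_arp_anomalies(SAMPLE_REPLIES, TRUSTED_BINDINGS) yields one GRATUITOUS_BURST alert for the rogue MAC and one IP_MAC_CONFLICT alert for the gateway IP; the first two legitimate replies alone produce none.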

Endpoint and user controls

  1. Keep endpoint software patched. The 2024 Tesla vehicle attack demonstrated that timely patching of a known credential-handling vulnerability would have closed the attack vector.
  2. Train users to verify HTTPS certificates before submitting credentials, avoid unrecognized Wi-Fi networks, and report certificate warnings rather than clicking through them.
  3. Require a VPN for employees working on untrusted networks.

How Cyberhaven Addresses Man-in-the-Middle Attacks

Cyberhaven operates at the layer where MITM attacks do their lasting damage: data movement.

Data Lineage traces every piece of sensitive data from its origin through every copy, transformation, and transmission. When a MITM attack results in data reaching an unauthorized destination, Data Lineage provides the forensic chain of custody to establish exactly what was in transit, where it came from, and what happened to it, compressing investigation timelines significantly.

Cyberhaven Data Loss Prevention (DLP) monitors and controls data movement at the endpoint and browser layer regardless of transport-layer encryption. If a MITM attack facilitates credential theft and session hijacking, DLP detects the subsequent anomalous data transfers: bulk downloads, uploads to external cloud storage, or email forwarding of sensitive files. These behavioral signals trigger policy enforcement before exfiltration completes.

Cyberhaven Insider Risk Management (IRM) adds behavioral context. When an account behaves anomalously after a suspected MITM event, Linea AI identifies the deviation and surfaces it for investigation, closing the gap between network-layer compromise and data-layer damage.

To better understand the modern threat landscape, and how to defend your organization's vital data, view our latest webinar, "Why Endpoint DLP Is the Foundation of Modern Data Security."

Frequently Asked Questions

What is a man-in-the-middle attack?

A man-in-the-middle (MITM) attack is a cyberattack in which an adversary secretly positions themselves between two communicating parties to intercept, read, and potentially alter the data being exchanged. Both parties believe they are communicating directly with each other while the attacker has full visibility into the communication channel.

What is the difference between a MITM attack and an adversary-in-the-middle (AITM) attack?

The terms refer to the same class of attack. "Adversary-in-the-middle" (AITM) is the more recent terminology adopted by frameworks such as MITRE ATT&CK and used in the Verizon DBIR. It avoids gendered language and better reflects that the intercepting entity is often automated tooling or malware rather than a human operator sitting at a keyboard.

Are MITM attacks illegal?

Yes. Intercepting electronic communications without authorization violates computer fraud and wiretapping laws in virtually every jurisdiction. In the United States, the Computer Fraud and Abuse Act (CFAA) and the Electronic Communications Privacy Act (ECPA) both apply. In the EU, MITM attacks violate the Computer Misuse Directive and national criminal codes. Authorized penetration testers may simulate MITM attacks with explicit written permission from the asset owner.

Can MITM attacks bypass multi-factor authentication?

Traditional MFA (such as TOTP codes or SMS one-time passwords) does not stop AITM phishing attacks, which proxy the legitimate site in real time and capture the valid session cookie after MFA is completed. Phishing-resistant MFA standards such as FIDO2/WebAuthn bind the authentication to the legitimate origin URL, making them resistant to proxy-based MITM scenarios.
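An added example (not part of the original article) of the origin binding described in this answer and in the "Harden authentication" checklist above: the relying-party side checks on a WebAuthn assertion's clientDataJSON and authenticatorData, with a constructed legitimate login beside one relayed through a look-alike proxy origin. The hostnames, challenge bytes and helper names are assumptions, and signature verification over these fields is omitted.

```python
import base64
import hashlib
import json

RP_ID = "example.com"                           # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"   # assumed legitimate login origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Simulate the clientDataJSON a browser builds for navigator.credentials.get().
    The browser, not the page, fills in `origin` from the URL actually loaded."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """rpIdHash (32) || flags (1, UP|UV) || signCount (4): minimal assertion form."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + sign_count.to_bytes(4, "big")


def verify_assertion_context(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes, expected_origin: str,
                             rp_id: str) -> tuple[bool, str]:
    """Relying-party checks that precede signature verification.

    The authenticator signs authenticatorData || SHA-256(clientDataJSON), so a
    proxy cannot rewrite origin or challenge without invalidating the signature.
    """
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != expected_origin:
        # This is where an AITM proxy fails: the victim's browser recorded the
        # proxy's origin, so the assertion cannot be replayed at the real site.
        # (A browser would in fact refuse to use rpId example.com from that origin at all.)
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"
```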

What are the most common signs of a MITM attack?

Indicators include unexpected TLS certificate warnings in the browser, certificate issuer changes for familiar sites, unexplained account lockouts or unauthorized logins following connection to a new network, and anomalous DNS resolution (domains resolving to unexpected IP addresses). Network monitoring tools can surface ARP table inconsistencies and unusual traffic routing patterns that are invisible to end users.

How does SSL stripping work?

SSL stripping downgrades a secure HTTPS connection to an unencrypted HTTP connection by intercepting the initial redirect. When a browser requests a site via HTTP and the server issues a redirect to HTTPS, the attacker intercepts that redirect, maintains their own encrypted connection with the server, and serves the HTTP version to the victim. The victim sees an unencrypted page without the padlock indicator while the attacker reads all traffic in plaintext. HTTP Strict Transport Security (HSTS) defeats this by instructing browsers to refuse HTTP connections entirely for domains it has previously visited over HTTPS.
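To make the HSTS defence concrete, an added example (not from the original article) models the browser-side policy that this answer and the HSTS item in the "Enforce strong transport encryption" checklist describe: it parses a Strict-Transport-Security header received over HTTPS, decides whether a later plain-HTTP request to a host would be upgraded before leaving the browser, and grades the header against the long-max-age, includeSubDomains baseline. The hostnames and the one-year baseline are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    host: str
    expires_at: float          # absolute time in seconds
    include_subdomains: bool


def parse_hsts(header: str, host: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header that arrived over HTTPS for `host`.

    Returns None when a browser would store nothing: malformed or missing max-age,
    or max-age=0 (which also clears an existing policy). A header seen over plain
    HTTP must be ignored by the caller; that is the connection an on-path attacker owns.
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if not max_age:              # missing or zero
        return None
    return HstsPolicy(host, now + max_age, include_subdomains)


def would_upgrade(policy: Optional[HstsPolicy], host: str, now: float) -> bool:
    """True if a browser holding `policy` rewrites http://host/... to https:// itself,
    so a stripping attacker never sees a cleartext request to intercept."""
    if policy is None or now >= policy.expires_at:
        return False
    if host == policy.host:
        return True
    return policy.include_subdomains and host.endswith("." + policy.host)


def meets_baseline(policy: Optional[HstsPolicy], now: float, min_days: int = 365) -> bool:
    """Grade a stored policy against the recommendation above: long max-age, subdomains covered."""
    return (policy is not None and policy.include_subdomains
            and policy.expires_at - now >= min_days * 86400)
```

A first visit has no stored policy, so would_upgrade(None, ...) is False: HSTS only protects repeat visits, which is why preloading matters for high-value domains.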