In 2015, the Belgian bank Crelan lost roughly €70 million to a fraud scheme the bank publicly described as CEO fraud, a variant of business email compromise: attackers inserted themselves into the company's executive email flow, impersonated executives, manipulated invoices, and redirected payments, all without either side realizing the conversation had been compromised. That is a man in the middle attack at its most devastating, and variations of the technique remain common.
If you've ever connected to airport Wi-Fi, logged into your bank from a coffee shop, or sent sensitive data over an unsecured connection, you've been a potential target. This post breaks down exactly how these attacks work, what they look like in the real world, and the specific steps your organization needs to take right now.
What Is a Man in the Middle Attack?
A man in the middle attack (MITM) occurs when a threat actor secretly intercepts and potentially alters communication between two parties who believe they're talking directly to each other. The attacker becomes an invisible relay — reading, injecting, or modifying data in transit.
Think of it like someone secretly opening your mail, reading the contents, resealing the envelope, and sending it along. Neither the sender nor the receiver knows anything happened. Except in the digital world, the "mail" might contain login credentials, financial data, session tokens, or proprietary business information.
The Verizon 2024 Data Breach Investigations Report again lists stolen credentials among the top initial access vectors in confirmed breaches. The DBIR does not break out MITM as its own category, but adversary-in-the-middle phishing, which relays the victim's login to the real site and captures both the credentials and the resulting session cookie, is one of the ways those credentials are harvested. You can read the full report at Verizon's DBIR page.
How a Man in the Middle Attack Actually Works
I've seen security teams treat MITM attacks as theoretical. They're not. Here's what actually happens, step by step.
Step 1: The Attacker Gains a Position
The attacker first needs to insert themselves between you and the server you're communicating with. The most common methods include:
- Rogue Wi-Fi hotspots: Setting up a fake access point named "Starbucks_WiFi" or "Hotel_Guest" that your device connects to automatically.
- ARP spoofing: Poisoning the Address Resolution Protocol cache on a local network so traffic meant for the router flows through the attacker's machine instead.
- DNS spoofing: Poisoning a resolver's cache or answering DNS queries on the local network so that your bank's hostname resolves to an attacker-controlled server hosting a clone of the site. Without a certificate that browsers trust for the real domain, the clone cannot complete an HTTPS connection cleanly, so DNS spoofing is usually paired with SSL stripping or relies on the victim clicking through a certificate warning.
- SSL stripping: Intercepting the victim's first plaintext HTTP request (the one most users send by typing a bare domain name) and swallowing the redirect to HTTPS, so the victim talks HTTP to the attacker while the attacker talks HTTPS to the real site. The attacker reads everything in plaintext; HSTS exists specifically to stop this.
Step 2: Interception and Harvesting
Once positioned, the attacker captures everything flowing through the connection. Usernames. Passwords. Session cookies. API keys. Credit card numbers. In many cases, the attacker uses tools like Wireshark, Ettercap, or Bettercap — all of which are publicly available and well-documented.
The victim sees nothing unusual. The website loads. The email sends. The login appears to work. Meanwhile, every credential, cookie, and token sent over the connection has been captured.
Step 3: Exploitation
With stolen credentials, the attacker can log in as the victim, move laterally across your network, escalate privileges, deploy ransomware, or exfiltrate sensitive data. A single intercepted session cookie or OAuth token can give an attacker full access to a cloud platform without the password or the second factor, because the service already accepted both when that session was created.
Real-World MITM Attacks You Should Know About
These aren't hypothetical scenarios. MITM attacks have caused massive damage to real organizations.
The Lenovo Superfish Incident
In early 2015, security researchers found that Lenovo had shipped consumer laptops with an adware program called Superfish pre-installed. To inject ads into encrypted pages, the software added its own root certificate to the Windows trust store and proxied HTTPS connections locally, re-signing every site's certificate on the fly. The private key for that root shipped inside the software and was identical on every affected machine, so anyone who extracted it (researchers did within days) could impersonate any HTTPS site to those laptops without triggering a browser warning. The FTC took action against Lenovo, and the resulting 2017 settlement requires the company to obtain consumer consent before pre-installing software of this kind and to maintain a software security program.
Wi-Fi Pineapple Attacks at Conferences
At security conferences like DEF CON, researchers routinely demonstrate how quickly they can set up rogue access points and capture credentials from attendees who connect carelessly. These demonstrations use devices like the Wi-Fi Pineapple, which automates the creation of evil twin networks. If it happens to security professionals at a hacking conference, imagine what happens at your company's next trade show.
BGP Hijacking and Nation-State MITM
In 2018, researchers documented cases in which internet traffic destined for major organizations was rerouted through suspicious networks by Border Gateway Protocol (BGP) hijacking, where a network falsely announces that it owns another organization's IP ranges. A BGP hijack does not break TLS on its own, but it exposes everything still sent in the clear, lets the hijacker take over plaintext protocols, and can be used to pass a certificate authority's domain validation and obtain a valid certificate for the victim's domain. That combination is what lets well-resourced attackers perform MITM interception at the scale of entire organizations or even countries.
The $4.88M Reason Your Team Needs to Understand This
According to IBM's 2024 Cost of a Data Breach Report, the global average cost of a data breach reached $4.88 million. Credential theft — often facilitated by MITM attacks, phishing, and social engineering — is one of the most frequent initial attack vectors.
Your employees are the first line of defense. When they don't understand how a man in the middle attack works, they connect to unsecured Wi-Fi, ignore certificate warnings, and transmit sensitive data over unencrypted channels. Every one of those behaviors is an open door.
That's why structured cybersecurity awareness training isn't optional anymore. It's the single most cost-effective investment you can make to reduce human-layer risk across your organization.
How to Detect a Man in the Middle Attack
Detection is hard. That's what makes MITM attacks so dangerous. But there are telltale signs your team should watch for:
- Unexpected certificate warnings: If a browser suddenly warns that a certificate is untrusted or doesn't match the domain, stop. Don't click through. This is often the only visible sign of an active MITM attack.
- Unusual network latency: A MITM relay adds a small delay, so a normally fast connection that suddenly feels sluggish is worth a look. Treat this as a weak signal on its own, since congestion and upstream problems cause the same symptom far more often.
- HTTP instead of HTTPS: If a site you normally access over HTTPS suddenly loads over HTTP, an SSL stripping attack may be in progress.
- Duplicate or rogue access points: Your IT team should regularly scan for unauthorized wireless access points on your network.
- Abnormal ARP tables: Two different IP addresses (typically the default gateway and another host) mapping to the same MAC address, or the gateway's MAC changing with no hardware change, are classic indicators of ARP spoofing. Some legitimate setups (router redundancy protocols, hosts with several addresses, virtualization) also produce shared MACs, so compare against a known-good baseline rather than alerting on every duplicate.
CISA provides detailed guidance on network monitoring and detection strategies at cisa.gov/topics/cybersecurity-best-practices.
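The ARP indicators above are easy to check mechanically. The following is an added example, not code from the original post: a small Python checker that parses Linux `arp -a` output and flags both signs of ARP spoofing. The ARP table text and the gateway baseline are constructed for this example and are not real captures.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` output on Linux (not a real capture).
# The gateway 192.168.1.1 and the host 192.168.1.57 resolve to the same MAC,
# which is what a successful ARP-poisoning run looks like from the victim side.
SAMPLE_ARP_TABLE = """\
? (192.168.1.1) at 3c:52:82:aa:bb:01 [ether] on eth0
? (192.168.1.23) at f0:18:98:10:20:30 [ether] on eth0
? (192.168.1.57) at 3c:52:82:aa:bb:01 [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
"""

# Hypothetical known-good gateway MAC, recorded while the network was trusted.
GATEWAY_BASELINE = {"192.168.1.1": "d8:0d:17:44:55:66"}

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|<incomplete>)",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} for resolved entries; <incomplete> entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m and m.group("mac") != "<incomplete>":
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_arp_anomalies(table, gateway_baseline):
    """
    Flag two signs of ARP spoofing:
      1. one MAC answering for several IPs (an attacker impersonating the gateway
         and/or other hosts at the same time);
      2. a gateway whose MAC differs from the recorded baseline.
    Returns a list of tuples; an empty list means nothing suspicious was found.
    """
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate_mac", mac, tuple(sorted(ips))))
    for gw_ip, expected in gateway_baseline.items():
        seen = table.get(gw_ip)
        if seen and seen != expected.lower():
            findings.append(("gateway_mac_changed", gw_ip, seen, expected.lower()))
    return findings


if __name__ == "__main__":
    for finding in find_arp_anomalies(parse_arp_table(SAMPLE_ARP_TABLE), GATEWAY_BASELINE):
        print(finding)
```

The baseline is the part that matters in practice: a shared MAC is only suspicious when it contradicts what the gateway looked like on a trusted day, so record that value during onboarding and re-check it from a script or a network monitoring agent rather than by eye.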
7 Practical Steps to Prevent MITM Attacks
Prevention requires a layered approach. No single control stops every variant. Here's what actually works.
1. Enforce HTTPS Everywhere
Deploy HSTS (HTTP Strict Transport Security) across all your web properties. A browser that has seen the header refuses plaintext connections to that host for the max-age period, which defeats SSL stripping on every visit after the first; submit the domain to the HSTS preload list so the very first visit is covered too. Ensure all internal and external applications use TLS 1.2 or higher and that TLS 1.0 and 1.1 are disabled.
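An HSTS header that is present but weak (a short max-age, no includeSubDomains) gives far less protection than the heading above promises. The following is an added example, not code from the original post: a Python checker for the Strict-Transport-Security header a server returns and for an nginx ssl_protocols line. The header sets and the nginx directive are constructed here; the one-year minimum reflects the HSTS preload list's submission requirement.

```python
import re

# Constructed example header maps (not captured from any real site).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
}
MISSING_HEADERS = {
    "Content-Type": "text/html",
}

ONE_YEAR = 365 * 24 * 3600            # preload list requires max-age >= one year
DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_hsts(value):
    """Parse an HSTS header value (RFC 6797: ';'-separated directives,
    case-insensitive names) into {name: value}; valueless directives map to ''."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers):
    """
    Return a list of findings for the HSTS policy in a response header map.
    An empty list means returning visitors cannot be SSL-stripped for a year
    and the domain is eligible for the preload list.
    """
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        return ["missing: no Strict-Transport-Security header; SSL stripping remains possible"]
    findings = []
    d = parse_hsts(hsts)
    if "max-age" not in d or not d["max-age"].isdigit():
        findings.append("invalid: max-age directive missing or non-numeric")
    else:
        max_age = int(d["max-age"])
        if max_age == 0:
            findings.append("disabled: max-age=0 tells browsers to forget the policy")
        elif max_age < ONE_YEAR:
            findings.append(f"weak: max-age={max_age} is under one year ({ONE_YEAR} seconds)")
    if "includesubdomains" not in d:
        findings.append("weak: includeSubDomains absent; subdomains can still be stripped")
    if "preload" not in d:
        findings.append("weak: preload absent; domain cannot be added to the browser preload list")
    return findings


def deprecated_protocols(nginx_directive):
    """Given an nginx 'ssl_protocols ...;' line, return the deprecated versions it still enables."""
    m = re.match(r"\s*ssl_protocols\s+(.+?);", nginx_directive)
    if not m:
        raise ValueError("not an ssl_protocols directive")
    enabled = m.group(1).split()
    return sorted(p for p in enabled if p in DEPRECATED_TLS)


if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS), ("missing", MISSING_HEADERS)):
        print(name, check_hsts(hdrs) or ["ok"])
    print(deprecated_protocols("ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;"))
```

Feed `check_hsts` the headers from a real response (for example from `curl -sI https://yourhost` or any HTTP client) and run it against every external hostname, not just the apex domain; the Tuesday item in the action plan at the end of this post is exactly this audit.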
2. Implement Multi-Factor Authentication
Even if an attacker captures a password through a MITM attack, multi-factor authentication (MFA) adds a second barrier. Use phishing-resistant MFA such as FIDO2 hardware keys or platform passkeys rather than SMS codes: the browser binds a FIDO2 assertion to the origin of the page the user is actually on, so an assertion collected through a proxy site fails verification at the real site, whereas an SMS or app code typed into a proxied login page is simply relayed, and SMS can additionally be intercepted through SIM swapping.
3. Deploy Certificate Pinning
For critical applications, certificate pinning ensures the app only accepts a specific certificate or public key for its backend. If an attacker presents a fraudulent certificate during a MITM attempt, the connection fails instead of proceeding. This is mainly a control for mobile and other native clients you control; browsers removed their public-key pinning header (HPKP) years ago. Pin the public key rather than the leaf certificate, ship a backup pin, and plan the rotation, because a pin that does not match the key you deploy next locks every client out of your own service.
4. Use a VPN on Untrusted Networks
When your employees travel, they should route all traffic through a corporate VPN. This encrypts the entire connection from their device to your VPN gateway, so a rogue hotspot or ARP spoofer on the local network sees only an encrypted tunnel. It does not protect traffic once it leaves the gateway, and captive portals often need a brief window before the tunnel comes up, so enforce always-on VPN and block split tunnelling on managed devices.
5. Adopt a Zero Trust Architecture
Zero trust assumes every network is hostile, including your own. Every access request is authenticated and authorized on its own merits, regardless of whether the user is inside or outside the corporate perimeter, which removes most of the value an attacker gets from sitting on a LAN segment. NIST's Zero Trust Architecture guidelines (SP 800-207) at nist.gov provide the foundational framework.
6. Segment Your Network
Network segmentation limits the blast radius of any successful MITM attack. If an attacker compromises a guest Wi-Fi segment, they shouldn't be able to reach your production databases or Active Directory servers.
7. Train Your People — Continuously
Technical controls fail when humans bypass them. An employee who clicks through a certificate warning, connects to a rogue hotspot, or falls for a phishing email that sets up a MITM relay undermines every technical defense you've built.
Regular phishing awareness training for organizations reduces the likelihood that your employees will fall for the social engineering that often precedes or accompanies MITM attacks. Phishing simulations teach people to recognize suspicious behavior before it becomes a data breach.
MITM Attacks and Phishing: The Connection Most Teams Miss
Here's what I want you to understand: man in the middle attacks rarely happen in isolation. They're almost always part of a larger attack chain.
A typical sequence looks like this:
- An employee receives a phishing email with a link to a spoofed login page.
- The spoofed page is a reverse proxy that relays everything to the real login page in real time; the employee sees the genuine login flow, including the genuine MFA prompt, and the proxy captures the credentials and the session cookie the real site sets after MFA succeeds.
- The attacker replays that session cookie to the real application. MFA is not bypassed so much as already spent: the real site validated the second factor when the victim entered it through the proxy, and the cookie is the proof.
- From there, it's lateral movement, privilege escalation, and data exfiltration.
This technique, called adversary-in-the-middle (AiTM) phishing, has been documented extensively by Microsoft's threat intelligence team, including large-scale campaigns reported in 2022 that led to business email compromise. It's not exotic. It's happening right now against organizations of every size.
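The reason phishing-resistant MFA breaks this chain is that the browser, not the web page, decides what goes into a WebAuthn assertion. The following is an added example, not code from the original post, that models that origin binding in Python: a relying party issues a challenge, a browser on either the real origin or a hypothetical AiTM proxy origin produces an assertion, and the relying party verifies it. The RP ID, the origins, and the HMAC standing in for the authenticator's signature are all assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ID = "example.com"                                       # relying party ID (assumed)
EXPECTED_ORIGIN = "https://login.example.com"               # assumed legitimate origin
PHISHING_ORIGIN = "https://login-example-com.evil.example"  # hypothetical AiTM proxy host

# Stand-in for the authenticator's private key. Real FIDO2 assertions use an
# asymmetric signature (e.g. ES256); HMAC is used here only so the example runs offline.
AUTHENTICATOR_KEY = os.urandom(32)


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rp_id_allowed(rp_id, origin):
    """Browser rule: the RP ID must equal the origin's host or be a parent domain of it."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def browser_assert(challenge, page_origin, rp_id):
    """Browser + authenticator behaviour on the page the user actually loaded.
    The browser writes `origin` into clientDataJSON and hashes the RP ID into
    authenticatorData itself; page content (or a proxy feeding it) cannot alter either."""
    if not rp_id_allowed(rp_id, page_origin):
        raise ValueError(f"browser refuses RP ID {rp_id!r} on origin {page_origin!r}")
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags, counter = b"\x05", b"\x00\x00\x00\x01"          # UP|UV set, signature counter 1
    authenticator_data = rp_id_hash + flags + counter
    to_sign = authenticator_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(AUTHENTICATOR_KEY, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data,
            "authenticatorData": authenticator_data,
            "signature": signature}


def rp_verify(assertion, expected_challenge, expected_origin, rp_id):
    """Relying-party checks in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(AUTHENTICATOR_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(assertion["signature"], expected_sig):
        return False, "bad signature"
    return True, "ok"


def legitimate_login():
    challenge = os.urandom(32)                               # issued by the real site
    assertion = browser_assert(challenge, EXPECTED_ORIGIN, RP_ID)
    return rp_verify(assertion, challenge, EXPECTED_ORIGIN, RP_ID)


def aitm_relayed_login():
    """The proxy forwards the real site's challenge to the victim, whose browser is on
    the phishing origin. Asking for the real RP ID there is refused by the browser, so
    the best the proxy can do is use its own RP ID, and the real site rejects the result."""
    challenge = os.urandom(32)
    try:
        browser_assert(challenge, PHISHING_ORIGIN, RP_ID)
    except ValueError:
        pass                                                 # expected: browser refuses
    assertion = browser_assert(challenge, PHISHING_ORIGIN, "evil.example")
    return rp_verify(assertion, challenge, EXPECTED_ORIGIN, RP_ID)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("AiTM relay:", aitm_relayed_login())
```

Note that the proxy loses even though it relays the real challenge and even though the authenticator genuinely signs the request: the origin check (and, after it, the rpIdHash check) fails on values the phishing page never controlled. A TOTP or SMS code carries no such binding, which is why those factors survive the relay and the FIDO2 assertion does not.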
That's why security awareness training has to cover both phishing recognition and network security hygiene. They're two sides of the same coin.
Does HTTPS Completely Prevent Man in the Middle Attacks?
No. HTTPS significantly reduces the risk, but it doesn't eliminate it. Here's why:
- Compromised or careless certificate authorities: If an attacker compromises a CA (as happened in the DigiNotar breach in 2011, which produced rogue certificates for major domains), they can issue certificates that every browser trusts for any domain. Certificate Transparency logs now make mis-issuance visible, so monitor CT for your own domains and publish CAA records to limit which CAs may issue for them.
- SSL stripping on misconfigured sites: If your site doesn't enforce HSTS, an attacker can downgrade the connection before encryption is established.
- User behavior: If a user clicks through a certificate warning, HTTPS can't help them. The encryption is only as strong as the trust chain behind it.
- Corporate TLS inspection: Many organizations use TLS-intercepting proxies for security monitoring. If these systems are misconfigured or compromised, they become the MITM.
HTTPS is necessary but not sufficient. Layer it with MFA, certificate pinning, network segmentation, and user training for real protection.
Your Action Plan for This Week
Don't wait for an incident. Here's what you can do in the next five business days:
- Monday: Audit your organization's Wi-Fi infrastructure. Identify and eliminate any rogue or unauthorized access points.
- Tuesday: Verify HSTS is enabled on all external-facing web applications with a max-age of at least a year and includeSubDomains set, and consider preload submission. Check TLS configurations for deprecated protocols (TLS 1.0 and 1.1, anything SSL) and weak cipher suites.
- Wednesday: Review your MFA deployment. Ensure all critical systems use phishing-resistant MFA, not just SMS codes.
- Thursday: Run a phishing simulation targeting your most at-risk departments — finance, HR, and executive teams.
- Friday: Enroll your team in structured cybersecurity awareness training that covers MITM attacks, credential theft, and social engineering tactics.
A man in the middle attack succeeds when organizations assume their connections are secure and their people know better. In my experience, both assumptions are usually wrong. The organizations that actually prevent these attacks are the ones that verify everything, trust nothing, and train continuously.
Start this week. Your network — and your budget — will thank you.