In 2019, a Lithuanian national named Evaldas Rimasauskas pleaded guilty to stealing over $120 million from Google and Facebook using a sophisticated man in the middle attack scheme. He impersonated a legitimate hardware vendor, intercepted invoice communications, and redirected payments to bank accounts he controlled. The scheme ran for two years before anyone noticed.

That's not a Hollywood script. That's what happens when a threat actor positions themselves between two trusting parties. And your organization is more vulnerable to this than you think.

What Is a Man in the Middle Attack?

A man in the middle attack (MITM) occurs when an attacker secretly intercepts and potentially alters communication between two parties who believe they're talking directly to each other. Think of it as a digital wiretap — except the attacker can also modify what's being said.

The attacker sits between the victim and the resource they're trying to reach — a website, an email server, a banking portal. Every keystroke, every credential, every piece of data passes through the attacker's hands first.

I've investigated incidents where employees logged into what looked like their company's VPN portal, entered their credentials, and handed everything to an attacker sitting on the same coffee shop Wi-Fi. The employee never knew. The attacker had their username, password, and session token within seconds.

How a Man in the Middle Attack Actually Works

MITM attacks aren't magic. They follow predictable patterns. Understanding the mechanics is the first step toward stopping them.

ARP Spoofing on Local Networks

On a local network, attackers use Address Resolution Protocol (ARP) spoofing to associate their MAC address with the IP address of a legitimate gateway. All traffic intended for the router flows through the attacker's machine instead. Tools like Ettercap and Bettercap make this disturbingly simple.

I've seen this used in corporate environments where guest Wi-Fi and production networks weren't properly segmented. One compromised device on the guest network gave the attacker visibility into internal traffic.

DNS Spoofing and Pharming

DNS spoofing redirects victims to fake websites by corrupting the DNS cache. Your employee types in the correct URL for your payroll system. The compromised DNS server sends them to a pixel-perfect replica controlled by the attacker. Credentials entered on that page go straight to the threat actor.
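One practical counter to the pharming scenario above is to compare what your resolver logs say a watched name resolved to against the address ranges it is supposed to live in. The following is an added example, not code from the original post: the log line format, the domain-to-range allowlist and the sample entries are all constructed for illustration, and a real deployment would feed it from the resolver's own query logs and the asset inventory.

```python
"""Flag DNS answers that map a watched domain to an unexpected address.

Added example (not from the original post): a defender-side check over
resolver query logs. The log format and the domain/IP allowlist below are
constructed for illustration; adapt both to your own resolver's logging.
"""
import ipaddress
from collections import namedtuple

# Expected address ranges for internal services. Constructed sample data:
# a real deployment would load this from the asset inventory.
EXPECTED_RANGES = {
    "payroll.example.internal": ["10.20.0.0/24"],
    "vpn.example.internal": ["203.0.113.0/28"],
}

# Constructed sample lines in a simple "<ts> <client> <qname> <answer>" format.
# The third line is the pharming case: payroll resolving to an outside address.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.1.1.23 payroll.example.internal 10.20.0.15
2024-05-01T09:00:05Z 10.1.1.42 vpn.example.internal 203.0.113.7
2024-05-01T09:01:12Z 10.1.1.23 payroll.example.internal 198.51.100.200
2024-05-01T09:02:30Z 10.1.1.88 www.example.com 93.184.216.34
"""

Anomaly = namedtuple("Anomaly", "timestamp client qname answer")


def parse_line(line):
    """Split one log line into (ts, client, qname, answer); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return parts


def is_expected(qname, answer, expected=EXPECTED_RANGES):
    """True if qname is not monitored or its answer lies in an allowed range."""
    ranges = expected.get(qname.lower().rstrip("."))
    if ranges is None:
        return True
    addr = ipaddress.ip_address(answer)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def find_anomalies(log_text, expected=EXPECTED_RANGES):
    """Return every monitored name that resolved outside its expected ranges."""
    anomalies = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, answer = rec
        try:
            if not is_expected(qname, answer, expected):
                anomalies.append(Anomaly(ts, client, qname, answer))
        except ValueError:  # answer is not an IP literal (e.g. a CNAME); skip
            continue
    return anomalies


if __name__ == "__main__":
    for a in find_anomalies(SAMPLE_LOG):
        print(f"ALERT {a.timestamp} client={a.client} {a.qname} -> {a.answer}")
```

Run against the constructed sample it raises exactly one alert, for the payroll name resolving to 198.51.100.200. The check is deliberately strict about monitored names and silent about everything else, which keeps the alert volume low enough that someone will actually read it.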

SSL Stripping

SSL stripping downgrades a secure HTTPS connection to unencrypted HTTP. The victim thinks they're browsing securely, but the attacker has removed the encryption layer. Moxie Marlinspike demonstrated this technique at Black Hat DC 2009, and variations of it remain effective against organizations that don't enforce HTTP Strict Transport Security (HSTS).

Rogue Wi-Fi Access Points

This is the attack I encounter most frequently during security assessments. An attacker sets up a Wi-Fi hotspot named "Airport_Free_WiFi" or "Marriott_Guest" in a public location. Victims connect, and every packet they send passes through the attacker's device. Combined with SSL stripping, this gives the attacker access to login credentials, email content, and session cookies.

The Real-World Damage: Beyond Theory

The Verizon 2024 Data Breach Investigations Report found that credential theft remains a factor in nearly 50% of breaches. MITM attacks are one of the most reliable methods for harvesting those credentials. The report is available at Verizon's DBIR page.

In the financial sector, I've seen man in the middle attack techniques used to intercept wire transfer instructions. An attacker compromises an email conversation between a company and its bank, then modifies the routing numbers in a payment instruction. The money lands in the attacker's account. By the time the legitimate recipient asks where the funds are, the money is gone.

Business email compromise (BEC), which frequently relies on MITM positioning, caused $2.9 billion in losses according to the FBI's Internet Crime Complaint Center (IC3) 2023 annual report. That makes it the single most financially damaging category of cybercrime reported to the FBI.

How to Detect a Man in the Middle Attack

Detection is harder than prevention. But there are warning signs your team should recognize.

  • Unexpected certificate warnings: If a browser warns about an invalid or changed SSL certificate for a site your team visits daily, take it seriously. Don't click through.
  • Unusual network latency: MITM attacks add a hop. If connections to familiar services suddenly feel sluggish, investigate.
  • DNS anomalies: Monitor DNS query logs for domains resolving to unexpected IP addresses.
  • Session hijacking indicators: Users getting logged out unexpectedly or seeing sessions active from unfamiliar locations.

Network monitoring tools that inspect ARP tables and flag inconsistencies are essential. If your security team isn't monitoring for ARP spoofing on internal networks, you have a blind spot.
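The ARP spoofing described earlier leaves a trace in exactly the place this section says to watch: the neighbour table. Below is an added example, not code from the post, that compares a baseline snapshot of a host's ARP cache against a later one and flags the two signs a defender cares about: a known IP (above all the default gateway) whose MAC changed, and one MAC answering for several IPs. The snapshots are constructed in the format printed by `ip neigh` on Linux, and the gateway address and MACs are sample values.

```python
"""Detect ARP-cache changes that suggest ARP spoofing.

Added example (not the post's code): compares successive snapshots of a
host's neighbour table against a baseline. Snapshot lines are constructed
in `ip neigh show` format; the addresses are sample values.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed gateway address for this example

# Constructed baseline snapshot taken when the network was known-good.
BASELINE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:0a STALE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:14 REACHABLE
"""

# Constructed later snapshot: the gateway IP now carries the MAC of .20,
# the classic symptom of .20 having poisoned the cache.
LATER = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:14 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:0a STALE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:14 REACHABLE
192.168.1.30 dev eth0 FAILED
"""


def parse_neigh(text):
    """Return {ip: mac} from `ip neigh` output, skipping entries with no lladdr."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue
        ip = fields[0]
        mac = fields[fields.index("lladdr") + 1].lower()
        table[ip] = mac
    return table


def arp_alerts(baseline, current, gateway_ip=GATEWAY_IP):
    """Return (severity, message) tuples for suspicious changes in `current`."""
    alerts = []
    # 1. A previously seen IP now maps to a different MAC.
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old is not None and old != mac:
            sev = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append((sev, f"{ip} changed MAC {old} -> {mac}"))
    # 2. One MAC is answering for more than one IP.
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            joined = ", ".join(sorted(ips))
            alerts.append(("WARNING", f"MAC {mac} claims multiple IPs: {joined}"))
    return alerts


if __name__ == "__main__":
    for sev, msg in arp_alerts(parse_neigh(BASELINE), parse_neigh(LATER)):
        print(f"{sev}: {msg}")
```

Two caveats a practitioner would expect: a single MAC legitimately owning several IPs is common for routers, virtual IPs and hypervisors, so that rule is a warning to be tuned against an allowlist, not a page-out; and a gateway MAC change is also what a hardware swap looks like, so the baseline has to be refreshed after planned changes or the alert becomes noise. Switch-side protections such as Dynamic ARP Inspection complement this host-side view.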

Five Defenses That Actually Stop MITM Attacks

1. Enforce HTTPS Everywhere with HSTS

Configure your web applications and internal tools to use HSTS. This tells browsers to only connect via HTTPS, making SSL stripping attacks fail. CISA provides detailed guidance on implementing transport layer security at cisa.gov.
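HSTS only defeats SSL stripping when the header is actually strong: a short max-age lapses, a missing includeSubDomains leaves every subdomain downgradable, and without preload the very first visit is still sent over plain HTTP. The checker below is an added example, not the post's or CISA's code; it parses a Strict-Transport-Security value and reports what would still leave stripping feasible. The one-year threshold and the includeSubDomains/preload requirements mirror the browser preload-list criteria, and the weak and strong sample headers are constructed.

```python
"""Check a Strict-Transport-Security header against a strong-policy baseline.

Added example, not from the post: parses the header value an origin returns
and reports why it would still leave SSL stripping feasible. Thresholds
follow the common preload-list requirements; sample headers are constructed.
"""
ONE_YEAR = 31536000  # seconds


def parse_hsts(value):
    """Parse 'max-age=...; includeSubDomains; preload' into {name: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def evaluate_hsts(value):
    """Return a list of findings; an empty list means the policy is strong."""
    if value is None:
        return ["header missing: browsers will keep accepting plain http:// for this host"]
    d = parse_hsts(value)
    if "max-age" not in d:
        return ["max-age directive missing: header is invalid and ignored"]
    try:
        max_age = int(d["max-age"])
    except ValueError:
        return ["max-age is not an integer: header is invalid and ignored"]
    findings = []
    if max_age == 0:
        findings.append("max-age=0 clears the policy instead of enforcing it")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below one year; policy lapses too soon")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains remain downgradable")
    if "preload" not in d:
        findings.append("preload token missing: first visit stays unprotected until "
                        "the site is on the browser preload list")
    return findings


# Constructed samples: the weak setting beside the corrected one.
WEAK = "max-age=300"
STRONG = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK), ("strong", STRONG)):
        print(label, evaluate_hsts(hdr) or ["ok"])
```

Two things the checker cannot see but a deployment must get right: browsers only honour the header when it arrives over HTTPS, so the HTTP listener should do nothing but redirect, and the preload token is a promise, not a protection, until the domain is submitted to and accepted by the preload list.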

2. Deploy Multi-Factor Authentication

Even if an attacker captures credentials through a MITM attack, multi-factor authentication adds a layer they can't easily bypass. Hardware security keys using FIDO2 are particularly effective because they're resistant to phishing and MITM relay attacks — unlike SMS-based codes, which can be intercepted.

3. Adopt a Zero Trust Architecture

Zero trust assumes the network is already compromised. Every access request is verified, regardless of where it originates. This means even if an attacker establishes a man in the middle position on your network, lateral movement and data access require additional authentication and authorization at every step.

4. Use Certificate Pinning for Critical Applications

Certificate pinning ensures your application only accepts a specific certificate or public key for a given server. If an attacker tries to present a fraudulent certificate during a MITM attack, the connection fails. This is especially important for mobile apps and API communications.
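Here is what that looks like in code for a client talking to its own API, as an added example rather than anything from the post: the standard TLS validation (chain and hostname) stays switched on, and the pin is an extra check on the SHA-256 fingerprint of the leaf certificate the server actually presented. The hostname and the pin values are placeholders; the fingerprints would come from your own endpoint's certificate, and the set must always contain a backup pin so a planned rotation does not lock every client out.

```python
"""Pin a server's leaf-certificate SHA-256 fingerprint on top of normal TLS validation.

Added example, not from the post: the ssl module still performs chain and
hostname validation; the pin is an extra check that fails the connection
when the presented certificate is not in the pin set. Host and pins are
constructed placeholders.
"""
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the presented certificate matches no pinned fingerprint."""


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER encoding of a certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins) -> bool:
    """Compare against every pin in constant time. `pins` should hold the
    current certificate's fingerprint plus a backup for rotation."""
    fp = fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p.lower()) for p in pins)


def pinned_connect(host, port, pins, timeout=5.0):
    """Open a TLS connection and enforce the pin after the handshake."""
    ctx = ssl.create_default_context()  # CA validation and hostname check stay on
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not pin_matches(der, pins):
        tls.close()
        raise PinMismatch(
            f"{host}: certificate fingerprint {fingerprint(der)} not in pin set")
    return tls


# Placeholder pins: replace with the real fingerprints of your own endpoint.
PINNED = {
    "<sha256 hex of current api.example.com leaf cert>",
    "<sha256 hex of backup cert>",
}

if __name__ == "__main__":
    try:
        s = pinned_connect("api.example.com", 443, PINNED)  # placeholder host
        s.close()
        print("pin ok")
    except (PinMismatch, OSError, ssl.SSLError) as e:
        print("refused by pin check or network error:", e)
```

Pinning the whole leaf certificate, as above, is the simplest form and fails on every renewal, which is why the backup pin matters. Pinning the public key (SPKI) survives renewals that keep the key, but extracting the SPKI needs an ASN.1 parser such as the `cryptography` package; the comparison logic is the same either way.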

5. Train Your People — Seriously

Technology alone doesn't solve this. Your employees are the ones connecting to rogue Wi-Fi, clicking through certificate warnings, and entering credentials into spoofed login pages. Social engineering is the gateway to most MITM attacks.

A structured cybersecurity awareness training program teaches your staff to recognize the warning signs — suspicious networks, unexpected certificate errors, and unusual login behavior. Pair that with regular phishing awareness training to build the muscle memory that stops social engineering attacks before they succeed.

Can a VPN Prevent a Man in the Middle Attack?

A VPN encrypts traffic between your device and the VPN server, which prevents attackers on the local network from reading intercepted data. If your employee connects to a rogue Wi-Fi hotspot but routes all traffic through a corporate VPN, the attacker sees only encrypted gibberish.

However, a VPN isn't a silver bullet. If the attacker compromises the VPN endpoint itself, or if the employee enters credentials into a phishing site reached through the VPN tunnel, the VPN provides no protection. VPNs are one layer in a defense-in-depth strategy — not a standalone solution.

The Network Segmentation Gap Most Companies Ignore

Here's something I see constantly during assessments: flat networks. Everything — printers, IoT devices, employee workstations, servers — sits on the same network segment. An attacker who gains a foothold on a smart thermostat can ARP spoof their way into intercepting traffic between workstations and domain controllers.

Proper network segmentation isolates critical assets. Your guest Wi-Fi should never touch your production network. Your IoT devices should sit on their own VLAN with no route to sensitive systems. This doesn't just reduce MITM risk — it limits the blast radius of any compromise.

Your Exposure Is Larger Than You Think

Remote work has expanded the attack surface dramatically. Your employees connect from home networks, airport lounges, hotel rooms, and coworking spaces. Every one of those environments is a potential MITM staging ground.

The organizations I see handling this well share three traits: they enforce VPN usage for all corporate access, they mandate multi-factor authentication on every application, and they invest in ongoing security awareness training that covers real-world attack scenarios — not just annual compliance checkboxes.

A man in the middle attack succeeds because the victim trusts the connection. Break that assumption. Verify everything. Encrypt everything. Train everyone.

Start by assessing where your gaps are. Then build the layers that make interception pointless.