What is a Man-in-the-Middle Attack?

8 minute read
Intermediate

Man-in-the-middle attacks intercept communications between two parties. Learn how MitM works, the adversary-in-the-middle phishing technique that bypasses MFA, and how to defend against interception attacks.

MitM Attack Types

ARP Spoofing

On local area networks, ARP (Address Resolution Protocol) spoofing sends forged ARP replies that associate the attacker's MAC address with the IP address of another host, most often the default gateway, so that the victim's ARP cache now directs gateway-bound frames to the attacker. Poisoning both the victim's and the gateway's caches and forwarding the frames lets the attacker sit silently in the path in both directions and read or modify anything that is not otherwise encrypted (TLS still protects the content of HTTPS sessions; an attacker who does not forward simply causes an outage). ARP has no authentication, so the controls are switch-side (Dynamic ARP Inspection, static entries for critical hosts) and detection: an IP whose advertised MAC changes, or a single MAC that suddenly claims several IPs.
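The detection side of the paragraph above, as an added example that is not code from the original page: the check that tools such as arpwatch perform, run over a constructed capture of ARP replies. The trusted gateway entry, MAC addresses and packet timestamps are all constructed for the example; in practice the baseline would come from a static ARP entry or DHCP and switch data.

```python
"""Detect ARP cache poisoning from a stream of observed ARP replies.

Added example (not the page's code). It watches 'is-at' ARP replies and flags
  1. an IP whose advertised MAC changes, including flapping back and forth as
     the real host keeps answering, and
  2. one MAC that claims more than one IP, the signature of an attacker
     impersonating both the gateway and a victim to relay in both directions.
The packet records and the trusted gateway mapping below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ArpReply:
    ts: float          # capture timestamp (seconds)
    sender_ip: str     # "sender protocol address" field of the ARP header
    sender_mac: str    # "sender hardware address" field


# Assumption: seeded from a static ARP entry or a trusted baseline capture.
TRUSTED_GATEWAY = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_spoof(replies: Iterable[ArpReply],
                     trusted: Dict[str, str] = TRUSTED_GATEWAY) -> List[str]:
    ip_to_mac: Dict[str, str] = {ip: mac.lower() for ip, mac in trusted.items()}
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts: List[str] = []
    for r in replies:
        mac = r.sender_mac.lower()
        known = ip_to_mac.get(r.sender_ip)
        if known is not None and known != mac:
            alerts.append(f"t={r.ts:.1f} MAC change for {r.sender_ip}: {known} -> {mac}")
        ip_to_mac[r.sender_ip] = mac
        claimed = mac_to_ips[mac]
        if claimed and r.sender_ip not in claimed:
            # This MAC already answered for another IP: it now claims several.
            claimed.add(r.sender_ip)
            alerts.append(f"t={r.ts:.1f} {mac} now claims several IPs: {sorted(claimed)}")
        else:
            claimed.add(r.sender_ip)
    return alerts


# Constructed capture: legitimate gateway and workstation, then an attacker
# (de:ad:be:ef:00:99) poisoning both sides, then the real gateway answering
# again so the mapping flaps.
SAMPLE_REPLIES = [
    ArpReply(1.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply(2.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
    ArpReply(3.0, "192.168.1.1", "de:ad:be:ef:00:99"),
    ArpReply(3.1, "192.168.1.20", "de:ad:be:ef:00:99"),
    ArpReply(4.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
]

if __name__ == "__main__":
    for line in detect_arp_spoof(SAMPLE_REPLIES):
        print(line)
```

The flapping alert at t=4.0 is the one that distinguishes poisoning from a legitimate NIC replacement: a replaced card changes the mapping once, while a poisoned cache sees the real host and the attacker alternately winning.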

SSL Stripping

SSL stripping downgrades HTTPS connections to HTTP by intercepting the victim's initial plaintext request (the one that would normally be answered with a redirect to HTTPS) and serving the victim an unencrypted connection while the attacker maintains an encrypted connection to the legitimate server. From the victim's perspective they are browsing normally, apart from a missing padlock; from the attacker's perspective all traffic, including credentials and cookies, is visible in plaintext. HTTP Strict Transport Security (HSTS) defends against this by instructing the browser to rewrite every future http:// request for the domain to https:// before it leaves the device. Two caveats: the header only protects a browser that has already received it over HTTPS (the very first visit remains exposed unless the domain is on the browser preload list), and browsers must ignore an HSTS header received over plain HTTP, otherwise an attacker could set or clear the policy.
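To make the HSTS behaviour concrete, here is an added example (not code from the page) of a minimal browser-side HSTS policy store following RFC 6797: it parses the Strict-Transport-Security header, ignores it over plain HTTP, honours max-age expiry and includeSubDomains, and then walks through a stripping attempt on a first visit versus a returning visit. The host names, header values and timestamps are constructed.

```python
"""Browser-side HSTS policy store, simplified from RFC 6797 (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the policy lapses
    include_subdomains: bool


class HstsStore:
    def __init__(self, preloaded: Iterable[str] = ()) -> None:
        self._entries: Dict[str, HstsEntry] = {}
        for host in preloaded:                      # preload list: never expires
            self._entries[host.lower()] = HstsEntry(float("inf"), True)

    @staticmethod
    def parse(header: str) -> Optional[Tuple[int, bool]]:
        """Return (max_age, include_subdomains) or None if the header is invalid."""
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return None
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None or max_age < 0:
            return None                             # max-age is mandatory
        return max_age, include_sub

    def process_response(self, host: str, header: str, over_tls: bool, now: float) -> bool:
        """Apply a Strict-Transport-Security header; returns True if the policy changed."""
        if not over_tls:
            return False      # RFC 6797 8.1: ignore STS received over plain HTTP
        parsed = self.parse(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:                            # max-age=0 revokes the policy
            self._entries.pop(host, None)
            return True
        self._entries[host] = HstsEntry(now + max_age, include_sub)
        return True

    def should_upgrade(self, host: str, now: float) -> bool:
        """True if an http:// request to host must be rewritten to https://."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:  # exact host, or covered parent
                return True
        return False


def simulate_ssl_strip_scenario() -> Tuple[bool, bool, bool]:
    store = HstsStore()
    now = 1_700_000_000.0
    # First visit: nothing is known yet, so the browser sends plain HTTP and an
    # on-path attacker can answer it without any redirect. This is the gap.
    first_visit_vulnerable = not store.should_upgrade("login.example.com", now)
    # Header injected by the attacker over plain HTTP is ignored.
    store.process_response("login.example.com", "max-age=31536000", over_tls=False, now=now)
    # Genuine HTTPS response from the site sets the policy for the whole domain.
    store.process_response("example.com", "max-age=31536000; includeSubDomains",
                           over_tls=True, now=now)
    # Returning a week later: the browser upgrades before any packet is sent,
    # so there is no redirect for the attacker to strip.
    returning_protected = store.should_upgrade("login.example.com", now + 7 * 86400)
    # If max-age passes without a refreshing HTTPS visit, protection lapses.
    lapsed = not store.should_upgrade("login.example.com", now + 31536001)
    return first_visit_vulnerable, returning_protected, lapsed


if __name__ == "__main__":
    print(simulate_ssl_strip_scenario())
```

The scenario returns (True, True, True): exposed on first contact, protected on return, exposed again once max-age lapses. That is why the common guidance is a long max-age (a year or more), includeSubDomains, and preload submission for domains that matter.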

Adversary-in-the-Middle Phishing

The most consequential modern MitM variant is adversary-in-the-middle (AiTM) phishing. The victim is lured to an attacker-controlled domain that runs a reverse proxy in front of the real identity provider: the proxy presents a valid TLS certificate for its own lookalike name, relays every request and response to the legitimate login page in real time, and records the password, the one-time code or push approval, and, crucially, the session cookie the service sets once MFA has succeeded. Replaying that cookie gives the attacker an authenticated session without touching MFA again. Real-time relay defeats any second factor that is not bound to the origin (SMS and app OTPs, push approvals). It belongs to a family of MFA-bypass techniques, alongside push fatigue and help-desk social engineering, behind widely reported intrusions at Twilio, Uber, MGM and Caesars, though not all of those used a proxying kit, and it has been used against hundreds of other organizations.

Public Wi-Fi and Rogue Access Points

Public Wi-Fi networks (coffee shops, airports, hotels) are the most accessible environment for MitM attacks because participants are anonymous and the infrastructure is not controlled by an organization the user has reason to trust. Rogue access points advertising names identical or similar to legitimate networks (the "evil twin") capture connections from victims who believe they are on the real network; from there the operator sees every unencrypted request, can answer DNS queries however it likes, and can attempt SSL stripping on sites without HSTS. Because most application traffic is now TLS, the practical exposure is DNS and metadata, legacy or poorly written apps, and the captive-portal step, rather than everything on the wire.

Corporate policy requiring VPN use on any non-corporate network provides meaningful protection against public Wi-Fi MitM by encrypting all traffic before it leaves the device, so a network-level interceptor sees only the tunnel. The protection covers the path between the device and the VPN gateway and nothing beyond it; the captive-portal exchange before the tunnel is up, DNS queries that leak around the tunnel, and split-tunnel exceptions remain exposed. An always-on configuration with a kill switch that blocks traffic when the tunnel is down is what makes the policy effective in practice.

Defending Against MitM

Encryption is the primary defense, with caveats worth knowing. HTTPS with HSTS stops SSL stripping for any browser that has already seen the header; adding the domain to the preload list closes the first-visit gap. VPNs protect traffic on untrusted networks between the device and the VPN gateway. Certificate pinning prevents certificate substitution but is practical mainly in mobile and service-to-service clients; browsers dropped HPKP, so for browser-facing domains rely on Certificate Transparency monitoring, which surfaces certificates issued for your domains that you did not request. Monitoring for ARP anomalies (an IP whose MAC changes, or one MAC claiming several IPs) and switch features such as Dynamic ARP Inspection address local spoofing. Against AiTM phishing, phishing-resistant MFA (FIDO2/WebAuthn) is the control that holds: the authenticator signs the service's challenge together with the origin the browser actually loaded, so an assertion produced on a lookalike domain is rejected by the real service and the proxy never obtains a completed session. OTP codes and push approvals carry no such binding and relay cleanly.
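The origin binding described here, and the reason the AiTM proxy of the earlier section cannot relay a FIDO2 login the way it relays an OTP, as an added example that is not code from the page or from any named vendor. It models three parties: a toy authenticator, the victim's browser, and the relying party (RP). The browser's RP ID check and the origin the RP verifies inside the signed clientDataJSON are real WebAuthn behaviour; the signature is simplified to an HMAC over a key shared at registration (a real authenticator signs with a private key such as ECDSA P-256 and the RP holds only the public key). The domains, keys and challenge are constructed.

```python
"""Why an AiTM proxy cannot relay a FIDO2/WebAuthn login (added example).
Simplification: the assertion 'signature' is an HMAC with a key shared at
registration; real authenticators use asymmetric keys. Domains are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Authenticator:
    def __init__(self) -> None:
        self.credentials: Dict[str, bytes] = {}   # RP ID -> credential key

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.credentials[rp_id] = key
        return key  # stands in for the public key handed to the RP

    def get_assertion(self, rp_id: str, client_data_hash: bytes) -> Optional[Tuple[bytes, bytes]]:
        key = self.credentials.get(rp_id)
        if key is None:
            return None   # credentials are scoped to the RP ID they were created for
        # authenticatorData = rpIdHash || flags (UP|UV) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def host_of(origin: str) -> str:
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


def browser_get(origin: str, rp_id: str, challenge: bytes, authn: Authenticator):
    """The browser decides which RP IDs an origin may use and writes the true
    origin into clientDataJSON before anything is signed; the page cannot."""
    host = host_of(origin)
    if not origin.startswith("https://") or not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"{origin} may not use RP ID {rp_id}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()
    result = authn.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    if result is None:
        raise LookupError(f"no credential for RP ID {rp_id}")
    auth_data, sig = result
    return client_data, auth_data, sig


def rp_verify(expected_origin: str, rp_id: str, challenge: bytes, key: bytes,
              client_data: bytes, auth_data: bytes, sig: bytes) -> Tuple[bool, str]:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge"
    if cd.get("origin") != expected_origin:
        return False, "origin"           # assertion was produced on another site
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash"
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature"
    return True, "ok"


RP_ID = "example.com"
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.examp1e.com"   # attacker's reverse proxy (constructed)


def simulate() -> Dict[str, object]:
    authn = Authenticator()
    key = authn.register(RP_ID)
    challenge = secrets.token_bytes(32)  # issued by the RP; the proxy relays it unchanged
    # 1. Legitimate login from the real origin succeeds.
    cd, ad, sig = browser_get(RP_ORIGIN, RP_ID, challenge, authn)
    legit, _ = rp_verify(RP_ORIGIN, RP_ID, challenge, key, cd, ad, sig)
    # 2. AiTM: the proxied page asks for RP ID example.com from the lookalike origin.
    try:
        browser_get(PHISH_ORIGIN, RP_ID, challenge, authn)
        proxy_got_assertion = True
    except PermissionError:
        proxy_got_assertion = False
    # 3. The proxy rewrites the RP ID to its own domain: no credential exists for it.
    try:
        browser_get(PHISH_ORIGIN, "examp1e.com", challenge, authn)
        rewritten_ok = True
    except LookupError:
        rewritten_ok = False
    # 4. Even if a broken browser skipped check 2, the phishing origin sits inside
    #    the signed clientDataJSON and the RP rejects it.
    forged_cd = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": PHISH_ORIGIN}).encode()
    ad2, sig2 = authn.get_assertion(RP_ID, hashlib.sha256(forged_cd).digest())
    forged, reason = rp_verify(RP_ORIGIN, RP_ID, challenge, key, forged_cd, ad2, sig2)
    return {"legit": legit, "proxy_got_assertion": proxy_got_assertion,
            "rewritten_rp_id": rewritten_ok, "forged": forged, "forged_reason": reason}


if __name__ == "__main__":
    print(simulate())
```

Contrast this with a six-digit TOTP: the code contains nothing about where it was typed, so the proxy simply forwards it and the real service accepts it. With WebAuthn the proxy is stopped twice, once by the browser refusing the RP ID and once by the RP refusing the origin, and the session cookie it is after is never issued.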

Real-World Example: AiTM Phishing Bypasses MFA at Scale

Microsoft's threat intelligence team documented a large-scale AiTM phishing campaign in 2022 that targeted over 10,000 organizations. The campaign used a reverse-proxy phishing kit of the kind implemented by open-source frameworks such as Evilginx2 to proxy Microsoft 365 authentication in real time. Victims received convincing phishing emails, clicked through to a page that proxied their actual Microsoft 365 login, completed MFA as normal, and had their session cookies captured. The attackers then replayed those cookies to access the victims' mailboxes, added inbox rules to hide replies, and ran payment-fraud BEC threads from the legitimate accounts.

35% of enterprise network traffic is not encrypted at the application layer, even in 2026, creating interception opportunities for man-in-the-middle attackers on the same network segment as their targets.

How Cloudskope Can Help

Cloudskope's security assessments evaluate protection against network-level MitM attacks, AiTM phishing exposure through email security and MFA method assessment, and SSL/TLS implementation across internet-facing services.