What is a man-in-the-middle attack and how can I protect my organization?

Much of the flow of modern, global communication and information runs between endpoints via browsers, networks and applications. Threat actors look for opportunity or weakness to inject themselves and steal sensitive corporate data or trick users into divulging passwords or entry to systems. This is known as a man-in-the-middle attack (MITM) and corporate leaders should make it a priority to understand how it works and how best to mitigate its impact.

A man-in-the-middle attack involves a malicious third-party intercepting communications between two other parties. MITM attacks, also known as adversary in the middle (AITM) attacks, aim to be as covert as possible—sitting silently between message sender and receiver, unseen.

A man-in-the-middle attack could target data transfers between machines or communications between individuals. It could involve passively eavesdropping on those communications or using malware or other techniques to redirect one party unwittingly to a spoofed destination. It may even see the attacker impersonate an individual to trick them into performing specific actions, such as making big-money wire transfers through a business email compromise (BEC) attack

Typically, the two stages of a typical man-in-the-middle attack include intercepting data and the decrypting of that data.

Here's a short list of some common attacks:

An email attack is an attack in which a hacker is able to compromise one party's account (e.g., via phishing) and eavesdrop on their conversations. They could then step in to reroute messages and/or take additional actions such as changing payment instructions.

This attack often involves setting up a spoofed hotspot in a public place, waiting for victims to log on and then observing their communications. Alternatively, attackers could carry out ARP poisoning/spoofing, where they link their MAC (media access control) address with a legitimate IP address on the same network. This, in effect, tricks the local router and legitimate IP address into using the attacker device as a de facto gateway, through which all communications are routed. In this way, the attacker could grab session tokens to give them access to an entire session, for example.

This enables an attacker to reroute traffic bound for a legitimate site to a server under their control using a fake IP address.

This form of interception also enables attackers to redirect users away from legitimate sites and to servers under their control—this time by accessing a domain name system (DNS) server and altering its records.

This is used in so-called "man-in-the-browser" attacks. Installing malware on a victim's device (e.g., via phishing) redirects their traffic to fake websites and networks.

Assuming the traffic is encrypted (which it isn't if the attacker has hijacked email communications), there are several ways to make it readable again. These include:

HTTPS spoofing
This is when a fake certificate is sent to the victim's browser, tricking it into verifying a compromised application. That enables the attacker to read any data en route to the application.

SSL hijacking
This involves forged authentication keys¹ (sent by the attacker) to the user and application, tricking them into thinking it's a secure connection.

SSL stripping
This form of decryption involves Transport Layer Security (TLS) authentication sent from an application/website is downgraded from HTTPS to HTTP. This reveals the victim's entire session/traffic to the attacker.

By eavesdropping in this way and directing victims to phishing and other sites, attackers are able to steal employee passwords, highly regulated customer information, IP addresses and private messages. They could also use MITM attacks to install malware on a victim's device or trick them into doing their bidding by impersonating the intended recipient of the victim's communications.

As such, MITM attacks could cause potentially serious financial and reputational damage stemming from data theft, BEC and resulting compliance, legal, customer churn and other impacts.

MITM attacks by their very nature are designed to go undetected. A few notable examples below highlight the variety of threats in this category:

• A massive MITM campaign started in 2021 targeted as many as 10,000 Microsoft customers. Attackers sent victims a phishing email that directed them to a phishing page designed to harvest credentials and session cookies. The latter were then used to bypass multi-factor authentication (MFA), access the victims' email accounts and use them to conduct BEC campaigns.
• An attacker spoofed the email domains of an Israeli startup CEO and his account manager at a Chinese VC firm and sent fake messages to both parties in what is known as a business email compromise (BEC). This enabled the threat actor to conduct a man-in-the-middle attack where both parties were unwittingly communicating with the hacker. It led to a $1 million wire transfer to the attacker.
• Drones carrying Wi-Fi devices, laptops and batteries were used in an attempted MITM attack on a large U.S. financial firm.

While all industries should be concerned about MITM attacks, those with large numbers of users and devices accessing their networks, such as healthcare and education, have a higher threat profile.

Greater adoption of HTTPS and advances in browser technology have reduced risk for organizations. But even HTTPS connections aren't 100% safe from advanced attacks, as noted above. On the other hand, recent developments may have made attacks more likely, including:

• The use of work laptops and devices at home that may not be well secured with anti-malware or software updates
• Remote workers who may be more distracted than office-bound colleagues (and therefore more likely to click on phishing links, for example)
• The use of public Wi-Fi while out of the office
• Poor cyber hygiene, such as not using MFA
• The proliferation of mobile apps to access corporate resources—attackers can inject code into legitimate applications and use malicious apps to intercept data, or even install their own proxy to read data between devices and remote APIs
• The growth in enterprise Internet of Things (IoT) deployments. IoT endpoints are often not updated and may be protected only by weak passwords. That provides an opportunity to hijack communications and send tampered data to the cloud masquerading as the legitimate endpoint. This technique could be used to sabotage equipment and business processes