In this article, we explain what a man-in-the-middle (MitM) attack is and explore the various types and examples. We'll break down the risks these attacks pose and provide real-world man-in-the-middle attack examples. By the end, you'll understand how MitM attacks work, how to recognize them, and the key cybersecurity strategies and steps you can take to protect yourself and your business.
How Man-in-the-Middle Attacks Work
Man-in-the-Middle (MitM) attacks occur when cybercriminals position themselves between two parties who believe they are communicating directly with each other, in order to steal, modify, or manipulate data. The attack typically unfolds in four stages:
Interception – The attacker gains access to a network or communication channel.
Eavesdropping – The attacker passively listens and captures data, such as login credentials or financial details.
Manipulation – The attacker may modify messages, inject malicious code, or redirect transactions without the victim knowing.
Execution – The attacker exploits the stolen information for fraud, identity theft, or system infiltration.
MitM attacks can occur on public Wi-Fi, during financial transactions, or even within corporate computer networks. They often go unnoticed until damage is done—whether it’s stolen login credentials, financial fraud, or leaked sensitive business data.
What are common man-in-the-middle attack techniques?
Man-in-the-middle attacks can take many forms, but they all involve an attacker secretly intercepting and manipulating communication between two parties. Understanding the most common methods used in these attacks can help you recognize potential threats and take steps to protect your data.
1. Business Email Compromise (BEC): The Most Dangerous & Prevalent MitM Tactic You Might Be Ignoring
The sharp increase in Business Email Compromise (BEC) and similar attacks has left many organizations urgently seeking better protection. As organizations rely on physical servers less and the cloud more, we see bad actors focus less on ransomware and more on cloud environments, specifically email.
MFA Isn't Enough.
Business Email Compromise is on the rise—and even MFA isn’t enough. With man-in-the-middle attacks, bad actors can steal your credentials and MFA codes, making account takeovers look completely legitimate.
Multifactor authentication used to be a great way to increase security. However, bad actors are now bypassing MFA by using man-in-the-middle attacks. This video explains how: users are sent, via phishing texts or emails, to fake websites designed to steal credentials, using lures such as:
"You have received a voicemail, click to hear"
"Your password has expired, click here to change"
"You have a received a secure message, click here to access"
How Phishing Emails Open the Door to Man-in-the-Middle Attacks
Phishing remains one of the most common tactics attackers use to gain initial access to corporate systems. If an employee clicks the link in a phishing email, they are brought to a fake website that captures their username, password, and MFA code.
The bad actor uses this information to log in and take control of the victim's online account. Once an attacker has access to one person's email account, they can see the other accounts in that company and potentially all of its contacts, and can then jump from company to company.
AI Is Supercharging Cybercriminals’ Capabilities
Bad actors are also now more sophisticated with access to artificial intelligence. They are using AI-based tools that make crafting emails, texts, and other content faster, easier, and harder to detect. AI also makes it easier to sift through all of the data they're looking at. Bad actors can easily read through 10 or more years of email and ask AI to show emails that contain financial payment information. AI can show the bad actor who does accounting. They can have AI write an email as the employee and send it to someone the employee corresponds with, asking to change payment information. All of it is written in grammatically correct sentences and is much harder to recognize as suspicious.
EXAMPLES of Phishing Emails from the Söze Syndicate: A Real-World BEC Threat Actor
One bad actor is called the Söze Syndicate. It had accelerated its efforts throughout the summer, at one point accounting for 65% of all the attempted BEC attacks Todyl saw. It targeted small businesses and midmarket companies using tactics to avoid detection and bypass MFA and advanced impersonation techniques to compromise accounts. Its strategies ranged from AiTM to SharePoint phishing to installing rogue applications.
Sometimes the email will contain the Microsoft logo and say things like:
"You have a document shared with you securely. Click items below to authenticate and decrypt."
Often, extra information like a 'Reference Number' and 'Status' is included to fake the legitimacy of the request.
"Missed Voicemail" Phishing Email
This attack begins when the victim receives an email informing them that they have missed a phone call, along with a request to login to their account to access their voicemail. This missed voicemail phishing email contains an HTML file as an attachment to “listen to the voicemail”. Opening or loading the file redirects them to a fake login page.
"Password Expiry Notice: Hello... Password to your email account expires today at 1200am. To avoid Service interuption, your verification is required accordingly. To keep default Password settings, follow or copy and paste this link to browser:"
These emails look like routine IT notices, prompting users to urgently update their passwords—but instead send them straight to a phishing site.
Other common methods used in MitM attacks include:
2. Public Wi-Fi Eavesdropping
Hackers set up rogue Wi-Fi hotspots or exploit unencrypted networks to intercept user activity.
Risk: Logging into an online bank or work account on public Wi-Fi can expose passwords.
3. DNS Spoofing
Attackers alter a device’s Domain Name System (DNS) settings to redirect users to fake websites that look legitimate.
Risk: You think you're logging into your bank's website but end up entering credentials on a hacker-controlled site.
4. Session Hijacking
Attackers steal session cookies—temporary data that keeps users logged into websites—to take over accounts.
Risk: An attacker can gain full control of an online account without needing login credentials.
5. Email Interception & Spoofing
Cybercriminals manipulate email threads, making fraudulent messages appear as if they come from trusted senders.
Risk: Businesses can unknowingly send payments to fraudulent accounts due to altered invoices.
6. HTTPS Stripping
Hackers downgrade encrypted HTTPS connections to unprotected HTTP, exposing data transmissions.
Risk: Users unknowingly enter sensitive information on insecure pages that attackers can read.
Real-World Man in the Middle Attack Examples
Case Study: Voicemail Phishing Leads to MitM Incident at Missouri-Based CPA Firm
What Happened?
A Missouri-based CPA firm faced a man-in-the-middle (MitM) scare when an employee mistakenly clicked on a phishing email disguised as a voicemail notification. This allowed an outside party to briefly access the firm's IT environment.
“Security tools can't stop what employees don’t recognize—ongoing training is your first line of defense against man-in-the-middle attacks.”
How It Was Fixed:
Fortunately, the firm acted quickly—cybersecurity insurance was notified, and a forensic investigation confirmed that no sensitive client or financial data had been accessed. The incident highlights how even brief intrusions via MitM tactics can occur despite best efforts, and reinforces the need for ongoing employee training and advanced security protection.
Case Study: Phishing Email Leads to Email Compromise at Construction Firm
What Happened?
A Missouri-based construction company experienced a man-in-the-middle-style phishing attack after two employees clicked on a malicious email. An external bad actor gained access to the email environment, and used the compromised accounts to send out fake bid opportunity emails to contacts—posing a serious reputational risk.
How It Was Fixed:
The company promptly involved their cybersecurity insurance provider, who coordinated forensic analysis and remediation. The incident underscores how quickly phishing attacks can escalate and the importance of strong email security and employee awareness training.
Case Study: The Public Wi-Fi Trap
What Happened?
A company executive connected to airport Wi-Fi to check emails. Unbeknownst to them, a hacker had created a rogue Wi-Fi network labeled "Free Airport Wi-Fi." The hacker intercepted login credentials for the company’s internal platform.
How It Was Fixed:
The company implemented Multi-Factor Authentication (MFA) to prevent unauthorized access.
Employees were trained to use VPNs when working remotely.
Case Study: Invoice Tampering via Email Spoofing
What Happened?
A small business received an email from a known supplier requesting an invoice payment. However, the attacker intercepted and altered the email, changing the bank details. The company unknowingly wired money to a fraudulent account.
How It Was Fixed:
The company implemented DMARC, DKIM, and SPF email authentication protocols.
A verification process for financial transactions was enforced to confirm bank details over the phone.
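To show what the email-authentication fix in this case study actually changes, here is an added example (written for this article, not code from any of the firms or products mentioned) that parses a DMARC record and works out what a receiving mail server does with an invoice whose visible From: domain is the supplier's but whose SPF and DKIM results belong to an attacker's domain. The domain names and records are constructed, and the organizational-domain step is a simplification that does not consult the Public Suffix List.

```python
# Constructed sample data: a supplier whose domain is being spoofed in an invoice email.
SUPPLIER = "trusted-supplier.example"
ATTACKER = "lookalike-mailer.example"

# Monitor-only record (p=none) beside an enforcing record with strict alignment.
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@trusted-supplier.example"
DMARC_STRONG = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@trusted-supplier.example"

def parse_dmarc(record):
    """Turn a DMARC TXT record into its policy tags, applying RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}

def org_domain(domain):
    # Simplification for this example: the last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(record, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """What a DMARC-checking receiver does with a message, given its SPF/DKIM results."""
    pol = parse_dmarc(record)
    spf_ok = bool(spf_domain) and spf_pass and aligned(spf_domain, from_domain, pol["aspf"])
    dkim_ok = bool(dkim_domain) and dkim_pass and aligned(dkim_domain, from_domain, pol["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return {"none": "deliver (monitor only)", "quarantine": "quarantine", "reject": "reject"}[pol["p"]]

def spoofed_invoice(record):
    # The altered invoice: From: shows the supplier, but the mail really came from the
    # attacker's infrastructure, so SPF passes only for the attacker's domain and there is no DKIM.
    return dmarc_result(record, SUPPLIER, spf_domain=ATTACKER, spf_pass=True, dkim_domain=None, dkim_pass=False)

def genuine_invoice(record):
    # The real supplier's mail: SPF and DKIM both pass for the supplier's own domain.
    return dmarc_result(record, SUPPLIER, spf_domain=SUPPLIER, spf_pass=True, dkim_domain=SUPPLIER, dkim_pass=True)
```

With the monitor-only record the spoofed invoice is still delivered; only the enforcing record causes the receiver to reject it, which is why publishing DMARC at p=none alone does not close this hole.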
What is the most famous man in the middle attack?
One of the most famous man-in-the-middle (MITM) attacks is the 2017 Equifax data breach, where attackers exploited a vulnerability to access the financial data of nearly 150 million people.
Equifax Data Breach (2017):
What happened:
Equifax, a credit reporting agency, suffered a data breach due to a vulnerability in its web application framework.
Impact:
The attack exposed the personal information of nearly 150 million people, including names, Social Security numbers, birthdates, addresses, and driver's license numbers.
MITM element:
The attackers exploited a vulnerability to intercept and steal data from the Equifax website.
Consequences:
The breach led to significant reputational damage for Equifax, as well as legal and financial repercussions.
Other widely cited examples include:
DigiNotar, a Dutch company that issued digital certificates, was compromised, leading to the creation of fake certificates for major companies like Google, Mozilla, and Skype.
The Lapsus$ hacking group carried out a successful man-in-the-middle attack that targeted over 10,000 Office 365 users by spoofing the Office 365 landing page.
A British couple (the Luptons) lost £340,000 in an email eavesdropping/email hijacking MITM attack.
How to Protect Against Man-in-the-Middle Attacks
Use Multi-Factor Authentication (MFA)
Even if a hacker steals your login credentials, MFA prevents them from accessing your account with your login credentials alone.
However, it’s important to note that MFA by itself is not foolproof—advanced Man-in-the-Middle (MitM) attacks can and will still intercept and exploit MFA codes, making layered security measures essential.
Implement Managed Detection and Response
We need more than just MFA to protect ourselves.
Managed Detection and Response is a next-generation defense beyond antivirus and firewall protection. It looks at behaviors such as:
It detects and alerts you if suspicious inbox rules have been created on accounts, helping thwart attackers' attempts to siphon information covertly.
It notifies you when someone registers potential typo-squatting domains for the domains you own.
It monitors for authentication events to your user accounts from outside your company's service area or from unusual IPs.
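As an added illustration of the three behaviors listed above (example code written for this article, not Certified NETS' or any MDR product's own detection logic), the script below runs over constructed, simplified audit events: inbox rules that forward, hide, or single out financial mail; sign-ins from outside an assumed service-area IP range; and newly seen domains that resemble the organization's own. The event field names, domains, and IP ranges are all assumptions.

```python
import ipaddress
from difflib import SequenceMatcher

# Assumed values for this example (RFC 5737 documentation range), not any real tenant's.
OWNED_DOMAINS = {"example-cpa.com"}
SERVICE_AREA = [ipaddress.ip_network("203.0.113.0/24")]
HIDE_FOLDERS = {"RSS Feeds", "Deleted Items", "Archive", "Conversation History"}
KEYWORDS = ("invoice", "payment", "wire", "password", "mfa")

# Constructed, simplified audit events; field names follow no vendor's schema.
EVENTS = [
    {"op": "UserLoggedIn", "user": "ap@example-cpa.com", "ip": "203.0.113.8"},
    {"op": "UserLoggedIn", "user": "ap@example-cpa.com", "ip": "198.51.100.77"},
    {"op": "New-InboxRule", "user": "ap@example-cpa.com",
     "params": {"SubjectContainsWords": "invoice;payment", "DeleteMessage": True}},
    {"op": "New-InboxRule", "user": "ceo@example-cpa.com",
     "params": {"ForwardTo": "mail@attacker.example", "MarkAsRead": True}},
    {"op": "New-InboxRule", "user": "hr@example-cpa.com",
     "params": {"MoveToFolder": "Projects", "FromAddressContainsWords": "vendor"}},
]
NEW_DOMAINS = ["example-cpa.co", "exarnple-cpa.com", "unrelated-site.org"]

def check_inbox_rule(ev):
    """Rules that exfiltrate, hide, or single out financial mail are the classic
    post-compromise move in a BEC intrusion; return the reasons that apply."""
    p, reasons = ev["params"], []
    fwd = p.get("ForwardTo") or p.get("RedirectTo") or p.get("ForwardAsAttachmentTo")
    if fwd and fwd.rsplit("@", 1)[-1].lower() not in OWNED_DOMAINS:
        reasons.append(f"forwards mail to external address {fwd}")
    if p.get("DeleteMessage") or p.get("MoveToFolder") in HIDE_FOLDERS:
        reasons.append("hides matching mail from the user")
    if any(k in (p.get("SubjectContainsWords") or "").lower() for k in KEYWORDS):
        reasons.append("filters on financial or credential keywords")
    return reasons

def check_signin(ev):
    """Flag authentication from outside the expected service-area IP range."""
    ip = ipaddress.ip_address(ev["ip"])
    return [] if any(ip in net for net in SERVICE_AREA) else [f"sign-in from outside service area: {ip}"]

def lookalike(domain, threshold=0.85):
    """Owned domains this newly seen domain closely resembles (possible typo-squatting)."""
    return [o for o in OWNED_DOMAINS if o != domain and SequenceMatcher(None, domain, o).ratio() >= threshold]

def triage(events=EVENTS, new_domains=NEW_DOMAINS):
    """Return (subject, event type, reasons) for every event worth an alert."""
    checks = {"New-InboxRule": check_inbox_rule, "Set-InboxRule": check_inbox_rule, "UserLoggedIn": check_signin}
    alerts = [(ev["user"], ev["op"], r) for ev in events if (r := checks.get(ev["op"], lambda _: [])(ev))]
    return alerts + [(d, "lookalike-domain", m) for d in new_domains if (m := lookalike(d))]
```

Running `triage()` on the sample data flags the two malicious rules, the out-of-area sign-in, and the two look-alike domains, while the ordinary "move vendor mail to Projects" rule and the in-office sign-in pass quietly.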
Secure Your Office 365 Perimeter with Microsoft Entra and Intune
Microsoft Entra and Intune work together to strengthen the perimeter around your Office 365 environment. With the right licensing and configuration, you can enforce policies that only allow trusted, company-managed devices to connect—dramatically reducing the risk of unauthorized access.
If your Office 365 environment is set up to only allow corporate devices to connect, then you greatly reduce the odds of a bad actor gaining access.
For example, even if a bad actor has stolen login credentials through a man-in-the-middle attack, they still won’t be able to gain entry if they’re not using an approved device. This level of device-based conditional access helps block threats before they reach your sensitive data.
Verify HTTPS and Certificates
Before entering sensitive data, check for the padlock icon in your browser and verify SSL certificates.
Use a VPN on Public Networks
A Virtual Private Network (VPN) encrypts your internet traffic, preventing eavesdropping on public Wi-Fi.
Implement Zero-Trust Security
Organizations should verify every request, assuming no device or user is inherently trustworthy.
Other Advanced Security Measures
Other advanced security measures also help, including:
A Password Manager
Advanced Spam Filtering with next generation artificial intelligence
Advanced MFA protection
Identity protection
Mobile firewall protection
Cyber security education and more
Cybersecurity Insurance is a necessity.
With the escalating frequency and severity of cyber attacks, all businesses, regardless of size or industry, should consider adding cyber insurance coverage to mitigate financial losses stemming from cyber incidents like data breaches, ransomware attacks, and network outages. (Watch: Are You Cyber-Insurable? webinar)
Work with a Local Managed Service and Security Provider in St. Louis
Partner with a local St. Louis Managed Service and Security Provider like Certified NETS and significantly reduce your risk of falling victim to a Man-in-the-Middle (MitM) attack. MSSPs offer proactive monitoring, advanced threat detection, and rapid incident response to identify and mitigate threats before they cause damage. Certified NETS provides tailored cybersecurity strategies to St. Louis area businesses, including network monitoring, endpoint protection, and secure access management.
Additionally, MSSPs ensure compliance with cybersecurity standards like the NIST framework and offer ongoing employee training to recognize potential attacks. By entrusting your cybersecurity to a dedicated team of experts, you can focus on running your business with confidence, knowing your data and communications are secure.
FAQs About Man-in-the-Middle Attacks
Q: How can I detect if I’m being targeted by a MitM attack? What are the signs of a man in the middle attack?
A: Unexpected SSL warnings, network slowdowns, or duplicate login requests can indicate MitM activity.
Q: Are MitM attacks common in business environments?
A: Yes. Cybercriminals frequently target businesses, especially through email spoofing and invoice fraud.
Q: Can VPNs prevent all MitM attacks?
A: VPNs encrypt traffic, making it harder for attackers to eavesdrop, but they don’t protect against phishing or email-based attacks.
Q: What should I do if I suspect a MitM attack?
A: Disconnect from the network, change affected passwords, enable MFA, and report the incident to your IT team.
Q: What is the new name for mitm attack?
A: While "Man-in-the-middle" (MitM) attack is still the commonly used term, some cybersecurity professionals are now suggesting the term "on-path attack" as a more neutral and inclusive alternative.
Q: What is the difference between aitm and mitm?
A: While both Adversary-in-the-Middle (AITM) and Man-in-the-Middle (MITM) attacks involve an attacker inserting themselves into a communication channel, AITM is a more sophisticated and targeted variant of MITM, specifically designed to bypass authentication measures like Multi-Factor Authentication (MFA) and steal credentials/session cookies.
Secure Your Communications Now
MitM attacks are one of the most dangerous yet preventable cybersecurity threats. By understanding how hackers intercept data and taking proactive security measures—such as using MFA, VPNs, and encryption—you can significantly reduce your risk.
For businesses, a zero-trust security strategy combined with robust email and network protections can prevent costly breaches.
Strengthen your defenses with a tailored security strategy from Certified NETS.
Robyn Howes is the President and visionary leader of Certified NETS, where she combines decades of experience in IT strategy, cybersecurity, and operations with a passion for building lasting client relationships. Named to CRN’s Women of the Channel Power Solution Provider list multiple times, Robyn leads with both innovation and integrity—bringing strategic focus and real-world expertise to every engagement.