What Is a Man-in-the-Middle (MITM) Attack? How It Works & Defense
In a man-in-the-middle attack, an attacker secretly sits between you and the service you're talking to — reading, and sometimes altering, everything that passes. Here's how MITM works and how to stop it.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team.
A man-in-the-middle (MITM) attack is a cyberattack in which an attacker secretly positions themselves between two communicating parties — for example, between your browser and a website — to intercept, eavesdrop on, or alter the data passing between them. Neither party realizes a third party is in the middle; they believe they're communicating directly and securely. Because the attacker can read and even modify the traffic, MITM attacks are a powerful way to steal credentials, hijack sessions, and tamper with transactions.
In short: a man-in-the-middle attack is digital eavesdropping with the power to edit. The attacker becomes a silent relay, and as far as you can tell, nothing is wrong.
How a man-in-the-middle attack works
Most MITM attacks involve two phases:
- Interception. The attacker inserts themselves into the communication path so that traffic flows through them instead of directly between the two parties. This might mean controlling a network device, spoofing a trusted system, or luring a victim onto a malicious network.
- Decryption / manipulation. If the traffic is encrypted, the attacker must defeat or strip that encryption to read it. Once they can see the data, they can harvest credentials, steal session cookies, inject malicious content, or quietly alter the messages — for example, changing the bank account number in a payment instruction.
The whole attack depends on the victim trusting a connection that has secretly been compromised, which is why MITM is so closely tied to weaknesses in network trust and encryption.
Common types of MITM attacks
- Wi-Fi eavesdropping / evil twin: the attacker sets up a rogue Wi-Fi hotspot with a legitimate-sounding name (e.g. "Airport Free WiFi"). Anyone who connects routes all their traffic through the attacker.
- ARP spoofing: on a local network, the attacker tricks devices into sending traffic to them instead of the real gateway by forging ARP messages.
- DNS spoofing: corrupting DNS responses so a legitimate domain resolves to a malicious server the attacker controls.
- HTTPS spoofing / SSL stripping: downgrading a secure HTTPS connection to unencrypted HTTP, or presenting a fraudulent certificate, so the attacker can read "secure" traffic.
- Session hijacking: stealing the session cookie that keeps you logged in, letting the attacker take over your authenticated session — closely related to infostealer malware.
- Email hijacking: intercepting email between parties, often to manipulate financial transactions in business email compromise schemes.
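The ARP spoofing entry above describes the attacker replacing the gateway in victims' ARP caches. As an added defender-side example (not code from the original article), the snippet below compares two `ip neigh show` snapshots and flags the two symptoms a poisoned cache shows: the gateway's MAC changing, and one MAC answering for the gateway plus other hosts. The snapshot text and the gateway address are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed `ip neigh show` snapshots for a small LAN (not captured from a real host).
# In the second snapshot the gateway's MAC has flipped to the MAC already used by .30.
SNAPSHOT_BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
"""
SNAPSHOT_AFTER = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
"""
GATEWAY = "192.168.1.1"  # assumed default gateway of the monitored host

NEIGH_LINE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)

def parse_neigh(text: str) -> Dict[str, str]:
    """Map IP -> MAC from `ip neigh` lines; entries without lladdr (FAILED/INCOMPLETE) are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def arp_findings(before: str, after: str, gateway: str) -> List[str]:
    """Compare two neighbour-table snapshots and report symptoms of ARP cache poisoning."""
    old, new = parse_neigh(before), parse_neigh(after)
    findings: List[str] = []
    # Symptom 1: the gateway's MAC changed between snapshots. Legitimate only after a
    # router swap or HA failover, so it should at least be reviewed.
    if gateway in old and gateway in new and old[gateway] != new[gateway]:
        findings.append(f"gateway {gateway} MAC changed {old[gateway]} -> {new[gateway]}")
    # Symptom 2: one MAC now answers for the gateway AND other hosts. A NIC with several
    # aliased IPs can cause this too, so treat it as an alert to investigate, not proof.
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in new.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        others = sorted(set(ips) - {gateway})
        if gateway in ips and others:
            findings.append(f"MAC {mac} claims gateway {gateway} and {', '.join(others)}")
    return findings
```

Run `arp_findings(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, GATEWAY)` to see both alerts; feeding the same snapshot twice returns an empty list.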
What attackers gain from MITM
- Credential theft — capturing usernames and passwords as they're entered.
- Session and account takeover — stealing tokens to impersonate the victim.
- Financial fraud — altering payment details or transactions in transit.
- Data theft — reading confidential communications, contributing to a data breach.
- Malware injection — inserting malicious code into otherwise legitimate web traffic.
Signs and risk factors
MITM attacks are designed to be invisible, but warning signs include unexpected certificate warnings, websites suddenly loading over HTTP instead of HTTPS, repeated unexpected disconnections, and unusually slow connections on public networks. The single biggest risk factor is using untrusted networks — public Wi-Fi in cafés, airports, and hotels is the classic hunting ground.
How to prevent man-in-the-middle attacks
- Insist on strong encryption. Use HTTPS everywhere; modern websites and apps should use TLS, which makes interception far harder. Look for valid certificates and heed browser warnings.
- Enable HSTS on your services. HTTP Strict Transport Security prevents SSL-stripping downgrade attacks by forcing encrypted connections.
- Avoid sensitive activity on public Wi-Fi, or use a reputable VPN to encrypt all your traffic end to end on untrusted networks.
- Use phishing-resistant MFA. Hardware keys and passkeys resist credential theft and many session-hijacking techniques, limiting the value of intercepted logins.
- Validate certificates and use certificate pinning in applications to reject fraudulent certificates.
- Secure your local network. Network segmentation, monitoring, and protections against ARP and DNS spoofing reduce on-network MITM risk.
- Keep software patched as part of strong vulnerability management, since some MITM techniques exploit flaws in network stacks and TLS implementations.
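The HSTS recommendation above is only as good as the header a service actually sends. As an added example that is not part of the original article, this check parses a Strict-Transport-Security header and reports the gaps that leave room for an SSL-stripping downgrade: a plaintext response, a missing header, a malformed or short max-age, or no includeSubDomains. The one-year threshold and the sample responses are assumptions constructed for the example.

```python
from typing import Dict, List, Optional

# Assumed policy threshold: one year, the minimum HSTS preload guidelines expect.
MIN_MAX_AGE = 31536000

def parse_hsts(value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security header value (RFC 6797 directive syntax)."""
    policy: Dict[str, object] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            policy["max-age"] = int(val) if val.isdigit() else None  # None = malformed
        elif name in ("includesubdomains", "preload"):
            policy[name] = True
    return policy

def audit_hsts(scheme: str, headers: Dict[str, str]) -> List[str]:
    """Report how much room a response leaves for an SSL-stripping downgrade."""
    findings: List[str] = []
    if scheme.lower() != "https":
        findings.append("served over HTTP: browsers ignore HSTS on plaintext responses")
    # Header names are case-insensitive, so match without regard to case.
    hsts: Optional[str] = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        findings.append("no Strict-Transport-Security header: a later HTTP downgrade is accepted")
        return findings
    policy = parse_hsts(hsts)
    max_age = policy.get("max-age")
    if max_age is None:
        findings.append("max-age missing or malformed: the HSTS header has no effect")
    elif max_age == 0:
        findings.append("max-age=0: policy is being withdrawn, not enforced")
    elif max_age < MIN_MAX_AGE:
        findings.append(f"max-age {max_age}s is short; an expired policy reopens the downgrade window")
    if not policy.get("includesubdomains"):
        findings.append("includeSubDomains absent: subdomains can still be downgraded")
    return findings

# Constructed sample responses (scheme, headers), not captured from any real site.
WEAK = ("https", {"Strict-Transport-Security": "max-age=300"})
STRONG = ("https", {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"})
STRIPPED = ("http", {})  # what the victim's browser sees after SSL stripping
```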
Where MITM fits in an attack
A man-in-the-middle attack is rarely the whole story — it's usually a means to an end. Mapped to the cyber kill chain, MITM most often serves delivery (injecting malware), exploitation, and the theft of credentials that enable later stages like lateral movement. Understanding it as one technique among many in an attacker's TTPs helps defenders see where intercepted credentials might lead next.
A real-world MITM scenario
To see how the pieces fit together, picture a traveler working from an airport. An attacker sets up an "evil twin" hotspot named to look like the airport's official Wi-Fi. The traveler connects, and now all their traffic flows through the attacker's laptop. When the traveler visits a website, the attacker performs SSL stripping, quietly downgrading the connection so the login page loads over unencrypted HTTP. The victim types their email password as usual — and the attacker captures it in plaintext. Worse, the attacker also lifts the session cookie, letting them step into the victim's already-authenticated account without even needing the password again. Nothing on the victim's screen looked obviously wrong; the only subtle clue was the missing padlock. This single scenario illustrates why the core defenses — verifying HTTPS, distrusting public Wi-Fi, using a VPN, and enabling phishing-resistant MFA — map directly to the steps of the attack.
Where threat intelligence fits
Threat intelligence tracks the tools, rogue infrastructure, and techniques used to carry out interception attacks, as well as the credential dumps and session tokens that surface afterward. Knowing which networks, certificates, or campaigns are associated with active MITM activity helps defenders detect interception and respond before stolen data is used.
The bottom line
A man-in-the-middle attack secretly inserts an attacker between two parties to eavesdrop on or alter their communication, enabling credential theft, session hijacking, and financial fraud. Its many forms — evil-twin Wi-Fi, ARP and DNS spoofing, SSL stripping, session and email hijacking — all exploit weak network trust or encryption. Strong encryption (HTTPS/TLS, HSTS), caution on public Wi-Fi, VPNs, phishing-resistant MFA, and certificate validation are the core defenses. To track interception techniques and exposed-credential reporting, follow our live threat intelligence feed, aggregated from dozens of authoritative sources.
Frequently asked questions
What is a man-in-the-middle attack?
A man-in-the-middle (MITM) attack is one where an attacker secretly positions themselves between two communicating parties to intercept, eavesdrop on, or alter the data passing between them. Both parties believe they are communicating directly and securely, unaware of the attacker in the middle.
What are common types of MITM attacks?
Common types include evil-twin Wi-Fi hotspots, ARP spoofing, DNS spoofing, HTTPS spoofing and SSL stripping, session hijacking (stealing session cookies), and email hijacking used in business email compromise. All exploit weak network trust or encryption.
How do you prevent man-in-the-middle attacks?
Use strong encryption (HTTPS/TLS) and enable HSTS, avoid sensitive activity on public Wi-Fi or use a reputable VPN, use phishing-resistant MFA, validate certificates and use certificate pinning in apps, secure your local network against ARP/DNS spoofing, and keep software patched.
Is public Wi-Fi safe from MITM attacks?
Public Wi-Fi is the classic environment for man-in-the-middle attacks, including evil-twin hotspots. Avoid logging into sensitive accounts on public networks, and if you must use them, route your traffic through a reputable VPN so it is encrypted end to end.
How does HTTPS protect against MITM attacks?
HTTPS uses TLS encryption so that intercepted traffic is unreadable, and certificate validation helps confirm you're connected to the genuine server. Attackers must defeat or strip that encryption to succeed, which is why SSL stripping and fake certificates are common MITM techniques — and why HSTS and certificate checks matter.