A Man in the Middle (MitM) attack intercepts the traffic between two parties without either of them detecting it. The attacker positions themselves in the middle of the communication, reads or modifies the content and forwards it so the session looks normal. The term literally means "man in the middle"; some texts now replace it with "Adversary in the Middle" (AitM) to better reflect the professional context. It remains one of the first attack categories taught in any network course and, at the same time, one of those most often hiding behind serious incidents when combined with modern techniques like MFA bypass with evilginx-style proxies.
This guide explains what a MitM actually is, the six vectors appearing in the real world (ARP poisoning, DNS spoofing, evil twin Wi-Fi, SSL stripping, session hijacking, BGP hijacking), documented cases and how to defend with HSTS, certificate pinning, phishing-resistant MFA and network segmentation. Oriented to defensive teams, red teams and administrators who want to understand what still gets through today.
What a Man in the Middle attack is
A MitM is an active interception of communication between two legitimate ends. The attacker has to achieve three things:
- Position themselves on the path, physical or logical, between the two parties.
- Capture the traffic going through.
- Keep the communication alive so victims don't detect anomalies.
What it gives the attacker:
- Reading credentials and sensitive data that travel in clear or that the attacker can decrypt.
- Modifying transactions (changing the destination of a bank transfer, altering email content).
- Capturing sessions and reusing them to log in as the legitimate user.
- Payload injection (downgrade to HTTP, malware in responses).
- MFA bypass with modern proxies that forward challenges in real time.
What limits the attacker in 2026:
- TLS 1.2/1.3 widespread and HSTS policies reduce capture in clear.
- Certificate pinning in mobile applications blocks a MitM with a certificate issued by a legitimate CA.
- DNSSEC and DoH/DoT complicate resolution poisoning.
- Modern detection in corporate Wi-Fi and EDR catches many common vectors.
But none of these defences is universal. Where they aren't applied, MitM remains a real vector.
Six real-world MitM vectors
1. ARP Spoofing / ARP Poisoning
The attacker on the same LAN sends fake ARP packets associating their MAC with the gateway's IP. Victim hosts send traffic to the attacker thinking it's the gateway. The attacker forwards traffic to the real gateway so the connection works while capturing everything passing through.
Classic vector against flat corporate Wi-Fi without proper segmentation or old industrial networks. Tools: Ettercap, bettercap, arpspoof.
Defence: VLANs and proper segmentation, ARP inspection on managed switches, port security, EDR with network module.
2. DNS Spoofing
The attacker manipulates DNS resolution so mybank.com resolves to an attacker-controlled IP. It's the basis of pharming: same name, different IP, fake site.
Four variants: local modification of the hosts file by a trojan, home router compromise, upstream DNS server poisoning, redirection at the ISP or registrar level.
Defence: DNSSEC on own zones and validating resolvers, DoH/DoT on clients, monitoring of DNS changes, certificate pinning to detect the difference.
3. Evil Twin Wi-Fi
The attacker stands up a Wi-Fi access point with an SSID identical to the legitimate one (STARBUCKS_FREE, AIRPORT_GUEST) and stronger signal. Victim devices connect automatically and all traffic goes through the controlled access point.
Combined with scripts like WiFi Pumpkin or airbase-ng, it can serve fake captive portals and steal credentials for email, social networks or corporate VPN.
Dominant vector at airports, events, coworking spaces and shopping areas. The main enterprise defence is always-on VPN that avoids trusting any intermediate network, certificate pinning in corporate apps and training for employees who travel frequently.
4. SSL Stripping
Technique documented by Moxie Marlinspike (2009). The attacker intercepts the initial HTTP requests the browser makes before being redirected to HTTPS. When the server responds with 301 Moved Permanently to https://, the attacker rewrites the response so the victim stays on HTTP. Everything is captured in clear.
Main mitigation: HSTS (HTTP Strict Transport Security) with preload, which tells the browser "this domain is only accessed over HTTPS, now and forever". If the domain is on the modern browsers' preload list, not even the first connection goes over HTTP.
Modern caveat: many sites still don't include HSTS preload. SSL stripping remains viable against them.
5. Session Hijacking
The attacker captures the user's session cookie (typically via network MitM, XSS or theft from the device) and presents it to the server as their own. If the cookie is valid, they access as the user without needing credentials.
Modern cases: MFA bypass with phishing kits like evilginx2, modlishka or EvilProxy. The attacker stands up a proxy serving a replica of the legitimate site. The victim enters credentials and the MFA code in the proxy; it forwards them to the real site, captures the issued session cookie and keeps it. The victim notices a strange login late or never.
Main defence: phishing-resistant MFA (FIDO2/WebAuthn) that binds the signature to the real URL and blocks proxies; cookies with Secure, HttpOnly, SameSite=Strict flags; token rotation; short lifetime.
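Why FIDO2/WebAuthn survives an AitM proxy where TOTP and SMS codes do not: the browser writes the page's real origin into clientDataJSON and refuses an rpId that does not match it, and the authenticator signs a hash of that data, so the relying party can reject an assertion produced on a proxy domain. The following is an added Python example (not code from the original article or from any WebAuthn library); the rpId, origin, credential key and HMAC stand-in for the authenticator signature are constructed assumptions.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlparse

RP_ID = "login.example.com"               # assumed relying-party id (constructed)
RP_ORIGIN = "https://login.example.com"   # origin the RP expects in clientDataJSON

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def authenticator_sign(cred_key: bytes, auth_data: bytes, client_data_hash: bytes) -> bytes:
    # Stand-in for the authenticator's asymmetric signature (real keys use ECDSA/EdDSA);
    # HMAC keeps the example stdlib-only. The signed message is the same: authData || hash(clientDataJSON).
    return hmac.new(cred_key, auth_data + client_data_hash, hashlib.sha256).digest()

def browser_assert(page_origin: str, challenge: bytes, cred_key: bytes, enforce_rp_id: bool = True):
    """Browser + authenticator side of navigator.credentials.get(). Returns None if the browser refuses."""
    host = urlparse(page_origin).hostname or ""
    # The browser only allows an rpId equal to, or a registrable suffix of, the page's real origin.
    if enforce_rp_id and not (host == RP_ID or host.endswith("." + RP_ID)):
        return None
    # The browser, not the page script, writes the actual origin into clientDataJSON.
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, separators=(",", ":")).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")  # rpIdHash, flags=UP, counter
    signature = authenticator_sign(cred_key, auth_data, hashlib.sha256(client_data).digest())
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}

def rp_verify(assertion: dict, expected_challenge: bytes, cred_key: bytes) -> str:
    """Relying-party checks in the order the WebAuthn spec lists them; returns 'ok' or the failing check."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return "type mismatch"
    if client_data.get("challenge") != b64url(expected_challenge):
        return "challenge mismatch"
    if client_data.get("origin") != RP_ORIGIN:
        return "origin mismatch"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    expected = authenticator_sign(cred_key, auth_data, hashlib.sha256(assertion["clientDataJSON"]).digest())
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "signature invalid"
    return "ok"

if __name__ == "__main__":
    key, challenge = b"constructed-credential-key", bytes(range(32))
    print(rp_verify(browser_assert(RP_ORIGIN, challenge, key), challenge, key))        # ok
    print(browser_assert("https://login.example-proxy.test", challenge, key))         # None: browser refuses the rpId
    relayed = browser_assert("https://login.example-proxy.test", challenge, key, enforce_rp_id=False)
    print(rp_verify(relayed, challenge, key))                                         # origin mismatch
```

The proxy scenario fails twice over: a conforming browser on the proxy origin never produces the assertion, and even a non-conforming one would yield a clientDataJSON whose origin the relying party rejects.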
More detail on the token family in the JWT security guide.
6. BGP Hijacking
At the Internet level, an attacking AS announces IP prefixes that don't belong to it. Transit BGP routers accept the announcement and start sending traffic to the attacking AS. It becomes a MitM variant when the attacker, besides diverting the traffic, forwards it to the original destination to keep the session alive.
Documented cases: hijack of Visa prefixes, Cloudflare, several DNS root routes. A vector of little relevance to mid-sized enterprises (it operates at Internet scale), but relevant to carriers and companies with their own connectivity.
Defence: RPKI with signed ROAs, monitoring of BGP announcements for the organisation's own prefixes (services like BGPmon, MANRS).
Documented real cases
Operation Aurora (2009-2010, attributed to Chinese actors against Google and other companies). Combined MitM on compromised infrastructure with browser vulnerability exploitation to infiltrate corporate networks.
Lenovo Superfish (2014-2015). Adware preinstalled on Lenovo laptops installed its own root certificate and allowed transparent TLS MitM to inject advertising. Whether by accident or not, it opened a massive MitM hole on machines sold for months. Lenovo issued removal tools after public pressure.
Hacking Team / FinFisher (2015). Leaks from the Italian spyware vendor showed MitM capabilities against mobile apps via certificates issued by CAs compromised by state actors.
EvilProxy and AitM phishing attacks (2022-2026). SaaS platforms offering modern MitM as a service. They've raised the defensive cost: classic TOTP and SMS MFA no longer protect against these kits. Adoption of FIDO2/WebAuthn on privileged accounts moves from "good practice" to "essential".
Volt Typhoon attack (2023, attributed to Chinese actors). Compromised SOHO routers in the United States and used them as intermediate infrastructure in operations against critical infrastructure. Routers served as MitM and persistent redirection points.
How it gets detected
Seven fronts covered by a modern defensive team.
Corporate network monitoring. NDR (Network Detection and Response) with detection of anomalous ARP patterns, gateway change spikes, traffic toward unexpected IPs. SIEM with public Sigma rules for evil twin and ARP poisoning.
Centralised DNS telemetry. Detection of resolutions to unexpected IPs for corporate domains, homograph domains. Detail in the guide on what a SIEM is.
Certificate Transparency monitoring. Services that alert when a certificate appears for a corporate domain issued by an unexpected CA. A sign that a MitM with a valid certificate is being prepared.
EDR with network module. Detects gateway changes, new root certificates, anomalous DNS configurations on endpoints. Detail in the guide on what an EDR is.
AitM proxy detection. Platforms like Microsoft Defender for Cloud Apps, Okta ThreatInsight identify logins from known evilginx infrastructure.
Geolocation and device fingerprint anomalies. Logins coming from the ASN of an AitM proxy even though the credentials are correct: a signal of a recent session hijack.
Physical inspection. In sensitive environments, periodic review of corporate Wi-Fi, scanning of duplicate SSIDs, removal of poorly segmented guest networks.
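One way to implement the "anomalous ARP patterns" and "gateway change spikes" detection listed under corporate network monitoring above, which also illustrates the ARP poisoning vector from section 1, as an added Python example that is not part of the original article. The gateway address, thresholds and the sample ARP replies are constructed assumptions.

```python
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"  # assumed gateway address for the segment

# Constructed ARP replies as (seconds, sender_ip, sender_mac); not captured from a real network.
SAMPLE_ARP_REPLIES = [
    (0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),    # gateway announces its real MAC
    (5, "10.0.0.20", "aa:aa:aa:aa:aa:20"),   # ordinary host
    (30, "10.0.0.1", "de:ad:be:ef:00:01"),   # gateway IP now claimed by another MAC
    (31, "10.0.0.20", "de:ad:be:ef:00:01"),  # same MAC also claims the host (both directions poisoned)
    (34, "10.0.0.1", "aa:aa:aa:aa:aa:01"),   # real gateway answers again
    (35, "10.0.0.1", "de:ad:be:ef:00:01"),   # attacker re-poisons
]

def detect_arp_poisoning(replies, gateway_ip, window=60, flap_threshold=3):
    """Return indicators: IP-to-MAC changes, MACs claiming several IPs, and gateway MAC flapping."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    mac_changes = []        # (ts, ip, old_mac, new_mac)
    gateway_change_ts = []
    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            mac_changes.append((ts, ip, prev, mac))
            if ip == gateway_ip:
                gateway_change_ts.append(ts)
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    multi_ip_macs = {m: sorted(ips) for m, ips in mac_to_ips.items() if len(ips) > 1}
    # Gateway MAC flapping: at least flap_threshold changes inside any `window` seconds.
    flapping = any(
        gateway_change_ts[i + flap_threshold - 1] - gateway_change_ts[i] <= window
        for i in range(len(gateway_change_ts) - flap_threshold + 1)
    )
    return {"mac_changes": mac_changes, "multi_ip_macs": multi_ip_macs, "gateway_flapping": flapping}

if __name__ == "__main__":
    result = detect_arp_poisoning(SAMPLE_ARP_REPLIES, GATEWAY_IP)
    for ts, ip, old, new in result["mac_changes"]:
        print(f"{ts:>4}s  {ip} moved from {old} to {new}")
    print("MACs claiming several IPs:", result["multi_ip_macs"])
    print("gateway MAC flapping:", result["gateway_flapping"])
```

Feed it ARP replies from a packet capture or from the switch's dynamic ARP inspection logs; legitimate VRRP/HSRP failover also changes the gateway MAC, so keep an allowlist of expected gateway MACs to cut false positives.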
How to protect
The measures that actually close the door, ordered by impact.
- Phishing-resistant MFA (FIDO2/WebAuthn). Blocks evilginx-style AitM kits because the signature binds to the real URL. The most important modern defence. SMS and TOTP are no longer enough for privileged accounts.
- HSTS with preload on every corporate domain. Closes SSL stripping almost completely.
- Certificate pinning in mobile applications. Blocks MitM with certificates legitimately issued from compromised CAs.
- Always-on VPN on corporate endpoints. Reduces the risk of evil twin and hostile intermediate networks.
- Network segmentation and separate guest-corporate Wi-Fi with 802.1X authentication. Reduces ARP poisoning.
- DNSSEC + DoH/DoT for client-validated resolution.
- Cookies with appropriate flags: Secure, HttpOnly, SameSite=Strict by default.
- Short-lived tokens and sessions. Rotation, refresh tokens, invalidation after suspicious events.
- SOHO router policy: updated firmware, unique credentials, no exposed remote administration.
- Monitoring of the organisation's own domain in Certificate Transparency, registrars and BGP.
- Awareness. Employees who travel frequently trained on evil twin, AitM phishing and recognising the browser lock.
No measure closes the problem alone. Defence is layered and, in 2026, FIDO2 + HSTS + certificate pinning solve the bulk of realistic scenarios.
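A header audit that checks the two configuration items this section and the SSL stripping section call for: an HSTS policy that qualifies for the preload list (max-age of at least one year, includeSubDomains, preload) and session cookies carrying Secure, HttpOnly and SameSite=Strict. Added Python example, not code from the original article; the sample responses are constructed.

```python
ONE_YEAR = 31536000  # minimum max-age the HSTS preload list requires

def parse_directives(value: str) -> dict:
    """Split 'a=b; c; d=e' style header values into a lowercase-keyed dict."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"')
    return out

def audit_hsts(headers: dict) -> list:
    """headers: response headers with lowercase names. Empty result means the policy is preload-ready."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header: every first visit starts in plain HTTP"]
    d = parse_directives(value)
    try:
        max_age = int(d.get("max-age", "0"))
    except ValueError:
        max_age = 0
    findings = []
    if max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below the one-year preload minimum")
    if "includesubdomains" not in d:
        findings.append("missing includeSubDomains: subdomains stay strippable")
    if "preload" not in d:
        findings.append("missing preload: domain cannot enter the browser preload list")
    return findings

def audit_cookies(set_cookie_values: list) -> list:
    """Check each Set-Cookie value for the flags a session cookie needs against MitM and hijacking."""
    findings = []
    for raw in set_cookie_values:
        name = raw.split(";", 1)[0].split("=", 1)[0].strip()
        attrs = parse_directives(raw.split(";", 1)[1] if ";" in raw else "")
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure (sent in clear after an SSL strip)")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly (readable by injected script)")
        if attrs.get("samesite", "").lower() != "strict":
            findings.append(f"{name}: SameSite is '{attrs.get('samesite', 'unset')}', expected Strict")
    return findings

# Constructed sample responses, not captured from a real site.
WEAK_HEADERS = {"strict-transport-security": "max-age=300"}
WEAK_COOKIES = ["sessionid=abc123; Path=/"]
HARDENED_HEADERS = {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"}
HARDENED_COOKIES = ["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"]
```

Preload submission additionally requires that plain-HTTP requests redirect to HTTPS, which a header-only check cannot see; and where cross-site top-level navigation must carry the cookie, SameSite=Lax is the usual compromise and should be reported rather than treated as a hard failure.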
MitM in Red Team pentesting
In a professional Red Team exercise, MitM typically appears in these phases:
- Corporate Wi-Fi reconnaissance at physically accessible offices: poorly segmented guest SSIDs, legacy networks with known WPA2-PSK.
- LAN positioning after initial access via phishing or vulnerability: ARP poisoning to capture internal traffic, NTLM relay (classic MitM technique) against misconfigured services.
- AitM phishing against M365 or Workspace corporate portals, collecting session cookies later reused for persistent access.
- Defence validation. The operator tests whether the organisation detects AitM proxies, evil twin or ARP poisoning as part of the deliverable.
Methodology detail in the Red Team business guide and in infrastructure pentesting.
Compliance fit
Poorly mitigated MitM is a non-compliance finding that auditors can sustain under current frameworks:
- NIS2 (article 21). Risk management measures, including network and communications security. Without HSTS, certificate pinning and strong MFA the non-compliance finding is easy to sustain.
- DORA (article 9). ICT resilience in financial services. Financial entities are preferred targets for AitM phishing against clients and employees.
- ISO 27001:2022 (controls 8.20 secure networks, 8.21 network services, 8.5 secure authentication). Auditable documentation and configuration.
- ENS Royal Decree 311/2022. Measures op.exp.10 (information in transit) and op.acc (access control).
- PCI DSS v4.0 (req. 4 encrypted transmission, req. 8 strong authentication).
- GDPR. A successful interception with personal data exfiltration is a notifiable breach.
Frequently asked questions
Is using public Wi-Fi with HTTPS safe?
Reasonably yes for sites with HSTS preload and certificates properly validated by the browser. There's still risk on sites without HSTS, on apps that don't validate certificates correctly and on evil twin scenarios combined with a captive portal. For corporate or critical users, always-on VPN is the answer.
Does a VPN avoid every MitM attack?
Not all of them. It avoids ARP poisoning, evil twin and SSL strip inside the local network because traffic goes encrypted inside the tunnel up to the VPN endpoint. It doesn't avoid attacks after the VPN endpoint nor AitM proxies against web portals (the VPN doesn't protect against phishing).
How do I detect I'm under MitM in my browser?
Quick clues: browser warning about the certificate, missing lock, domain with strange characters, unexpected redirection to HTTP. Advanced clues: Certificate Transparency mismatches, HSTS not respected. For technical users, Wireshark on one's own connection shows anomalies. For corporate users, the EDR should alert.
Does SMS MFA protect against MitM?
Only partially and in old scenarios. Against modern kits (evilginx, EvilProxy, Modlishka) SMS and TOTP MFA fall just like the password, because the proxy forwards the code to the real site and captures the issued session cookie. The real defence is FIDO2/WebAuthn or physical keys like YubiKey.
What's the relationship between MitM and pharming?
Pharming is a MitM variant focused on name resolution: instead of intercepting traffic in transit, it manipulates which IP the victim connects to. Once the victim reaches the fake site, what follows is classic credential capture. The two terms overlap; in a modern enterprise they're treated as the same problem with different vectors.
Is MitM still viable in 2026?
Yes, especially with AitM kits against portals with weak MFA, evil twin on Wi-Fi networks, ARP poisoning on poorly segmented corporate LANs and manipulation at the SOHO router level. What has changed is the sophistication of commercial kits: AitM-as-a-service has lowered the technical barrier and increased the frequency.
Should a Red Team include MitM in scope?
Yes, especially AitM phishing and evil twin validation. If the organisation only trusts TOTP/SMS MFA, a controlled MitM reveals the real risk before a production attack. Operational details in the TIBER-EU and TLPT guide.
Related resources
- JWT and token security: the session format that modern MitM seeks to capture via AitM proxies.
- Web application pentesting: context where defences against SSL strip and session hijacking get audited.
- Red Team business guide: test type that validates resilience against combined MitM + phishing campaigns.
- What is social engineering: pillar covering AitM phishing within the broader discipline.
MitM auditing at Secra
At Secra we assess MitM exposure on three usual fronts: review of HSTS configuration, certificate pinning and cookie policies in the client's web and mobile applications; corporate Wi-Fi audit (segmentation, authentication, evil twin detection); controlled AitM phishing exercises against SSO portals to validate whether the client's MFA and SOC detect the pattern. If your organisation operates open corporate Wi-Fi, still depends on SMS or TOTP MFA on privileged accounts or has never audited the TLS stack of its critical applications, get in touch via contact or check our web and mobile audit service.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.