
Man in the Middle Attack

Learn how man-in-the-middle attacks work, key techniques, and best practices to detect and prevent MITM threats.

What is a man in the middle attack?

A man in the middle attack is when an attacker secretly positions themselves between two parties to intercept or alter their communication.

A MITM attack is also called on-path, adversary-in-the-middle, or person-in-the-middle. This type of attack can show up anywhere two endpoints exchange information, from a user and a web application to two microservices inside a VPC.

Classic targets include login credentials, session cookies, tokens, and other sensitive data moving across network traffic. The attacker’s core advantage is invisibility. If neither side realizes a third party is relaying the conversation, the attacker can quietly read, modify, or drop messages.

How does a man in the middle attack work in practice?

Most MITM attacks follow two phases: interception, which inserts the attacker into the path, followed by decryption or manipulation, which turns raw access into usable data.

Interception places the attacker on the communication path. On local networks, this often comes from ARP spoofing that tricks devices into sending traffic to the attacker’s MAC address instead of the real gateway. In the browser, it can be a proxy that sits between the user and a site’s TLS session. In wireless spaces, it can be a rogue access point with a matching SSID that lures devices to connect.

Decryption or manipulation turns passive interception into theft or fraud. Attackers may downgrade or strip TLS, harvest session tokens, or inject malicious JavaScript. Even if encryption remains intact, a MITM can block MFA prompts, replay requests, or force sign-ins across a fake portal to capture login credentials.

What are the stages of a man in the middle attack?

A typical MITM unfolds as discovery, interception, and exploitation, each with one clear goal.

  1. Discovery. Scan the target environment to find routes, devices, and protocols that allow on-path positioning.
  2. Interception. Divert traffic toward attacker-controlled hardware or software using techniques like ARP spoofing, DNS spoofing, or a rogue Wi-Fi base station.
  3. Exploitation. Eavesdrop, modify, or inject traffic to steal sensitive data, hijack sessions, or trigger fraudulent actions. On the web, this often means TLS downgrade or token theft.

Which techniques are used in a man in the middle attack?

Attackers mix network, web, and wireless tricks to sit in the path and control the flow.

  • ARP spoofing. Broadcast forged ARP replies so victims map the attacker’s MAC to the gateway IP address, funneling network traffic through the attacker. Common on shared LANs and public Wi-Fi.
  • DNS spoofing or poisoning. Tamper with DNS answers so a victim resolves a trusted domain to the attacker’s server, often hosting a look-alike web application.
  • SSL stripping or TLS downgrade. Coerce a browser to use HTTP or older TLS so the attacker can read and alter traffic. The approach was popularized in a 2009 Black Hat talk by Moxie Marlinspike.
  • Evil twin Wi-Fi. Create a malicious access point using a legitimate SSID to attract clients, then intercept traffic or force captive-portal logins. Real-world assessments have shown credential capture through evil twins.
  • Man-in-the-browser (MitB). Use malware in the browser to hook APIs and alter page content or transactions locally, often for fraud against online banking.
  • Session hijacking. Steal or predict session tokens to impersonate users without re-authenticating, sometimes aided by MITM collection of cookies over weak transport.

How common are man in the middle attacks today?

MITM shows up within broader credential-theft and session-takeover trends, including adversary-in-the-middle phishing kits that bypass MFA.

The Verizon 2025 Data Breach Investigations Report analyzed over 22,000 incidents and 12,000 confirmed breaches and highlights credential theft and MFA bypass patterns, which include adversary-in-the-middle techniques.

Organizations continue to face rising breach costs. IBM’s Cost of a Data Breach research reports an average global breach cost around $4.4 million in recent years, with higher figures in the United States. 

Bottom line: MITM is not the top vector by volume, but it remains a dependable tool inside credential and session-focused campaigns, especially where TLS, Wi-Fi, or MFA implementations are weak.

What data is typically targeted in a man in the middle attack?

Attackers chase secrets in transit like login credentials, one-time codes, session cookies, and API tokens that unlock valuable accounts and services.

After initial interception, the focus shifts to extracting password fields submitted to a phishing proxy, capturing SSO assertions, or modifying payment and banking fields in a web application session. In MitB (man in the browser), form fields can be altered on the fly before submission, which is why financial services remain frequent targets.

What are some real-life MITM examples?

  • Evil twin assessments. A U.S. Inspector General audit documented credential capture via evil twin access points, noting that the recovered credentials could then be used for internal reconnaissance.
  • IoT over Wi-Fi. NIST’s National Vulnerability Database includes a case where devices could be forced to connect to an attacker’s stronger, unencrypted SSID, similar to an evil twin setup.
  • MFA bypass via AitM. Modern phishing kits proxy real logins to harvest tokens, then replay them to cloud services, an approach covered widely in enterprise SaaS security guidance and analysis.

How do I detect a man in the middle attack on my network?

Look for anomalies in certificates, TLS versions, ARP tables, DNS answers, and Wi-Fi beacons, then verify with active probing.

  • Certificate checks. Mismatched domains, unexpected issuers, or sudden shifts from TLS 1.3 to older versions should trigger alarms. Enterprise certificate management helps curb expired or mis-issued certs that users might accept. 
  • ARP inspection. Monitor for duplicate IP address to MAC mappings or fast-flapping ARP entries that indicate ARP spoofing.
  • DNS integrity. Compare resolver responses against known-good sources and enable DNSSEC where supported to prevent DNS spoofing.
  • Wi-Fi telemetry. Flag SSID duplicates, unusual RSSI jumps, or rogue APs broadcasting familiar names.
  • Browser signals. HSTS failures, “Not Secure” warnings, or certificate prompts during normal logins can indicate on-path manipulation.
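The ARP inspection and certificate checks above, as an added example that is not part of the original article. It diffs two snapshots of a host's neighbour table in the style of `ip neigh show` (both snapshots are constructed samples, not captured from a real network) and flags a gateway whose MAC changed or a single MAC claiming several IPs, then checks a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()` against an expected hostname and issuer. The gateway address, the issuer name and the sample certificate are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample `ip neigh show` output: a clean baseline and a later snapshot.
ARP_BASELINE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.21 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
"""
ARP_CURRENT = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:99 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.21 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:99 REACHABLE
"""
GATEWAY_IP = "192.168.1.1"  # assumed default gateway for the sample LAN

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>[0-9a-f:]{17})", re.IGNORECASE
)


def parse_neigh_table(text):
    """Map IP -> lower-cased MAC; entries without an lladdr (e.g. FAILED) are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def detect_arp_anomalies(baseline, current, gateway_ip):
    """Return human-readable findings for the two classic ARP spoofing symptoms."""
    findings = []
    # 1. The gateway's MAC silently changed between snapshots.
    if gateway_ip in baseline and gateway_ip in current and baseline[gateway_ip] != current[gateway_ip]:
        findings.append(
            f"gateway {gateway_ip} changed MAC {baseline[gateway_ip]} -> {current[gateway_ip]}"
        )
    # 2. One MAC answers for several IPs. Legitimate for some routers and VRRP
    #    setups, so treat it as a signal to verify rather than proof on its own.
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return findings


# Constructed certificate in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "login.example.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example CA"),),
        (("commonName", "Example Issuing CA R1"),),
    ),
    "subjectAltName": (("DNS", "login.example.test"), ("DNS", "*.example.test")),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}


def _san_matches(hostname, sans):
    """Exact SAN match or a single-label wildcard on the parent domain."""
    if hostname in sans:
        return True
    parent = hostname.split(".", 1)[1] if "." in hostname else ""
    return parent != "" and f"*.{parent}" in sans


def check_peer_cert(cert, hostname, expected_issuer_cn):
    """Flag hostname mismatches and unexpected issuers (the 'certificate checks' signal)."""
    findings = []
    sans = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    if not _san_matches(hostname, sans):
        findings.append(f"hostname {hostname} not covered by SANs {sorted(sans)}")
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if issuer.get("commonName") != expected_issuer_cn:
        findings.append(f"unexpected issuer {issuer.get('commonName')!r}")
    return findings


if __name__ == "__main__":
    for f in detect_arp_anomalies(parse_neigh_table(ARP_BASELINE), parse_neigh_table(ARP_CURRENT), GATEWAY_IP):
        print("ARP:", f)
    for f in check_peer_cert(SAMPLE_CERT, "login.example.test", "Example Issuing CA R1"):
        print("TLS:", f)
```

In practice the baseline is captured when the network is known to be clean and the current snapshot is polled periodically; the certificate check runs on the `getpeercert()` result of a live connection, with the expected issuer taken from your certificate inventory rather than hard-coded.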

How can I prevent man in the middle attacks?

The main tactics for preventing MITM attacks are to harden transport, bind authentication to the origin, reduce session reuse, verify name resolution, and monitor for on-path anomalies.

Transport and certificates

  • Enforce TLS 1.3 with modern cipher suites and OCSP stapling.
  • Turn on HSTS and consider preload to block SSL stripping. 
  • Automate certificate issuance and renewal, and alert on chain or hostname mismatches.

Authentication and sessions

  • Use phishing-resistant MFA such as FIDO2 WebAuthn or PIV. 
  • Shorten token lifetimes, rotate after privilege changes, and set Secure and HttpOnly on cookies.
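The transport items above (TLS 1.3, HSTS) and the cookie attributes in this section, as an added example that is not part of the original article. It builds a client-side TLS context that refuses anything below TLS 1.3 and keeps chain and hostname verification on, and audits a server's response headers for an HSTS policy of at least one year with `includeSubDomains` and for `Secure`, `HttpOnly` and `SameSite` on every `Set-Cookie`. The two header sets are constructed samples, one weak and one hardened; the one-year threshold is the common preload-list requirement and is an assumption here.

```python
import ssl
from http.cookies import SimpleCookie

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for this audit


def strict_client_context():
    """TLS context for outbound calls: TLS 1.3 only, chain and hostname verified."""
    ctx = ssl.create_default_context()  # check_hostname=True, verify_mode=CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # refuse downgrade to 1.2 or older
    return ctx


def audit_hsts(value):
    """Findings for a Strict-Transport-Security header value (None = header absent)."""
    if value is None:
        return ["HSTS header missing (SSL stripping possible on first visit)"]
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            directives[key.strip().lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    findings = []
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings


def audit_set_cookie(value):
    """Findings for one Set-Cookie header: each cookie needs Secure, HttpOnly and SameSite."""
    jar = SimpleCookie()
    jar.load(value)
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"cookie {name} lacks Secure")
        if not morsel["httponly"]:
            findings.append(f"cookie {name} lacks HttpOnly")
        if not morsel["samesite"]:
            findings.append(f"cookie {name} lacks SameSite")
    return findings


def audit_response(headers):
    """headers: list of (name, value) pairs as a server would emit them."""
    hsts = None
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts = value
        elif lname == "set-cookie":
            findings.extend(audit_set_cookie(value))
    return audit_hsts(hsts) + findings


# Constructed sample responses: a weak one and its hardened counterpart.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    print("weak:", audit_response(WEAK_HEADERS))
    print("hardened:", audit_response(HARDENED_HEADERS))
    print("min TLS:", strict_client_context().minimum_version)
```

HSTS only protects visits after the browser has seen the header once over HTTPS; the `preload` directive closes that first-visit gap once the domain is submitted to the browser preload list, which is why the hardened sample includes it.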

DNS and Wi-Fi

  • Validate DNS with DNSSEC and prefer DoH or DoT where feasible. 
  • Require WPA3 with Protected Management Frames and avoid open SSIDs.

Network controls

  • Segment broadcast domains and enable Dynamic ARP Inspection and DHCP Snooping on managed switches.

Monitoring and detection

  • Alert on TLS downgrades, unexpected issuers, and HSTS gaps. 
  • Watch for duplicate IP to MAC mappings and fast ARP changes.
  • Monitor for duplicate SSIDs or unfamiliar BSSIDs that suggest evil twins.

User safeguards

  • Train users to reject certificate warnings, verify URLs, and avoid look-alike SSIDs. Encourage password managers that autofill only on exact domains.

Incident response

  • Revoke tokens, force reauthentication with MFA, and hunt for token reuse from unusual networks after suspected AitM. 

How does Frontegg help reduce exposure to man in the middle attacks?

Frontegg focuses on identity hardening that removes common MITM payoffs like reusable passwords and long-lived tokens.

  • Phishing-resistant MFA options. Support for modern MFA methods helps reduce the impact of adversary-in-the-middle phishing that targets one-time codes.
  • Session security controls. Fine-grained token lifetimes, rotation after privilege changes, and enforced Secure and HttpOnly cookie attributes limit session hijacking windows.
  • Centralized policies across tenants and apps. Consistent TLS and authentication requirements help keep identity front doors aligned with current standards.

Frontegg does not replace transport security. Organizations should combine product-level identity controls with network and browser defenses recommended by NIST, OWASP, and CISA to close MITM gaps end to end.