What is a Man-in-the-Middle Attack? Definition & Explanation
A Man-in-the-Middle (MITM) attack is a cyberattack in which an adversary secretly intercepts and potentially alters communications between two parties who believe they are directly communicating with each other. MITM attacks enable credential theft, session hijacking, and silent data manipulation.
In-Depth Explanation
MITM techniques include ARP spoofing on local networks (poisoning ARP caches to redirect traffic through the attacker), DNS spoofing (returning attacker-controlled IPs), rogue Wi-Fi access points (evil twin attacks in coffee shops/airports), SSL stripping (downgrading HTTPS to HTTP via tools like sslstrip), HTTPS-aware MITM with malicious or compromised certificates (used historically by Superfish on Lenovo laptops, by some corporate proxies, and by nation-state actors with stolen CA certificates), session hijacking via stolen cookies (often through XSS), and BGP hijacking for internet-scale interception.

Modern MITM attacks against authentication use Adversary-in-the-Middle (AiTM) phishing kits like Evilginx2 and Modlishka that proxy entire login flows and steal authenticated session cookies — bypassing MFA.

Defenses include universal HTTPS (HSTS preload list), Certificate Transparency (CT) monitoring, certificate pinning in mobile apps, DNSSEC, encrypted DNS (DoH/DoT), VPNs on untrusted networks, FIDO2 hardware keys (which include channel binding, defeating AiTM), and HttpOnly/Secure/SameSite cookie flags.
Why It Matters for Security
MITM attacks are the foundational threat that motivated the entire HTTPS-everywhere movement. Modern Adversary-in-the-Middle phishing kits like Evilginx2 are now the dominant credential-theft technique against organizations using SMS/push MFA — they steal authenticated session cookies in real time, defeating most MFA implementations. Phishing-resistant FIDO2 hardware keys are the only widely-deployed authentication factor that fully defeats AiTM.
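To make concrete why FIDO2/WebAuthn resists the AiTM kits described in the explanation and in this section, here is an added Python simulation of the relying-party checks; it is not code from this page or from any tool named on it. The browser, not the page, writes the origin it is actually connected to into the signed client data, so a proxied login fails the origin check and any edit to that data breaks the signature. The HMAC key standing in for the credential's asymmetric key pair and the bank.example relying party are assumptions.

```python
import hashlib, hmac, json, secrets
# Constructed demo: a shared HMAC key stands in for the credential's asymmetric
# key pair (assumption), and the relying party (RP) below is hypothetical.
RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"
CREDENTIAL_KEY = secrets.token_bytes(32)    # would be the registered public key

def to_be_signed(auth_data: bytes, client_data: bytes) -> bytes:
    return auth_data + hashlib.sha256(client_data).digest()   # WebAuthn layout

def authenticator_get(challenge: bytes, browser_origin: str) -> dict:
    """Browser + authenticator side: the browser records the origin it really sees."""
    rp_id = browser_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": browser_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()    # rpIdHash (flags omitted)
    sig = hmac.new(CREDENTIAL_KEY, to_be_signed(auth_data, client_data),
                   hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def rp_verify(challenge: bytes, a: dict) -> tuple[bool, str]:
    """RP-side checks in WebAuthn order; the first failure is reported."""
    cd = json.loads(a["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if a["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(CREDENTIAL_KEY, to_be_signed(a["auth_data"], a["client_data"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, a["sig"]):
        return False, "bad signature"
    return True, "ok"

def login_attempt(browser_origin: str, proxy_rewrites: bool = False) -> tuple[bool, str]:
    """One ceremony; an AiTM proxy relays the RP's real challenge and may patch fields."""
    challenge = secrets.token_bytes(32)
    a = authenticator_get(challenge, browser_origin)
    if proxy_rewrites:   # proxy patches origin and rpIdHash to look legitimate
        cd = json.loads(a["client_data"]); cd["origin"] = RP_ORIGIN
        a["client_data"] = json.dumps(cd).encode()
        a["auth_data"] = hashlib.sha256(RP_ID.encode()).digest()
    return rp_verify(challenge, a)       # only the genuine origin passes

if __name__ == "__main__":
    print("legitimate:", login_attempt(RP_ORIGIN))
    print("AiTM relay:", login_attempt("https://bank-example.proxy.invalid"))
    print("AiTM edit :", login_attempt("https://bank-example.proxy.invalid", True))
```

Contrast this with a password or SMS/push code, which carries no origin at all and relays through a proxy unchanged.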
Related Tools
- Nmap
Industry-standard network scanner for port scanning, service and OS detection.
- Wireshark
Open-source network protocol analyzer for deep packet inspection and forensics.
- Abnormal ICES Platform
Integrated cloud email security replacing legacy SEGs with behavioral AI threat detection.
Frequently Asked Questions
What does a Man-in-the-Middle Attack mean in cybersecurity?
A Man-in-the-Middle (MITM) attack in cybersecurity is when an attacker secretly intercepts and potentially alters communications between two parties who believe they are talking directly to each other — enabling credential theft, session hijacking, and silent data manipulation.
Why is a Man-in-the-Middle Attack important?
MITM attacks matter because modern Adversary-in-the-Middle phishing kits (Evilginx2, Modlishka) now defeat most MFA implementations by stealing authenticated session cookies in real time. Phishing-resistant FIDO2 hardware keys are the only widely-available authentication factor that fully prevents MITM-based account takeover.