What is a man-in-the-middle attack?
A man-in-the-middle attack is a cyberattack where an attacker secretly intercepts and potentially alters communications between two parties who believe they are communicating directly with each other. This means attackers can steal credentials, capture sensitive data, or manipulate transactions without either party knowing the communication has been compromised.
The basic mechanics work like this: an attacker gains a position in the communication path, intercepts traffic flowing between sender and receiver, and can then passively eavesdrop or actively modify data before forwarding it to the intended recipient. Both parties believe they are talking directly to each other, but every message actually passes through the attacker first.
You may also see this attack referred to as an on-path attack, which is increasingly common in industry documentation, or adversary-in-the-middle, which is the terminology used in the MITRE ATT&CK framework (T1557). The core concept remains the same regardless of which name you encounter: someone is sitting in the middle of your communications, seeing or changing what passes through.
How do man-in-the-middle attacks work?
MITM attacks progress through three stages: gaining position in the communication path, accessing or decrypting traffic, and exploiting the intercepted data.
Interception: Gaining position
Attackers must first position themselves where traffic flows through their systems. At the network level, ARP spoofing redirects local traffic by associating the attacker's MAC address with a legitimate IP. DNS hijacking sends users to attacker-controlled servers. Rogue access points mimic legitimate WiFi networks.
At the application level, attackers deploy malicious proxies, use compromised certificates to decrypt traffic, or install browser extensions that intercept requests before they leave the user's machine.
Cloud environments introduce additional vectors: misconfigured security groups allowing unauthorized access between segments, exposed internal services reachable from compromised workloads, and insufficient network segmentation enabling lateral movement to interception points.
Decryption: Accessing encrypted traffic
Attackers rarely break encryption directly. Instead, they target authentication and handshake phases. SSL stripping downgrades HTTPS to HTTP by intercepting requests before encryption is established. Certificate spoofing presents fraudulent certificates while maintaining separate encrypted connections to legitimate servers. Downgrade attacks force connections to use weaker protocols with known vulnerabilities.
The 2011 DigiNotar breach demonstrated how certificate authority compromise enables large-scale MITM. Attackers issued fraudulent certificates for major domains including Google, enabling interception of Gmail traffic.
Data manipulation or theft
Once attackers access traffic, they can harvest credentials, steal session tokens, capture API keys, modify transactions, or exfiltrate data. Successful attacks lead to financial fraud, unauthorized access, data breaches, and supply chain compromise.
Common types of man-in-the-middle attacks
MITM is a category of techniques rather than a single attack. Understanding the variations helps you assess which threats apply to your infrastructure.
ARP spoofing: Address Resolution Protocol maps IP addresses to MAC addresses on local networks. Attackers send spoofed ARP messages to associate their MAC address with a legitimate IP (typically the default gateway), causing traffic destined for the internet to route through their machine first. This is primarily a local network attack, relevant for on-premises environments and situations where attackers already have network access.
DNS spoofing: DNS translates domain names to IP addresses. Attackers can poison DNS caches or compromise DNS servers to return incorrect addresses, redirecting users to attacker-controlled servers that may look identical to legitimate sites. In cloud environments, DNS misconfigurations can cause microservices to connect to malicious endpoints instead of legitimate internal services.
SSL/TLS hijacking: SSL stripping intercepts the initial HTTP request and prevents the upgrade to HTTPS. Certificate spoofing presents fraudulent certificates to establish encrypted sessions with victims while connecting separately to legitimate servers. Downgrade attacks manipulate TLS negotiation to force weaker, vulnerable protocols.
WiFi eavesdropping: Rogue access points and evil twin attacks create WiFi networks that mimic legitimate ones. Users connecting to these networks have all traffic routed through attacker-controlled infrastructure, making unencrypted traffic visible and encrypted traffic vulnerable to the techniques above.
Session hijacking: Rather than intercepting credentials, session hijacking targets tokens or cookies that prove a user is authenticated. Attackers steal these tokens through network interception or cross-site scripting, then impersonate the legitimate user. In cloud environments, session tokens often grant broad API access.
Email hijacking: Attackers gain access to email accounts or intercept traffic, monitor threads, and inject fraudulent messages at critical moments. A common pattern involves watching for payment discussions, then requesting payment to a different account.
Man-in-the-browser attacks: Malware, malicious extensions, or compromised browser components intercept data within the browser itself. This occurs after decryption, so network monitoring and TLS provide no protection.
Man-in-the-middle attack examples
DigiNotar Certificate Authority Breach (2011)
Attackers compromised the Dutch certificate authority DigiNotar and issued fraudulent certificates for more than 500 domains, including Google, Mozilla, and Microsoft. Because users’ systems trusted DigiNotar’s root certificate, attackers were able to intercept and decrypt HTTPS traffic without triggering obvious warnings.
The campaign primarily targeted Iranian users and enabled surveillance of Gmail communications. DigiNotar declared bankruptcy shortly after the breach was disclosed. The incident prompted significant changes in how browsers handle certificate authority trust and revocation.
Lenovo Superfish (2015)
Lenovo shipped consumer laptops with preinstalled adware called Superfish. The software inserted its own root certificate into the system trust store and intercepted HTTPS traffic to inject advertisements.
The same private key was reused across all installations. After security researchers extracted and published the key, any attacker could impersonate secure websites to affected users.
Millions of devices remained vulnerable until the software and associated certificate were removed.
BGP Hijacking of Amazon Route 53 (2018)
Attackers used Border Gateway Protocol hijacking to reroute traffic intended for Amazon Route 53 DNS infrastructure. For approximately two hours, users attempting to access MyEtherWallet.com were redirected to a phishing site hosted in Russia.
Users who entered credentials on the fake site lost an estimated $150,000 in cryptocurrency. The incident showed how traffic interception can occur at the internet routing layer when DNS and network paths are manipulated.
How to detect man-in-the-middle attacks
Detection can't rely on raw network telemetry alone. Effective MITM detection connects network anomalies to identity, workload, and data context to determine actual impact.
Network anomaly indicators
Common signals include:
Certificate warnings or unexpected certificate changes
DNS resolution anomalies, such as domains resolving to unfamiliar IPs
Unusual traffic routing paths or unexpected intermediaries
Connection latency spikes caused by added interception hops
These signals generate noise on their own. Certificates change for legitimate reasons. DNS responses shift. Routes adjust during maintenance.
The key question is impact: Does the suspicious path involve privileged identities, production workloads, or sensitive data?
An anomaly affecting a public marketing site isn't equivalent to one affecting traffic carrying database credentials or API keys. Detection needs to prioritize based on exposure and business risk—not just abnormal patterns.
Runtime behavior monitoring
Cloud environments need workload-level visibility, not just network flow logs. Runtime monitoring detects when workloads begin acting as interception points.
Indicators include:
Processes modifying network interfaces or routing tables
Unauthorized socket creation
Containers suddenly listening on new ports
Host-level traffic redirection
This approach catches internal interception that perimeter monitoring misses—especially when attackers operate from compromised but legitimate workloads.
Correlating network signals with identity and data context
Isolated alerts can't be prioritized without understanding blast radius.
Detection becomes actionable when teams can answer:
What credentials could be captured?
What sensitive data could be exposed?
What systems could those credentials access?
If traffic between a frontend and authentication service gets intercepted, the risk may include session tokens, user credentials, or PII—potentially granting downstream access to production systems.
Effective detection connects anomalies to identity privilege, data sensitivity, and attack paths. That context turns "something suspicious happened" into "this creates a route to impact."
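The triage logic sketched in the two subsections above (baseline deviations first, then ranking by what the path carries), as an added example that is not part of the original article. The telemetry lines and the asset inventory are constructed; the `expected` values stand in for whatever baseline the environment keeps.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry, one event per line (not from any real environment):
# each line records what was observed on the path and what the baseline expected.
LOG = """\
2024-05-01T10:00:01Z tls host=www.example.com observed=sha256:aa11 expected=sha256:aa11
2024-05-01T10:00:02Z tls host=auth.example.com observed=sha256:ff99 expected=sha256:bb22
2024-05-01T10:00:03Z dns host=db.internal observed=10.0.0.5 expected=10.0.0.5
2024-05-01T10:00:04Z dns host=db.internal observed=203.0.113.9 expected=10.0.0.5
2024-05-01T10:00:05Z tls host=www.example.com observed=sha256:cc33 expected=sha256:aa11
"""

# Assumed asset context (hypothetical inventory): what traffic to each host carries.
ASSETS = {
    "www.example.com": {"data": "public content", "privileged": False},
    "auth.example.com": {"data": "user credentials, session tokens", "privileged": True},
    "db.internal": {"data": "database credentials", "privileged": True},
}

LINE = re.compile(r"^(\S+) (tls|dns) host=(\S+) observed=(\S+) expected=(\S+)$")

@dataclass
class Finding:
    ts: str
    host: str
    signal: str    # "certificate changed" or "dns answer changed"
    severity: str  # "high" when the path carries privileged data
    impact: str    # what could be captured on this path

def triage(log: str, assets: dict) -> list[Finding]:
    """Keep only deviations from baseline and rank them by what the path exposes."""
    findings = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        ts, kind, host, observed, expected = m.groups()
        if observed == expected:
            continue  # matches baseline: a certificate or DNS answer that did not change
        # Hosts missing from the inventory are treated as privileged until classified.
        ctx = assets.get(host, {"data": "unknown", "privileged": True})
        signal = "certificate changed" if kind == "tls" else "dns answer changed"
        findings.append(Finding(ts, host, signal,
                                "high" if ctx["privileged"] else "low", ctx["data"]))
    # Privileged paths first, then chronological order.
    return sorted(findings, key=lambda f: (f.severity != "high", f.ts))
```

Run over the sample, the public site's certificate change is reported, but after the credential-carrying paths.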
How to prevent man-in-the-middle attacks
MITM prevention requires layered controls across encryption, validation, architecture, and posture management. No single safeguard is sufficient.
Enforce modern TLS configurations
TLS 1.3 should be standard. Deprecate older protocol versions wherever possible. TLS 1.3 removes legacy weaknesses and strengthens forward secrecy.
Additional controls:
Certificate pinning for mobile and high-risk applications
HTTP Strict Transport Security (HSTS) to prevent downgrade attacks
Disabling weak cipher suites and enforcing forward secrecy
Encryption alone isn't enough—configuration matters.
Implement certificate validation and transparency monitoring
Applications need to perform strict certificate validation:
Verify certificate chains
Check revocation status
Confirm domain matching
Organizations should also monitor certificate transparency logs for unauthorized certificates issued for their domains. Unexpected issuance may indicate CA compromise or active attack attempts.
Early detection reduces dwell time.
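The client-side half of the two subsections above (TLS 1.3 as the floor, chain verification, domain matching), shown as an added example with Python's standard `ssl` module; it is not code from the article. The weak context reproduces the configuration a reviewer would reject, and `audit` is the check to run against any context before it is used.

```python
import ssl

def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration this section warns against: chain verification off,
    hostname matching skipped, and pre-1.3 protocol versions still negotiable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # domain matching disabled
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including a spoofed one, is accepted
    return ctx                       # minimum_version left at the interpreter default

def hardened_client_context(ca_bundle=None) -> ssl.SSLContext:
    """Chain verification, domain matching, and TLS 1.3 as the minimum version."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3        # refuse downgrade to 1.2 or older
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT          # reject malformed chains
    # Revocation is not checked here: Python's ssl only supports VERIFY_CRL_CHECK_LEAF
    # after CRLs are loaded with load_verify_locations, and OCSP must be handled separately.
    return ctx

def audit(ctx: ssl.SSLContext) -> list[str]:
    """Return the weaknesses a reviewer would flag in a client TLS configuration."""
    issues = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("certificate chain is not verified")
    if not ctx.check_hostname:
        issues.append("certificate is not matched against the requested host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        issues.append(f"accepts {ctx.minimum_version.name}; downgrade below TLS 1.3 possible")
    return issues
```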
Secure network architecture and segmentation
Segmentation limits interception opportunities and lateral movement.
Restrict unnecessary service-to-service communication
Apply least-privilege network policies
Prevent development environments from accessing production systems
Zero Trust principles further reduce MITM risk by verifying identity and authorization for every connection—even inside the network.
Continuously eliminate MITM preconditions
Misconfigurations often enable interception, even when encryption exists.
Common weaknesses include:
Services accepting both HTTP and HTTPS
Overly permissive security groups
Internal endpoints exposed externally
Continuous posture management identifies and remediates these conditions before attackers exploit them.
Protect credentials and session tokens
Assume interception is possible and reduce its value.
Use short-lived tokens
Rotate credentials regularly
Bind sessions to client context
Invalidate sessions on logout
Also avoid exposing credentials in transit:
Don't log sensitive values
Don't pass credentials in URLs
Don't store secrets in browser-accessible storage
Limiting credential lifetime and exposure reduces blast radius even if traffic gets intercepted.
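The four token controls listed above (short lifetime, binding to client context, invalidation on logout, plus an integrity check so a modified token fails), carried through as an added example that is not part of the article. The signing key, the binding fields (user agent and IP prefix) and the token format are assumptions for illustration.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Assumed server-side key; a real deployment loads it from a secret store, not source.
SECRET = b"constructed-example-key-not-for-production"

def client_context(user_agent: str, ip_prefix: str) -> str:
    """Fingerprint of the client a session is issued to (assumed binding fields)."""
    return hashlib.sha256(f"{user_agent}|{ip_prefix}".encode()).hexdigest()

def issue_token(user: str, ctx: str, now: float, ttl: int = 900) -> str:
    """Short-lived token bound to a client context, signed with HMAC-SHA256."""
    claims = {"sub": user, "ctx": ctx, "exp": int(now) + ttl}
    body = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()  # fixed 32-byte tag
    return base64.urlsafe_b64encode(body + sig).decode()

def verify_token(token: str, ctx: str, now: float, revoked=frozenset()) -> Optional[str]:
    """Return the user if the token is intact, unexpired, presented from the client
    context it was issued to, and not revoked by logout; otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None                 # not even well-formed
    body, sig = raw[:-32], raw[-32:]
    if not hmac.compare_digest(sig, hmac.new(SECRET, body, hashlib.sha256).digest()):
        return None                 # tampered or forged
    claims = json.loads(body)
    if claims["exp"] <= now:
        return None                 # expired: a captured token stops working quickly
    if not hmac.compare_digest(claims["ctx"], ctx):
        return None                 # replayed from a different client than it was issued to
    if token in revoked:
        return None                 # invalidated on logout
    return claims["sub"]
```

A token captured in transit and replayed from another client, after its lifetime, or after logout is rejected; only the original client within the lifetime is accepted.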
Wiz's approach to detecting and preventing man-in-the-middle attacks
Wiz connects network exposure, identity permissions, and data sensitivity to show which interception scenarios represent real risk. When the Security Graph identifies a potential interception point, it reveals what sensitive data flows through that path, which identities could be compromised, and the blast radius if interception succeeded.
Agentless scanning identifies the misconfigurations that enable MITM attacks: services accepting unencrypted traffic, weak TLS settings, exposed internal endpoints, and overly permissive security groups, across AWS, Azure, GCP, and Kubernetes environments. The Security Graph maps network reachability to show which resources could intercept or be intercepted, transforming abstract vulnerabilities into concrete risk assessments tied to business impact.
Wiz Defend extends protection to runtime by detecting behaviors that enable interception: anomalous network activity, unexpected proxying or traffic redirects, and processes manipulating network interfaces. When suspicious activity occurs, defenders see it with full context about affected identities, data, and resources.
This unified context lets teams prioritize based on actual risk: a network anomaly affecting public content warrants different urgency than one affecting traffic carrying database credentials.
Get a demo to see how Wiz connects exposure paths, identity permissions, and sensitive data to help you prioritize the interception risks that matter most.