What is a man-in-the-middle attack?
A man-in-the-middle (MitM) attack occurs when an attacker secretly intercepts and relays traffic between two parties. Each party believes it is talking directly to the other over a secure, uninterrupted connection, while the attacker reads or alters what passes between them.
While remaining undetected, an attacker can eavesdrop, steal sensitive information (such as credentials or credit card numbers), redirect communications, use the foothold as the first stage of a longer intrusion, or drop traffic to cause a denial of service.
In cloud native environments, MitM attacks take forms such as the following:
API interception: Attackers intercept API requests to steal credentials or manipulate network traffic between services.
Container communication hijacking: Attackers exploit unsecured container traffic to eavesdrop or inject malicious commands within apps.
Service-mesh hijacking: Attackers re-route service mesh traffic or tamper with service-to-service traffic that should have been mutually authenticated and encrypted.
Example: A threat actor inserts themselves between an online banking customer and their bank app. As the customer logs into the app and attempts to initiate a wire transfer, the MitM eavesdrops on the conversation. The threat actor may collect the user’s login credentials and transfer PIN for later use, or they may modify the communication to redirect the transfer to their bank accounts.
How does a man-in-the-middle attack occur?
MitM attacks typically involve two distinct phases: interception and decryption. Here are some characteristics of both phases:
Phase 1: Interception
In this phase, an attacker inserts themselves between a client and a server to interrupt network traffic and data transfer.
To achieve this, the attacker exploits weaknesses in the target environment, such as open public Wi-Fi hotspots, clients that do not verify server certificates, and exposed private keys. Attackers often survey the target network for unencrypted connections or vulnerable clients using freely available tools, such as packet sniffers and ARP-spoofing tools (e.g., Wireshark or Ettercap).
Once they find a weakness, the attacker uses techniques like phishing, spoofing, and session hijacking to place themselves on the network path. They can then read or change client requests and server responses as the packets pass through.
Phase 2: Decryption
Connections protected by TLS (still commonly called SSL) are encrypted, so after intercepting such traffic the attacker must get into a position to read it without alerting either party. In practice this rarely means breaking the cryptography; instead the attacker terminates TLS themselves, using techniques such as HTTPS spoofing, SSL hijacking, and SSL stripping.
This is easier when only the server is authenticated (no mutual TLS), when clients accept untrusted certificates, or when weak cipher suites or protocol versions are still enabled. If the intercepted traffic is unencrypted (for example, HTTP, Telnet, FTP, or other plaintext protocols), no decryption step is needed at all. After achieving the initial goal of collecting credentials or planting malware for later attacks, the attacker typically withdraws from the path to avoid detection.
MitM techniques
MitM attacks take various forms, which makes defending against them challenging. Understanding the standard techniques, however, helps you build stronger protection against both today's MitM threats and emerging ones.
Here are some popular attack methods:
Interception methods
Some interception techniques require direct contact with the victim's device, while others rely on readily available tools. Examples include:
Wi-Fi eavesdropping: Attackers sniff traffic on Wi-Fi networks they can join: open public hotspots, or private networks whose weak pre-shared key they crack offline with password cracking software (like John the Ripper). Sometimes an attacker runs their own access point and names it like a free public network (an "evil twin"). The moment unsuspecting victims connect, every packet they send passes through the attacker's hardware. TLS still protects the contents of encrypted sessions, which is why this position is usually combined with SSL stripping or a forged certificate to get at the plaintext.
Phishing (or email hijacking): In a MitM-focused phishing attack, attackers trick users into opening malicious attachments or links that install malware on their devices. Once installed, the malware acts as a local proxy or man-in-the-browser, reading and modifying traffic before the browser encrypts it, to steal login credentials and inject malicious content.
Session hijacking (or cookie hijacking): Session hijacking occurs when attackers sniff or steal the browser cookies that carry session identifiers or bearer tokens. Because the server treats whoever presents a valid token as the authenticated user, the attacker can take over the session without ever learning the password. Cookies sent over plain HTTP, or set without the Secure and HttpOnly attributes, are the easiest to capture.
Domain name system spoofing (or DNS cache poisoning): Attackers answer DNS queries with forged responses or poison a resolver's cache, so the victim's traffic for a legitimate hostname is sent to an attacker-controlled server, effectively placing the attacker "in the middle." Once traffic is redirected, they can monitor, collect, or alter the data in transit between the victim and what the victim believes is the legitimate site.
ARP spoofing (or ARP poisoning): This type of MitM attack occurs within a local network segment. ARP has no authentication, so once attackers associate their own MAC address with the IP address of a target device (such as the default gateway or a server), other hosts on the segment send that device's traffic to the attacker, who can read, modify, or forward it without either side noticing.
Decryption methods
Decryption methods are the techniques threat actors use to get at encrypted client-to-server traffic. Most work by getting the client to accept the attacker as the TLS endpoint rather than by breaking the cipher. They include the following:
HTTPS spoofing: When a victim connects to a site over HTTPS, the attacker intercepts the connection and presents a certificate for that hostname that the attacker controls. Unless the user clicks through a browser warning, or the attacker has a certificate from a CA the client already trusts (for example, a rogue root planted on the device), validation fails and the attack is blocked. If it succeeds, the attacker terminates TLS, reads the plaintext, and re-encrypts it toward the real site.
SSL hijacking: The attacker intercepts the TLS handshake and terminates it themselves, handing the client a forged server certificate while opening a separate, legitimate TLS session to the real server. Sitting between two encrypted connections, the attacker can impersonate the server to the client (and, where the server does not require client certificates, the client to the server), redirect the victim to unsecured pages, and control the session.
SSL stripping: The attacker intercepts the victim's initial plaintext HTTP request (or the server's redirect to HTTPS) and rewrites every https:// link and redirect to http://. The attacker keeps an HTTPS session with the real server while the victim talks to the attacker in the clear, so everything the victim sends is fully visible. HTTP Strict Transport Security (HSTS) and the browser preload list exist specifically to defeat this downgrade.
BEAST (Browser Exploit Against SSL/TLS) attacks: BEAST exploits the predictable initialization vectors of CBC cipher suites in TLS 1.0 and earlier. An attacker who can both observe the traffic and run JavaScript in the victim's browser (for example, from a malicious page) can recover encrypted cookies and authentication tokens byte by byte. Current TLS versions are not affected.
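The following is an added example, not code from the original article, that models both sides of the SSL-stripping technique described above: the rewrite an interposed proxy applies to a page in transit, and the HSTS cache a browser consults before sending a request. The HTML fragment, header values, and hostnames are constructed samples; the HstsCache class and its methods are this example's own, not a browser API.

```python
"""Added example (not from the original article): a minimal model of what an
SSL-stripping proxy does to a page in transit, and of the HSTS cache a browser
uses to refuse the downgrade. The HTML, headers and hostnames are constructed
samples."""
import re
import time
from typing import Dict, Optional, Tuple

HTTPS_REF = re.compile(r"https://", re.IGNORECASE)


def strip_https(text: str) -> str:
    """Attacker side: rewrite every https:// reference (links, forms, and the
    Location header of an upgrade redirect) to http://, so the victim's next
    request leaves in plaintext through the attacker."""
    return HTTPS_REF.sub("http://", text)


def parse_hsts(header_value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value such as
    'max-age=31536000; includeSubDomains; preload' into its directives."""
    directives: Dict[str, object] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip() or True
    return directives


class HstsCache:
    """Defender side: hosts from which the client has seen a valid HSTS header
    over HTTPS, plus preloaded hosts that are pinned to HTTPS permanently."""

    def __init__(self, preload=()):
        # host -> (expiry timestamp, includeSubDomains)
        self.entries: Dict[str, Tuple[float, bool]] = {}
        for host in preload:
            self.entries[host.lower()] = (float("inf"), True)

    def learn(self, host: str, header_value: str, now: Optional[float] = None) -> None:
        """Record a policy. Real browsers only honour the header when it arrived
        over a TLS connection with a valid certificate, which is what stops an
        on-path attacker from simply sending max-age=0 to clear it."""
        now = time.time() if now is None else now
        directives = parse_hsts(header_value)
        try:
            max_age = int(str(directives.get("max-age", 0)))
        except ValueError:
            return
        if max_age <= 0:
            self.entries.pop(host.lower(), None)
            return
        self.entries[host.lower()] = (now + max_age, "includesubdomains" in directives)

    def must_use_https(self, host: str, now: Optional[float] = None) -> bool:
        """True if a policy covers host (directly, or via a parent domain whose
        policy has includeSubDomains) and has not expired."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False


def client_request_url(url: str, cache: HstsCache, now: Optional[float] = None) -> str:
    """Return the URL the client actually sends. An http:// URL is upgraded
    internally when HSTS applies, so the stripped link never reaches the wire."""
    scheme, sep, rest = url.partition("://")
    host = rest.split("/", 1)[0]
    if sep and scheme.lower() == "http" and cache.must_use_https(host, now):
        return "https://" + rest
    return url
```

A client with an empty cache follows the stripped http:// link, which is the first-visit gap the preload list closes; once the client has seen a valid policy for the host, the same link is upgraded locally and the attacker never sees plaintext.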
MitM examples
Below are some real-life examples of MitM vulnerabilities to help you visualize how they manifest in cloud environments and assess your potential exposure to similar threats:
AWS EKS Access Entries and Policies vulnerabilities
In early 2024, AWS changed how identity and access management works for its managed Kubernetes service. While this update streamlined mapping IAM users and roles to access within EKS clusters and their associated resources, the Wiz Research team discovered weaknesses related to EKS Access Entries and policies. These flaws could lead to lateral movement and privilege escalation, giving an attacker who has already intercepted or stolen credentials leverage inside an enterprise's Kubernetes environment.
Regularly audit all EKS access entries and the IAM policies behind them, and automate enforcement of least privilege.
The 2022 Office 365 attack
In 2022, the Lapsus$ group ran a series of attacks against Office 365 enterprise users. These often used MitM techniques: attackers placed relay proxies between victims and the login page to capture credentials and authenticated sessions, sometimes combined with MFA fatigue (bombarding users with push prompts until one was approved). Lapsus$ also relied on social engineering, notably calling helpdesk staff to reset credentials during live sessions, SIM swapping to hijack victims' phone numbers and receive one-time passcodes, and paying insiders for credentials or to install remote access software that gave the group a proxy into the victim's session.
Use real-time monitoring and alerting to identify unusual authentication approval patterns, such as many MFA prompts in a short window or approvals from new locations. Also, adjust helpdesk protocols to require a second verification step before resetting credentials or changing MFA settings.
More sophisticated browser-in-the-middle attacks
In 2025, researchers at the University of Salento outlined how browser-in-the-middle (BitM) attacks, a sophisticated subset of MitM, are becoming even harder to distinguish from normal use. In a BitM attack, the victim's browser is pointed at an attacker-controlled remote browser, typically through a phishing link that opens a transparent remote session, a fake browser, or a compromised app, so the victim interacts with the real site through the attacker's browser. The attacker captures the session tokens the site issues after login, so even multi-factor authentication (MFA) may not be enough to protect the user.
Because a session running through an attacker's browser looks identical to a normal one, defenses have to focus on the token rather than the page: bind tokens to the device or session, alert in your SIEM when one token is used from a new location, and monitor cloud-native session activity for anomalies.
Best practices for preventing MitM attacks
Preventing MitM attacks requires a multi-layered security approach that focuses on encryption, authentication, network security, and user awareness. Below are some best practices, along with action steps, for defending against MitM attacks:
1. Use strong encryption
Strong encryption of data in transit removes the attacker's ability to read or alter it, even when they sit on the path. You can enhance encryption by taking the following actions:
Implement HTTPS everywhere: Ensure that all web traffic uses HTTPS instead of HTTP, and send an HTTP Strict Transport Security (HSTS) header (submitting production domains to the preload list) so browsers refuse to downgrade to HTTP.
Encrypt sensitive data: Protect data at rest and in transit with current protocols. This includes TLS 1.2 or later for web and email, Secure Shell (SSH) instead of Telnet for remote access, and virtual private networks (VPNs) for remote access over untrusted networks.
2. Secure network infrastructure
Hardening the network itself removes the easy ways an attacker gets onto the traffic path. Strengthen your infrastructure in the following ways:
Secure Wi-Fi networks: Use WPA3 (or at least WPA2 with a long, random passphrase) for Wi-Fi networks, and never rely on open hotspots for corporate traffic.
Use VPNs: Employ VPNs for secure access to corporate networks, especially for remote work, to encrypt data over potentially insecure networks, like public Wi-Fi.
3. Implement authentication and access control
Adopt zero trust principles so that a stolen credential or intercepted session is not enough on its own to gain access. You can improve your identity security with these steps:
Add stronger authentication: Implement MFA for sensitive systems and data, and prefer phishing-resistant methods (FIDO2 security keys or passkeys) over one-time codes, which a relay proxy can capture and replay.
Include digital certificates: Use certificates to authenticate servers and, where possible, clients (mutual TLS), so that each side can verify who it is talking to.
Harden passwords: Enforce strong, unique passwords (ideally through a password manager), and rotate credentials promptly when compromise is suspected rather than on a fixed schedule, which tends to produce predictable variants.
4. Enhance API security
Third-party and service-to-service connections are often the weakest links. You can prevent interception by strengthening API security through the following methods:
Mitigate API gateway exposure: Enforce TLS on all incoming and outgoing connections, and require and validate client certificates (mutual TLS) for service-to-service calls so an interposed host cannot simply pretend to be a trusted client.
Prevent JWT hijacking: Issue short-lived tokens, support revocation (for example, a denylist keyed on the token's jti claim), verify the signature and the algorithm on every request, and store tokens where page scripts cannot read them.
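As an added example (not the article's own code and not any particular library's API), the following implements the JWT handling just described with only the Python standard library: HS256 signing, a short lifetime, a denylist keyed on jti, and strict algorithm checking. The signing key, subject, and lifetimes are constructed samples; a real service would load the key from a secrets manager and share the revocation list across instances.

```python
"""Added example (not from the original article): issuing short-lived HS256
JWTs and verifying them with expiry and revocation checks, standard library
only. The signing key, subject and lifetimes are constructed samples; a real
service would load the key from a secrets manager and share the revocation
list across instances (e.g. in a cache whose TTL matches token expiry)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    def __init__(self, key: bytes, ttl_seconds: int = 300):
        self.key = key
        self.ttl = ttl_seconds       # a short lifetime bounds the replay window
        self.revoked = set()         # jti values revoked before their expiry

    def issue(self, subject: str, now: Optional[float] = None) -> str:
        now = int(time.time() if now is None else now)
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"sub": subject, "iat": now, "exp": now + self.ttl,
                  "jti": secrets.token_hex(16)}   # unique id makes revocation possible
        signing_input = ".".join(
            _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)

    def revoke(self, token: str, now: Optional[float] = None) -> bool:
        """Revoke a token presented at logout or after a suspected theft. Only
        a token that currently verifies is added, so junk cannot fill the list."""
        claims = self.verify(token, now)
        if claims is None:
            return False
        self.revoked.add(claims["jti"])
        return True

    def verify(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the claims if the token is genuine, unexpired and not revoked."""
        now = int(time.time() if now is None else now)
        try:
            header_b64, claims_b64, sig_b64 = token.split(".")
            header = json.loads(_b64url_decode(header_b64))
            sig = _b64url_decode(sig_b64)
            claims = json.loads(_b64url_decode(claims_b64))
        except (ValueError, UnicodeDecodeError):   # malformed token
            return None
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None                            # refuse "none" and algorithm confusion
        expected = hmac.new(self.key, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return None
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None
        if claims.get("jti") in self.revoked:
            return None
        return claims
```

The verifier checks the algorithm before trusting anything else and compares the MAC in constant time; a token whose payload an attacker has edited, a token signed with a different key, an "alg":"none" token, and a revoked or expired token are all rejected.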
5. Improve certificate management
Strengthen trust and minimize the risk of spoofing by automating and securing your certificates. Improve certificate handling in the following ways:
Pin certificates in client and mobile apps: Pinning makes the app accept only a known server certificate or public key, so a certificate forged or issued by a compromised CA is rejected. This is effective for mobile and client apps, but it is fragile in large cloud environments where certificates rotate often; pin the public key rather than the leaf certificate and keep a backup pin so rotation does not lock clients out.
Address PKI challenges in ephemeral cloud workloads: Automate certificate provisioning and renewal for your short-lived cloud assets, enabling you to maintain trust without manual intervention.
Automate certificate rotation and validation: Use tooling to rotate certificates and validate them before they expire, so there is no window in which an expired certificate trains users to click through warnings or leaves a service reachable only over plaintext.
6. Establish network monitoring and protection
Implement proactive, continuous monitoring to find weaknesses and events before they become bigger (and more expensive) problems. Establish stronger security by taking these steps:
Monitor network traffic: Use intrusion detection and prevention systems to watch for unusual traffic patterns or unauthorized access attempts, such as a gateway's MAC address changing or a burst of unsolicited DNS responses.
Leverage secure DNS: Deploy DNS Security Extensions (DNSSEC) on your zones and use validating resolvers so that forged DNS responses are rejected, and encrypt resolver traffic (DNS over TLS or HTTPS) where clients support it.
Include ARP spoofing protection: Enable Dynamic ARP Inspection on switches, with DHCP snooping as its source of trusted IP-to-MAC bindings, so that ARP replies contradicting a known binding are dropped, and alert on gateway MAC changes from host-side monitors.
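The following added example (not from the article or any vendor's product) shows the two detection approaches behind the ARP spoofing technique described earlier and the Dynamic ARP Inspection advice above: a binding-table check of the kind a switch performs against DHCP snooping data, and a host-side monitor that simply watches for an IP address changing MAC. The binding table and the ARP reply records are constructed sample data.

```python
"""Added example (not from the original article): detecting ARP poisoning from
a stream of ARP replies, the way a host-side monitor or a switch with Dynamic
ARP Inspection would. The binding table and ARP records are constructed
sample data, not captured traffic."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ArpReply:
    ts: float
    sender_ip: str      # the IP the sender claims to own
    sender_mac: str     # the MAC it asks the target to use for that IP
    target_ip: str


# Trusted IP -> MAC bindings, as a switch learns them from DHCP snooping
# (constructed sample).
DHCP_BINDINGS: Dict[str, str] = {
    "10.0.0.1": "00:11:22:33:44:01",    # default gateway
    "10.0.0.20": "00:11:22:33:44:20",
    "10.0.0.21": "00:11:22:33:44:21",
}


def inspect(reply: ArpReply, bindings: Dict[str, str] = DHCP_BINDINGS) -> Optional[str]:
    """Dynamic ARP Inspection style check: flag (a switch would drop) any reply
    whose sender IP/MAC pair contradicts the trusted binding table."""
    expected = bindings.get(reply.sender_ip)
    if expected is None:
        return f"unknown sender {reply.sender_ip} ({reply.sender_mac})"
    if expected.lower() != reply.sender_mac.lower():
        return (f"binding mismatch: {reply.sender_ip} claims {reply.sender_mac}, "
                f"expected {expected}")
    return None


class ArpMonitor:
    """Host-side monitor with no binding table: learn the first mapping seen
    and alert when an IP's MAC changes, the signature of poisoning."""

    def __init__(self):
        self.table: Dict[str, str] = {}

    def observe(self, reply: ArpReply) -> Optional[str]:
        prev = self.table.get(reply.sender_ip)
        self.table[reply.sender_ip] = reply.sender_mac.lower()
        if prev is not None and prev != reply.sender_mac.lower():
            return f"{reply.sender_ip} moved from {prev} to {reply.sender_mac.lower()}"
        return None


def run(replies: List[ArpReply],
        bindings: Dict[str, str] = DHCP_BINDINGS) -> List[Tuple[float, str]]:
    """Run both checks over a reply stream and collect (timestamp, alert)."""
    monitor = ArpMonitor()
    alerts: List[Tuple[float, str]] = []
    for reply in replies:
        for alert in (inspect(reply, bindings), monitor.observe(reply)):
            if alert:
                alerts.append((reply.ts, alert))
    return alerts


# Constructed sample: two legitimate replies, then an attacker poisoning both
# ends of the victim <-> gateway path with its own MAC.
SAMPLE: List[ArpReply] = [
    ArpReply(1.0, "10.0.0.1", "00:11:22:33:44:01", "10.0.0.20"),
    ArpReply(2.0, "10.0.0.21", "00:11:22:33:44:21", "10.0.0.20"),
    ArpReply(3.0, "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.20"),   # "I am the gateway"
    ArpReply(3.1, "10.0.0.20", "de:ad:be:ef:00:99", "10.0.0.1"),   # "I am the victim"
]

if __name__ == "__main__":
    for ts, alert in run(SAMPLE):
        print(f"t={ts}: {alert}")
```

The binding-table check catches the very first poisoned reply, including the one aimed at the gateway that a host-side monitor never sees; the monitor only fires when a mapping it has already learned changes, which is why the two are complementary.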
7. Conduct user education and awareness
Build your first line of defense between attackers and your organization: your people. Train your team on the following best practices to fortify your defenses:
Phishing awareness: Educate your team on the risks of phishing attacks—often precursors to MitM attacks—by teaching them to recognize suspicious emails and links.
Safe browsing practices: Encourage the use of secure and reputable websites, especially when entering sensitive information. Employees should look for HTTPS and a valid certificate, and treat a certificate warning as a reason to stop rather than something to click through.
8. Fortify your software and system security
Enhance your overall security by minimizing attack surfaces and maintaining up-to-date systems to enforce policies effectively. You can protect your environment in the following ways:
Keep systems current: Regularly update all software, including operating systems, applications, and firmware on devices, to patch vulnerabilities.
Adopt firewalls and endpoint protection: Use firewalls to control incoming and outgoing network traffic, and endpoint protection to catch the malware used in man-in-the-browser attacks (note: firewalls and antivirus alone cannot prevent MitM attacks on the network path).
Advanced cloud native MitM defense strategies
Cloud native environments can’t rely on legacy security systems, even if they offer new features that cater to the cloud. Instead, your organization should rely on cloud-first solutions that tackle unique challenges in your serverless and hybrid environments. These security operations, with tools like Wiz Defend, help you defend against sophisticated MitM attacks, especially as they continue to evolve.
Here are some strategies you can use:
Real-time detection with runtime sensors
Runtime sensors continuously monitor your resources to identify threats or anomalies as they happen. By using real-time detection, you can respond quickly to suspicious activity.
Wiz’s runtime sensor, for example, can block attacks and provide in-depth context for the event, as well as for your overall security health. Using its prioritization and context, you can fix issues, like an unencrypted API endpoint, before a bad actor can exploit them.
🛠️ Action step: Adopt a real-time cloud security platform with runtime sensors that can find vulnerabilities in your cloud environment.
Zero trust architecture for MitM mitigation
By adopting zero trust principles and systems to protect access, you can prevent avoidable MitM breaches. The following steps can also help you strengthen your zero trust protocols:
Least privilege: With least privilege access, team members can access or perform only the minimum level of resources or actions required for their role.
MFA: This feature requires users to verify their identity through multiple steps, like a one-time code, a passkey, or biometric scans.
Context-aware authentication: Stakeholders can only access certain resources from specific locations, admin-approved IP addresses, and devices with this level of authentication.
Communication: Security teams should leverage encryption, secure protocols, email encryption, and public key infrastructure to protect data.
Training: Employees should receive consistent, up-to-date education on how to navigate and protect themselves against MitM attacks and evolving cyber threats.
🛠️ Action step: Combine a DevSecOps culture with a cloud-native platform that can implement zero trust architecture through shift-left policies.
Attack vector mapping and threat visualization
Attack vector mapping is a proactive way to defend against MitM attacks by identifying and visualizing the pathways an attacker could use. It starts with cataloging your cloud assets, permissions, network flows, and identities. Mapping them against a framework like MITRE ATT&CK lets you classify the tactics and techniques relevant to MitM threats, such as adversary-in-the-middle, ARP cache poisoning, and credential theft from intercepted traffic.
Using these classifications and documentation for your assets, you can create a graph that shows critical relationships between your resources and how an attacker could exploit them. Thankfully, cloud native security platforms can create these visualizations for you.
🛠️ Action step: Categorize and classify your resources, then create a visual map of their relationships using a cloud security platform.
Cloud native MitM defense with Wiz
MitM attacks can have devastating consequences for individuals and organizations. But you don’t have to fall victim to these attacks. You can protect your customers and organization with a full-stack, cloud native security solution like Wiz.
Our platform provides complete visibility into your cloud infrastructure, so you can spot the signals that often precede or indicate a MitM attack: unexpected network exposure, anomalous traffic patterns, and other suspicious activity. Wiz connects the dots across layers, from identity to network to workload, helping you quickly understand what’s happening and why it matters.
We also map risk in context. By correlating misconfigurations, exposed secrets, and active threats, Wiz surfaces attack paths that could enable MitM or similar interception techniques. It’s part of our broader approach to building a secure-by-design cloud — one where zero trust principles and DevSecOps practices are embedded from the start.
To learn more about securing your cloud environment, download our Advanced Cloud Security Best Practices [Cheat Sheet] today. To start protecting your infrastructure now, schedule a demo to see how Wiz can protect your enterprise and users from MitM attacks.