Man-in-the-Middle Phishing Attacks: How Hackers Intercept Sensitive Information

Key Takeaways:

  • Man-in-the-middle (MITM) attacks are a sophisticated evolution of phishing, intercepting credentials and session tokens in real-time to bypass traditional security measures.

  • Legacy defenses like email filters and standard multi-factor authentication (MFA) often fail against these attacks, making user awareness and advanced monitoring key.

  • Huntress Identity Threat Detection and Response (ITDR) and Managed Endpoint Detection and Response (EDR) detect anomalous authentication and session hijacking, stopping attackers before they can move laterally in your network.

You’ve read it a thousand times. Be careful. Don’t click links in suspicious emails. Verify the sender. Look for spelling errors. The problem is that hackers are light-years beyond the tactics in these common advice columns. Man-in-the-middle phishing is a new generation threat that bypasses traditional security.

Traditional phishing is someone slipping a fake post office notice under your door. A man-in-the-middle attack is a stranger placing themselves between you and the post office so they can intercept all your packages and letters without you knowing anything is wrong.

Check our phishing guide so you don’t get caught—by a man in the middle or otherwise.

What are man-in-the-middle attacks?

So, what is a man-in-the-middle attack? Also known as an adversary-in-the-middle attack (AiTM), it’s when cybercriminals position themselves between you and your intended destination to intercept sensitive data. A man-in-the-middle cyber attack mixes social engineering deception with real-time technical interception, making it far more dangerous than traditional phishing.


Phishing attempts try to get your password. A man-in-the-middle attack captures credentials as you enter them into a webpage. The attacker sets up a proxy (a page that looks like the legitimate login page but relays everything you type to the real one) between you and the site accepting your credentials. You log in normally, and they capture your username and password in the process. Often, attackers can then use the session token to log in, even if you have two-factor or multi-factor authentication (MFA) enabled.

How does a man-in-the-middle attack work?

To defend against these threats, you first need to understand how man-in-the-middle attacks work in practice.

Step 1: The setup

The attacker creates a phishing message disguised as a legitimate service—a password reset from Microsoft 365, a DocuSign request, or perhaps a fake urgent security message from your own IT department, but the link doesn't go to the real website.

Step 2: The proxy page

When you click the link, it goes to a page that looks identical to the real login page. This is a proxy page controlled by the attacker. It’s the “middle” in man-in-the-middle.

Step 3: The credential interception

You enter your username and password. The proxy page sends those credentials directly to the legitimate service. The real service sends back an authentication token or prompts you to enter your MFA code.

Step 4: The MFA bypass

If the system prompts you for MFA, that prompt will come from the attacker’s proxy page. So you enter your MFA code, thinking it’s just routine authentication. The attacker’s server captures the MFA code and forwards it to the legitimate service.

Step 5: Session hijacking

You're authenticated. The proxy sends you the session cookie, completing your login. You log in successfully, and everything appears normal. But the attacker has also captured that session cookie, which means they can now access your account directly, without needing your password or MFA.

The entire attack happens in seconds, and from your perspective, it looks like a normal login. That's what makes MITM attacks so dangerous.



Real-world man-in-the-middle attack campaigns

Sadly, there are too many man-in-the-middle attack examples to count. Here are just a few.

In 2024 and 2025, state-affiliated actor Salt Typhoon launched MITM attacks against four US telecom giants: AT&T, Verizon, Lumen, and T-Mobile. Attackers used the compromised infrastructure to tap into calls and track location data. The attack targeted business and government communications, making it one of the largest telecom espionage campaigns ever seen in the U.S.

Another 2024 example involved Tesla. Researchers found a phishing-based MITM attack where Tesla users were tricked into adding a malicious “phone key” which then remotely unlocked and started cars. Attackers intercepted the victim's credentials via the Tesla app (v4.30.6 / software 11.1 2024.2.7).


Why traditional security tools miss the mark

How come traditional security can’t detect these attacks?

  • Email filters don't catch them: These emails look legitimate, often come from legitimate domains, and carry no malicious attachments. Email security gateways scan for malware and suspicious URLs, but may allow these through because, technically, the lures are just website links.

  • MFA has limits: We've been hearing for years that MFA is the best thing since sliced bread. It is, but an adversary-in-the-middle attack specifically targets that authentication request, capturing authentication codes as they’re entered.

  • Users can't spot the fakes: The proxy pages look exactly like a real login page. Security-savvy or not, users may have difficulty telling the difference, and it's more difficult on a mobile device, where inspecting the URL is trickier.



How to detect man-in-the-middle attacks

Knowing how to detect man-in-the-middle attack activity is critical for protecting your organization from credential theft and session hijacking. Here’s how to detect man-in-the-middle attacks before it’s too late: 

Deploy endpoint detection

Deploy Managed Endpoint Detection and Response (EDR) to catch malicious software or scripts that intercept or manipulate authentication flows.

Implement identity threat detection and response (ITDR)

ITDR solutions monitor for suspicious authentication patterns, impossible travel scenarios, and abnormal session activity in man-in-the-middle attacks. When attackers use stolen session cookies, ITDR identifies the abnormal behavior and stops it.

Deploy strong, phishing-resistant MFA

Hardware security keys and passwordless authentication are AiTM resistant because they verify the actual website domain during authentication: the response is bound to the domain the browser is really on, so one generated on an attacker's lookalike domain is useless against the real site.
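To show what "verifying the actual website domain" means in practice, here is an added, simplified model of origin binding (not Huntress code and not a real WebAuthn implementation): the browser writes the page's origin into the data the authenticator signs, and the real service rejects anything signed for another origin. It assumes constructed domains, and an HMAC stands in for WebAuthn's asymmetric signature so the script runs with the standard library only.

```python
# Added example (not Huntress or FIDO Alliance code): a simplified model of why
# origin-bound authenticators (FIDO2/WebAuthn security keys, passkeys) resist an
# AiTM proxy. Real WebAuthn uses an asymmetric signature over clientDataJSON;
# an HMAC stands in for it here so the script needs only the standard library.
import hashlib, hmac, json, secrets

LEGIT_ORIGIN = "https://login.example.com"   # relying party (constructed)
PROXY_ORIGIN = "https://login-example.com"   # AiTM lookalike (constructed)

def authenticator_sign(key, challenge, origin):
    # The browser, not the user, fills in `origin` from the page that issued
    # the request, so a request from the proxy page carries the proxy's origin.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    sig = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"client_data": client_data, "signature": sig}

def relying_party_verify(key, expected_challenge, assertion):
    # The server rejects unless the signed origin is its own, the challenge is
    # the one it issued, and the signature covers exactly that client data.
    data = json.loads(assertion["client_data"])
    if data.get("origin") != LEGIT_ORIGIN or data.get("challenge") != expected_challenge.hex():
        return False
    expected = hmac.new(key, hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def simulate(login_page_origin):
    # One login attempt with the user's browser on `login_page_origin`.
    key = secrets.token_bytes(32)        # credential key, shared in this HMAC model
    challenge = secrets.token_bytes(16)  # issued by the RP, relayed unchanged by the proxy
    assertion = authenticator_sign(key, challenge, login_page_origin)
    return relying_party_verify(key, challenge, assertion)

def simulate_origin_rewrite():
    # A proxy that edits the origin field back to the real one breaks the
    # signature, because the origin is part of the signed data.
    key, challenge = secrets.token_bytes(32), secrets.token_bytes(16)
    assertion = authenticator_sign(key, challenge, PROXY_ORIGIN)
    data = json.loads(assertion["client_data"])
    data["origin"] = LEGIT_ORIGIN
    assertion["client_data"] = json.dumps(data, sort_keys=True).encode()
    return relying_party_verify(key, challenge, assertion)

if __name__ == "__main__":
    print("direct login accepted:", simulate(LEGIT_ORIGIN))         # True
    print("proxied login accepted:", simulate(PROXY_ORIGIN))        # False
    print("origin rewritten accepted:", simulate_origin_rewrite())  # False
```

Contrast this with a TOTP or push code, which carries no origin at all and so relays through the proxy unchanged, as described in Step 4 above.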

Monitor session activity

Keep an eye on active sessions in your environment. A user's session token shouldn't suddenly make requests from different IP addresses or locations.
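The session hijack in Step 5 of the attack walkthrough and the monitoring advice here come down to one observable: a session token that was issued to one client and is suddenly used by another. As an added example (not Huntress ITDR logic), the script below runs that check over a few constructed log lines in a hypothetical "timestamp user session_id src_ip user_agent" format.

```python
# Added example (not Huntress ITDR code): flag a session token that is suddenly
# used from a different source than the one that created it, which is what a
# cookie replayed from an AiTM proxy (Step 5 above) looks like in web-app or
# IdP logs. Log lines are constructed; the "ts user session_id src_ip user_agent"
# format is hypothetical.
from datetime import datetime, timedelta

LOG_LINES = """\
2025-03-04T09:00:12Z alice sid-7f3a 203.0.113.10 Mozilla/5.0-Windows
2025-03-04T09:00:45Z alice sid-7f3a 203.0.113.10 Mozilla/5.0-Windows
2025-03-04T09:03:10Z alice sid-7f3a 198.51.100.77 python-requests/2.31
2025-03-04T09:15:00Z bob sid-91c2 192.0.2.5 Mozilla/5.0-Mac
2025-03-04T10:40:00Z bob sid-91c2 192.0.2.5 Mozilla/5.0-Mac
"""

def parse(lines):
    for line in lines.splitlines():
        ts, user, sid, ip, ua = line.split(maxsplit=4)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, sid, ip, ua

def find_session_reuse(lines, window=timedelta(minutes=10)):
    # Alert when the same session id shows up from a new IP or a new client
    # within `window` of its last use. Legitimate roaming (VPN reconnects,
    # mobile handoff) changes IPs too, but rarely within minutes and rarely
    # with a different user agent at the same time, so tune `window` per site.
    last = {}      # session id -> (timestamp, ip, user agent) of its last request
    alerts = []
    for ts, user, sid, ip, ua in parse(lines):
        if sid in last:
            prev_ts, prev_ip, prev_ua = last[sid]
            if (ip != prev_ip or ua != prev_ua) and ts - prev_ts <= window:
                alerts.append({"user": user, "session": sid, "first_ip": prev_ip,
                               "new_ip": ip, "new_ua": ua,
                               "seconds_since_last": (ts - prev_ts).total_seconds()})
        last[sid] = (ts, ip, ua)
    return alerts

if __name__ == "__main__":
    for a in find_session_reuse(LOG_LINES):
        print(f"possible hijacked session {a['session']} for {a['user']}: "
              f"{a['first_ip']} -> {a['new_ip']} ({a['new_ua']}) after {a['seconds_since_last']:.0f}s")
```

In a real deployment the alert would feed a response action such as revoking the session and forcing re-authentication, which is what removes the attacker's access.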

Educate users on URL verification

Teach users to verify they’re entering credentials on legitimate sites by checking for “HTTPS” and, more importantly, verifying the exact domain, since an attacker’s proxy page will also be served over HTTPS. When in doubt, navigate directly to sites rather than clicking email links.



Don’t get caught in the middle

Man-in-the-middle phishing attacks steal your credentials and bypass MFA in the process. That's why Huntress built solutions to catch what legacy defenses miss. Huntress ITDR detects anomalous authentication behavior and session hijacking attempts in real-time, and Managed EDR monitors endpoints for manipulation attempts. Together, they don’t just block the initial attack. They detect stolen session tokens and stop attackers before they move through your network.

Start your free trial today to see how Huntress ITDR and EDR detect and stop identity and session hijacking.
