Which Attack Intercepts Communications? MITM and More

A man-in-the-middle attack (MitM) is the primary type of cyberattack that intercepts communications. The attacker positions themselves between two parties, such as you and a website, and secretly reads, relays, or alters the data traveling between them. Neither side realizes a third party is listening in. NIST defines it as “a form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved.”

Man-in-the-middle is actually an umbrella term. Several specific attack techniques fall under it, each targeting a different layer of communication: your local network, your Wi-Fi connection, your web browser’s encryption, or even the internet’s core routing infrastructure.

How a Man-in-the-Middle Attack Works

The core concept is simple. Normally, your device talks directly to a server (like your bank’s website), and the two exchange information in a straight line. In a MitM attack, someone secretly inserts themselves into that line. Your device thinks it’s talking to the bank, and the bank thinks it’s talking to you, but every message passes through the attacker first. The attacker can passively read everything, or actively change the content before passing it along.

This three-party structure applies whether the attack happens over Wi-Fi at a coffee shop or across international internet routing systems. The scale differs, but the logic is the same: intercept, read, and optionally modify.

ARP Spoofing on Local Networks

One of the most common MitM techniques on local networks is ARP spoofing. Every device on a network has two addresses: an IP address (its network location) and a MAC address (its hardware ID). When your computer wants to send data to another device on the same network, it broadcasts a request asking “Who has this IP address? Tell me your hardware address.” The correct device responds, and your computer saves the pairing in a local contact list called the ARP cache.

An attacker on the same network exploits this by sending forged replies. ARP has no authentication, and most hosts will cache a reply even if they never asked for it. The attacker tells your computer, “That IP address belongs to me,” and supplies their own hardware address; in practice they send the same lie in both directions, telling your computer that their MAC address is the gateway and telling the gateway that it is you. Your computer stores the attacker’s address as if it were the legitimate device. From that point on, every packet you send to the real device goes to the attacker first. The attacker forwards it along so neither side notices the disruption, all while quietly copying or modifying everything in transit (if they fail to forward, the result is a denial of service rather than interception). The telltale sign on the wire is one IP address being claimed by two different MAC addresses, or one MAC address answering for several IPs, which is what ARP-monitoring tools look for.
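The following is an added example, not code from the original article: a Python parser for raw Ethernet/ARP frames and a small detector that applies the two checks just described (an IP claimed by more than one MAC, and one MAC claiming several IPs) to a handful of frames. The frames, addresses and the gateway table are constructed for the example; the detector works on raw bytes, so the same functions could be fed frames from a packet capture.

```python
import struct
from collections import defaultdict

# Ethernet II header (dst MAC, src MAC, EtherType) followed by an IPv4-over-Ethernet ARP body (RFC 826).
ETH_HDR = struct.Struct("!6s6sH")
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet frame carrying an ARP request or reply.
    A spoofer sends unsolicited replies claiming that sender_ip lives at sender_mac."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if this is not IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)

def detect_arp_spoofing(frames, known=None):
    """Run the two checks over a stream of frames and return a list of alerts.
    known: optional static table {ip: mac} (e.g. the gateway) treated as ground truth."""
    ip_to_mac = dict(known or {})          # first binding seen wins, like a real ARP cache
    mac_to_ips = defaultdict(set)
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:   # only replies create IP->MAC bindings
            continue
        _, sha, spa, _, _ = parsed
        previous = ip_to_mac.setdefault(spa, sha)
        if previous != sha:
            alerts.append(("ip-conflict", spa, sha, previous))
        mac_to_ips[sha].add(spa)
    # One MAC answering for several IPs (typically gateway plus victim) is the signature of
    # bidirectional poisoning. Multi-homed hosts can trigger it too, so treat it as a lead.
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(("multi-ip", mac, sorted(ips)))
    return alerts

# Constructed sample traffic (not a real capture): gateway, victim and attacker on 192.168.1.0/24.
GATEWAY_MAC, VICTIM_MAC, ATTACKER_MAC = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),  # who has the gateway?
    build_arp(ARP_REPLY, VICTIM_MAC, "192.168.1.10", GATEWAY_MAC, "192.168.1.1"),           # legitimate reply
    build_arp(ARP_REPLY, ATTACKER_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.10"),          # "I am the gateway"
    build_arp(ARP_REPLY, ATTACKER_MAC, "192.168.1.10", GATEWAY_MAC, "192.168.1.1"),         # "I am the victim"
]

def run_demo():
    return detect_arp_spoofing(SAMPLE_FRAMES, known={"192.168.1.1": GATEWAY_MAC})

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The detector deliberately trusts the first binding it sees; a real deployment would seed `known` from DHCP leases or a switch's MAC table so that the attacker cannot win simply by replying first.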

Evil Twin Wi-Fi Networks

Public Wi-Fi makes interception especially easy. In an evil twin attack, an attacker sets up a fake wireless access point that mimics a legitimate one, using the same or nearly identical network name. An open network has nothing that proves which access point legitimately owns a name, so a device that remembers a network such as an airport’s free Wi-Fi will rejoin any access point advertising that name; if the fake one has the stronger signal, your device may pick it automatically.

Once you’re connected, all your internet traffic flows through the attacker’s hardware. They can see which sites you visit (even when the pages themselves are encrypted, DNS lookups and server names are usually visible), capture login credentials sent over unencrypted connections, and inject content into pages you load over plain HTTP. Airports, hotels, and shopping centers are common targets because people expect open Wi-Fi and connect without much thought.

SSL Stripping

Even when a website supports encryption (HTTPS), an attacker who’s already positioned between you and the site can prevent that encryption from ever starting. This technique is called SSL stripping. It exploits the fact that many visits begin with a plain HTTP request (an address typed without a scheme, an old http:// link) that the site answers with a redirect to HTTPS. The attacker relays that first request to the real site over HTTPS, but rewrites the response on the way back: the redirect and every https:// link in the page are changed to http://, so your browser never attempts the upgrade. Your side of the connection stays on plain HTTP while the attacker maintains their own encrypted HTTPS connection to the real website.

The result: the attacker reads everything you send, including passwords, credit card numbers, and personal messages, because your data never gets encrypted. Meanwhile, the real website thinks it’s having a normal secure conversation. You might not notice anything unusual unless you check the address bar and see “http” instead of “https” (modern browsers also label such pages “Not secure,” but the warning is easy to overlook).

BGP Hijacking at the Internet Level

Man-in-the-middle attacks can also happen at a massive scale. The internet routes traffic between networks using a system called the Border Gateway Protocol (BGP). Each network announces which blocks of IP addresses it can reach, and neighboring networks trust those announcements to build their routing maps. The problem is that BGP has no built-in way to verify whether an announcement is legitimate.

An attacker, or even a misconfigured router, can broadcast false routing information claiming to own a block of IP addresses that actually belongs to someone else. Traffic destined for those addresses gets rerouted through the attacker’s network. In November 2018, Google services were disrupted for about an hour after a bad route announcement from a Nigerian ISP (which the ISP attributed to a configuration error during a network upgrade) sent Google-bound traffic through networks in China and Russia. Whether the cause is malice or mistake, these incidents can affect millions of users at once.

Session Hijacking

Not all interception targets the raw data stream. Session hijacking goes after the token your browser uses to prove you’re logged in. When you sign into a website, the server issues a session token (stored as a cookie) that acts like a temporary ID badge. If an attacker captures that token, they can present it to the server and gain full access to your account without needing your password.

Attackers steal session tokens through several methods: sniffing unencrypted network traffic, injecting malicious scripts into vulnerable web pages, or using a man-in-the-middle position to pluck the cookie as it passes by. The OWASP Foundation identifies this as one of the most common web application attacks, and it’s particularly dangerous because the victim often has no indication their session has been taken over.
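As an added example (not from the original article), here is a small Python audit that inspects Set-Cookie headers for cookies that look like session tokens and reports which standard protections are missing. The findings map onto the theft methods just listed: without the Secure flag the token crosses unencrypted connections where it can be sniffed or stripped, and without HttpOnly an injected script can read it with document.cookie. The response headers are constructed for the example, and the name-based heuristic for spotting session cookies is an assumption of this example, not a standard.

```python
# Constructed sample response headers (not from a real site).
SAMPLE_HEADERS = [
    ("Set-Cookie", "SESSIONID=9f3c2a1b7e; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "PHPSESSID=4e5d6c7b8a; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000"),
    ("Content-Type", "text/html; charset=utf-8"),
]

# Heuristic (an assumption of this example): cookie names containing these fragments
# are treated as session or authentication tokens.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")

def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, {attribute-name-lowercased: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flag attributes (Secure, HttpOnly) get ""
    return name, attrs

def audit_session_cookies(headers):
    """Return {cookie_name: [problems]} for every cookie that looks like a session token.
    Each problem is a theft route: no Secure means the token rides over plain HTTP
    (sniffable, and exposed by SSL stripping); no HttpOnly means an injected script can
    read it; no SameSite=Lax/Strict means it is attached to cross-site requests."""
    findings = {}
    for header_name, value in headers:
        if header_name.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
            continue
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            problems.append("SameSite not Lax/Strict")
        findings[name] = problems
    return findings

if __name__ == "__main__":
    for name, problems in audit_session_cookies(SAMPLE_HEADERS).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run against a real response (for example the header list returned by a request to your own application), the empty list for SESSIONID is what a correctly protected session cookie looks like; the PHPSESSID entry shows a cookie that every theft method in the paragraph above would work against.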

Bluetooth Interception

Wireless communication through Bluetooth is also vulnerable. Bluesnarfing exploits weaknesses in Bluetooth’s data exchange protocol to access a device and extract sensitive information like contacts, emails, photos, and saved passwords. It requires Bluetooth to be turned on, is far easier when the device is set to discoverable mode, and the attacker needs to be physically close, typically within about 30 feet (10 meters) for ordinary Class 2 devices. Attackers often target high-traffic locations like malls and airports.

Research estimates that around 80% of Bluetooth Low Energy devices are susceptible to some form of MitM attack, making this a significant vulnerability for wearables, smart home devices, and wireless accessories.

How Common These Attacks Are

MitM attacks are not theoretical. Phishing campaigns that use man-in-the-middle techniques to intercept login credentials increased 35% in volume between early 2022 and early 2023, according to threat intelligence from Cofense. Of those credential-stealing campaigns, 94% targeted Microsoft 365 authentication specifically. About 5% of public Wi-Fi networks have been found to have an active MitM attack in progress at any given time. In 2019, 11% of companies reported being directly affected by a MitM attack.

How Interception Is Prevented

The single most important defense against communication interception is encryption that can’t be stripped away. HTTPS protects data between your browser and a website, but only if the connection actually uses it. A security feature called HTTP Strict Transport Security (HSTS) closes the SSL stripping hole: the site sends a Strict-Transport-Security header with a lifetime (max-age), and for that period the browser rewrites any http:// address for the site to https:// before a request is sent, so there is no unencrypted first request for an attacker to intercept. The browser only honors the header when it arrives on an HTTPS response (one delivered over plain HTTP could have been injected by the very attacker it is meant to stop), and while the policy is in force it refuses to load the site if the encryption certificate looks wrong. The browser won’t even give you the option to click through a certificate warning. The limitation is that the browser has to have seen the header once, so the very first visit to a site is still exposed.
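The SSL stripping attack described earlier and the HSTS behaviour that defeats it fit together in one short model. The following is an added example, not code from the original article and not any proxy’s or browser’s code: the first function does what an SSL-stripping proxy does to a relayed server response, and the HSTSStore class models the slice of RFC 6797 browser behaviour that matters here (honor the header only over HTTPS, remember it for max-age, apply includeSubDomains, rewrite http:// to https:// before any request leaves, never expire preloaded entries). The hosts shop.example and bank.example, the assumption that bank.example is preloaded, and the timestamps are made up for the demo.

```python
import re
from urllib.parse import urlsplit, urlunsplit

def strip_https(headers, body):
    """Model of what an SSL-stripping proxy does to a relayed server response:
    downgrade the HTTPS redirect and every https:// link so the victim's next
    request stays on HTTP, and drop the HSTS header so the victim never learns the policy."""
    out = {}
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            continue
        if name.lower() == "location":
            value = re.sub(r"^https://", "http://", value, flags=re.I)
        out[name] = value
    return out, body.replace("https://", "http://")

class HSTSStore:
    """Minimal model of a browser's HSTS cache (RFC 6797 semantics, no persistence)."""

    def __init__(self, preload=()):
        # host -> (expires_at, include_subdomains). Preloaded hosts never expire and,
        # as the real preload list requires, cover their subdomains.
        self.policies = {h: (float("inf"), True) for h in preload}

    def observe(self, url, headers, now):
        """Record the STS policy carried by a response. Returns True if a policy was applied."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False                   # RFC 6797: the header on a plain-HTTP response is ignored
        sts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
        if sts is None:
            return False
        max_age, include_sub = None, False
        for directive in sts.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age":
                max_age = int(val.strip().strip('"'))
            elif key.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False                   # max-age is mandatory
        if max_age == 0:
            self.policies.pop(parts.hostname, None)   # max-age=0 tells the browser to forget the host
        else:
            self.policies[parts.hostname] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def upgrade(self, url, now):
        """Rewrite http:// to https:// for known hosts before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url

def run_demo(now=1_700_000_000):
    store = HSTSStore(preload=["bank.example"])      # assumed preloaded domain
    server = {"Location": "https://shop.example/login",
              "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    stripped, _ = strip_https(server, "")
    results = {}
    # 1. First visit over http: no policy yet, so the stripped redirect is followed as-is.
    results["first_visit"] = store.upgrade(stripped["Location"], now)
    # 2. The header seen on a plain-HTTP response changes nothing.
    results["http_header_ignored"] = not store.observe("http://shop.example/", server, now)
    # 3. Later the site is reached over https (a bookmark, say) and the policy is recorded.
    store.observe("https://shop.example/", server, now)
    # 4. The same stripped link is now upgraded before any request leaves the browser.
    results["after_policy"] = store.upgrade(stripped["Location"], now)
    results["subdomain"] = store.upgrade("http://cdn.shop.example/a.js", now)
    # 5. Policies expire after max-age; preloaded entries never do.
    results["expired"] = store.upgrade("http://shop.example/", now + 31536001)
    results["preloaded"] = store.upgrade("http://api.bank.example/", now + 10**9)
    return results

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:20} {value}")
```

Step 1 is the window the attack lives in: the stripped link is followed because the browser has never heard of the site. Everything after step 3 shows why a long max-age, includeSubDomains, and preloading matter: the upgrade happens inside the browser, so the stripping proxy never sees a plaintext request to rewrite.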

Major browsers also maintain a preload list of websites that should always use HTTPS, so even your very first visit is protected. Session cookies deserve the same care: a server that marks them Secure (never sent over plain HTTP) and HttpOnly (unreadable by scripts running in the page) removes the two easiest ways to steal them. On your end, using a VPN encrypts all traffic leaving your device, which hides its contents from ARP spoofing and evil twin attacks on the local network; the attacker can still see that you are talking to a VPN server, and can drop the traffic, but can no longer read or alter it. Keeping Bluetooth in non-discoverable mode when you’re not actively pairing a device blocks casual bluesnarfing. And for the BGP problem, the internet industry is gradually adopting a system called Resource Public Key Infrastructure (RPKI), which lets networks cryptographically verify that the network originating a routing announcement is authorized by the legitimate holder of those IP addresses. It checks only the origin, not the rest of the path, and it helps only when networks actually drop announcements that fail the check, so it stops false claims of ownership but not route leaks in which the origin is correct and only the path is wrong.
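The origin check that RPKI enables is simple enough to show in full. The following is an added example, not from the original article and not any router vendor’s code: it implements Route Origin Validation as specified in RFC 6811 against a table of Route Origin Authorizations (ROAs). An announcement is valid when some ROA covers the prefix, names the announcing origin AS, and permits a prefix that specific; invalid when one or more ROAs cover the prefix but none matches; and not-found when no ROA covers it at all. The ROA table and announcements are constructed for the demo, using documentation prefixes and private-use AS numbers.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: the holder of `prefix` permits `origin_asn` to announce
    it, and any more-specific prefix no longer than /max_length."""
    prefix: str
    max_length: int
    origin_asn: int

def validate_origin(announced_prefix, origin_asn, roas):
    """RFC 6811 Route Origin Validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True                     # at least one ROA speaks for this address space
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def apply_rov_policy(announcements, roas):
    """Typical router policy: drop 'invalid', accept 'valid' and 'not-found'. Much of the
    internet still has no ROA, so dropping not-found would blackhole legitimate routes."""
    decisions = []
    for prefix, origin_asn in announcements:
        state = validate_origin(prefix, origin_asn, roas)
        decisions.append((prefix, origin_asn, state, state != "invalid"))
    return decisions

# Constructed ROA table and announcements (documentation prefixes, private-use ASNs).
SAMPLE_ROAS = [
    ROA("203.0.113.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
]
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),   # the legitimate holder
    ("203.0.113.0/24", 64511),   # classic hijack: another AS claims the whole block
    ("203.0.113.0/25", 64496),   # more specific than maxLength: invalid even from the right AS
    ("198.51.100.0/24", 64511),  # no ROA at all: RPKI has nothing to say
    ("2001:db8:1::/48", 64496),  # IPv6 more-specific within maxLength
]

def run_demo():
    return apply_rov_policy(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS)

if __name__ == "__main__":
    for prefix, asn, state, accepted in run_demo():
        print(f"{prefix:20} AS{asn}  {state:10} {'accept' if accepted else 'DROP'}")
```

The third announcement is the one worth studying: a more-specific prefix wins in BGP even when the origin AS is right, which is why the maxLength in a ROA should be kept as tight as the holder’s real announcements allow. The fourth shows the limit of the technique: with no ROA, validation cannot distinguish the holder from a hijacker.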