Man-in-the-Middle (MITM) attack – Cyber secure series

In our new series of blog posts, we’ll be looking at how you can become more cyber-secure against common cyber-attack methods. We’re starting off with man-in-the-middle attacks, which can be a frightening ordeal for those involved. Let us walk you through what they are and how they work.

What is a man-in-the-middle attack?

A man-in-the-middle (MITM) attack is one in which an attacker secretly relays and/or alters the communication between two parties, such as an employee and their Microsoft 365 account, giving the attacker easy access to the software or account involved.

It’s a technical term that is also referred to as digital eavesdropping. If you wanted to listen in on a conversation, you’d become the “man-in-the-middle” and you’d have the power to alter communications in a malicious way. That’s what an MITM attack is. It’s easy to see how quickly this could spiral out of control and damage individual or business communications.

A real-life example of a man-in-the-middle attack

MITM attacks aren’t just a warning; they’re real. In one case, a victim received an email purporting to contain a SharePoint file-sharing link. Unfortunately, the email wasn’t from a legitimate source and had been designed for phishing. Had they paused before clicking, a closer inspection of the contents would have shown that it linked to a fake URL, which should have raised suspicions. As in 90% of cases, the victim clicked the link, entered their credentials and MFA code, and logged in to their SharePoint account.

In the process, the email sender was able to steal the victim’s information, enabling them to access the SharePoint account. Almost instantly, the attacker could view company files and data, causing a cybersecurity breach. What’s more, if left undetected, an attack like this could continue for days, weeks or even months, with the attacker harvesting company data for their own gain.

How man-in-the-middle attacks work

When a victim clicks the link in a phishing email, the content that loads in their browser is the real SharePoint login page, and simply seeing it would put most people’s minds at ease. Unfortunately for the victim, their network traffic is being channelled through a “proxy server” controlled by the attacker. This allows the cybercriminal to perform the man-in-the-middle attack and steal the session data from the employee’s successful login to SharePoint.

Once this data is obtained, the cybercriminal can piggyback on the victim’s session and access everything in SharePoint that the victim can. The cybercriminal doesn’t even need the login credentials or the MFA code themselves, which shows that MFA cannot be relied upon as the main line of defence against phishing. Until the attack is detected, they have free access to confidential files.
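Because the traffic is relayed through the attacker’s proxy, the host the browser actually connects to is not the genuine SharePoint host, which is exactly the detail the “closer inspection” mentioned above would have revealed. The following is an added example, not code from this post or from ramsac, showing how a defender might screen links in an email body against an allowlist of legitimate sign-in hosts. The allowlist, the regular expression and the sample email are all assumptions constructed for the demonstration; it also handles two lookalike tricks a naive substring check gets wrong (a trusted domain used as a prefix, and a `user@` prefix in the URL).

```python
import re
from urllib.parse import urlparse

# Constructed allowlist (an assumption for this example): the hosts an
# organisation's users legitimately sign in to for SharePoint / Microsoft 365.
# Adapt it to the tenant you actually protect.
TRUSTED_SUFFIXES = ("sharepoint.com", "microsoftonline.com", "office.com")

# Crude URL extractor for an email body; sufficient for a demonstration.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_trusted_host(host):
    """True only if host *is* a trusted domain or a subdomain of one.

    A plain substring test would accept 'sharepoint.com.evil.example' and
    'contoso-sharepoint.com'; requiring a leading dot does not.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify_link(url):
    """Return 'trusted', 'untrusted' or 'invalid' for a single link."""
    try:
        parts = urlparse(url)
    except ValueError:
        return "invalid"
    # urlparse(...).hostname strips any 'user@' prefix, so a link such as
    # https://contoso.sharepoint.com@evil.example/ resolves to evil.example.
    host = parts.hostname
    if parts.scheme != "https" or not host:
        # No host, or a non-TLS scheme that anything in the path could read.
        return "untrusted"
    return "trusted" if is_trusted_host(host) else "untrusted"


def flag_links_in_email(body):
    """Return [(url, verdict)] for every link found in an email body."""
    return [(u, classify_link(u)) for u in URL_RE.findall(body)]


# Constructed sample email body (not a real phishing message).
SAMPLE_EMAIL = """Hi,
Please review the Q2 figures here:
https://contoso.sharepoint.com.login-verify.example/sites/finance
You can also sign in at https://login.microsoftonline.com/ as usual.
"""

if __name__ == "__main__":
    for url, verdict in flag_links_in_email(SAMPLE_EMAIL):
        print(f"{verdict:9s} {url}")
```

The first link in the sample is flagged as untrusted even though it starts with the genuine SharePoint domain, because the real registrable domain is the last part of the hostname, not the first; that is the check a reader in a hurry tends to skip.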

How can you prevent an MITM attack?

While there’s no way to stop someone from attempting a man-in-the-middle attack, there are some steps you can take to reduce the impact it has on your business.

  1. Set up multi-factor authentication. While this isn’t foolproof and, as we’ve seen, cannot be the main line of defence, it can provide a stopgap between you logging in and realising that something might be wrong.
  2. Avoid public WiFi networks on work devices, or on any device you may use to connect to work systems. On a public network you can’t be sure you’re connecting to a legitimate WiFi access point, and you don’t know who else is connected to it.
  3. Use a VPN when working outside the office. If your staff are on the go, providing them with a VPN will help to secure their connection, as it encrypts their traffic in transit.

How secure+ protects your organisation

A cybersecurity monitoring service could be the best option for you, allowing you to stay in control when an attack occurs. At ramsac, our secure+ provides you with peace of mind thanks to our 24/7 response notifications and alerts. With secure+, we are either able to act immediately or automate certain restrictions to prevent an attack like an MITM attack from causing any further damage.

In the MITM attack example above, the criminal has stolen the victim’s SharePoint session details and used them to access the site. Because they connect from a different device and location, they show up as connecting from a different IP address. secure+ detects that the user is logged in from two different IP addresses at the same time, which is very unlikely to be legitimate. A high-severity alert is generated for our Cybersecurity Team, who immediately investigate and determine the connection to be malicious. We lock out the account and clear the session data, stopping the breach in its tracks.

secure+ can intelligently assess and classify login activity that could be suspicious or malicious. For example, this could be logins from abroad, from an IP not typically used by employees, or impossible travel where an employee is logged in from two geographically separate locations at the same time. Response to these events can be a manual investigation by our Cybersecurity Team, or immediate automated lockouts as required.
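The two signals described in the last two paragraphs, a user active from two different IP addresses at the same time and “impossible travel” between two geographically separate locations, can be expressed as simple rules over sign-in records. The following is an added example written for this post, not ramsac’s secure+ code or any product’s detection logic. It assumes sign-in records that already carry a geolocation for each IP (as an IP-to-location lookup would supply); the records, the 30-minute window and the 900 km/h speed threshold are constructed assumptions, and the scenario for the user “alice” mirrors the stolen-session case above.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in records (not real logs). The IPs come from
# documentation ranges; lat/lon is the location an IP lookup would attach.
# Alice's second record is the stolen-session scenario described above;
# Bob's two records are a normal day in the office.
SIGN_INS = [
    {"user": "alice", "ts": "2024-05-01T09:00:00", "ip": "203.0.113.10", "lat": 51.24, "lon": -0.57},
    {"user": "alice", "ts": "2024-05-01T09:04:00", "ip": "198.51.100.77", "lat": 52.52, "lon": 13.40},
    {"user": "bob", "ts": "2024-05-01T08:30:00", "ip": "203.0.113.10", "lat": 51.24, "lon": -0.57},
    {"user": "bob", "ts": "2024-05-01T17:45:00", "ip": "203.0.113.11", "lat": 51.24, "lon": -0.57},
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _pairs_by_user(events):
    """Yield (earlier, later) pairs of sign-ins belonging to the same user."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for evs in by_user.values():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                yield a, b


def _gap(a, b):
    return datetime.fromisoformat(b["ts"]) - datetime.fromisoformat(a["ts"])


def find_concurrent_ip_logins(events, window=timedelta(minutes=30)):
    """Flag a user signed in from two different IPs within one time window."""
    alerts = []
    for a, b in _pairs_by_user(events):
        if a["ip"] != b["ip"] and _gap(a, b) <= window:
            alerts.append({"rule": "concurrent-ip", "user": a["user"],
                           "ips": (a["ip"], b["ip"])})
    return alerts


def find_impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive sign-ins whose implied speed exceeds an airliner's."""
    alerts = []
    for a, b in _pairs_by_user(events):
        hours = _gap(a, b).total_seconds() / 3600
        km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
        # A non-zero distance with no time gap is impossible by definition.
        if km > 0 and (hours == 0 or km / hours > max_speed_kmh):
            alerts.append({"rule": "impossible-travel", "user": a["user"],
                           "km": round(km), "hours": round(hours, 2)})
    return alerts


def severity(alerts):
    """Escalate to high when more than one rule fires for the same user."""
    rules_by_user = {}
    for al in alerts:
        rules_by_user.setdefault(al["user"], set()).add(al["rule"])
    return {u: ("high" if len(r) > 1 else "medium") for u, r in rules_by_user.items()}


if __name__ == "__main__":
    found = find_concurrent_ip_logins(SIGN_INS) + find_impossible_travel(SIGN_INS)
    for al in found:
        print(al)
    print(severity(found))
```

On the sample data both rules fire for “alice” (two IPs four minutes apart, roughly 970 km between them), so she is rated high; “bob” changes IP during the day but nine hours apart and from the same place, so he is not flagged at all. In practice the speed threshold and window need tuning against the organisation’s own VPN and mobile usage, or they generate noise.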

See how secure+ would benefit your business

We’re here to help, so get in touch with us, and we can advise on how secure+ would work for you.
