Man-in-the-Middle (MITM) attack – Cyber secure series

In our new series of blog posts, we’ll be looking at how you can become more cyber-secure against common cyber-attack methods. We’re starting off with man-in-the-middle attacks, which can be a frightening ordeal for those involved. Let us walk you through what they are and how they work.

What is a man-in-the-middle attack?

A man-in-the-middle (MITM) attack is where an attacker secretly relays and/or alters the communication between two parties, such as an employee and their Microsoft 365 account, enabling the attacker to gain access to a software/account very easily.

It’s a technical term that is also referred to as digital eavesdropping. If you wanted to listen in on a conversation, you’d become the “man-in-the-middle” and you’d have the power to alter communications in a malicious way. That’s what an MITM attack is. It’s easy to see how quickly this could spiral out of control and damage individual or business communications.

A real-life example of a man-in-the-middle attack

MITM attacks aren’t just a warning, they’re real. In one circumstance, a victim received an email purporting to be a SharePoint file-sharing link. Unfortunately, the email wasn’t from a viable source and had been designed for phishing scams. If they’d taken a moment before clicking, a closer inspection of the contents would have shown that it linked to a fake URL, raising suspicions for the recipient. Similar to 90% of cases, the victim clicked the link, entered their credentials and MFA code, and logged in to their SharePoint account.

In the process, the email sender was able to steal the victim’s information, enabling them to access their SharePoint account. Almost instantly, the attacker could view company files and data, causing a cybersecurity breach. What’s more, if left undetected, this attack could continue on for days, weeks and even months, continuing to harvest company data for their own gains.

How man-in-the-middle attacks work

When a victim clicks the link from a phishing email, the content that loads in their browser shows the real SharePoint login page. Simply seeing this would immediately put someone’s mind at ease. Unfortunately for the victim, their network traffic is channelled through something called a “proxy server”. This allows the cybercriminal to perform a “Man-in-the-Middle” attack to steal the session data from the successful login to SharePoint made by the employee.

Once the data is obtained, the cybercriminal can piggyback on the victim’s session and access everything in SharePoint that the victim can. The cybercriminal doesn’t even need to get hold of the login credentials or the MFA code, which goes to show that MFA cannot be relied upon as the main line of defence from phishing attacks. Until the attack is detected, they have free access to confidential files.

How can you prevent an MITM attack?

While there’s no way to stop someone from attempting a man-in-the-middle attack, there are some steps you can take to reduce the impact it has on your business.

  1. Set up multi-factor authentication. While this isn’t foolproof and, as we’ve seen, cannot be the main line of defence, it can provide a stopgap between you logging in and realising that something might be wrong.
  2. Avoid public WiFi networks on work devices, or those where you may connect your work device. With public networks, you don’t know that you’re connecting to a legitimate WiFi and you also don’t know who else is also connected.
  3. Use a VPN when working outside the office. If your staff are on the go, providing them with a VPN to use will help to secure your network, as it will encrypt the data in use.

How secure+ protects your organisation 

A cybersecurity monitoring service could be the best option for you, allowing you to stay in control when an attack occurs. At ramsac, our secure+ provides you with peace of mind thanks to our 24/7 response notifications and alerts. With secure+, we are either able to act immediately or automate certain restrictions to prevent an attack like an MITM attack from causing any further damage.

As shown in the MITM attack example, the criminal has stolen the victim’s SharePoint session details and been able to access the site, they have connected from a different device/location, and as such they show as connecting from a different IP address.  secure+ detects that the user is logged in from two different IP addresses at the same time, which is very unlikely to be legitimate. A high severity alert is generated for our Cybersecurity Team, who immediately investigate and determine the connection to be malicious. We lock out the account and clear session data, stopping the breach in its tracks. 

secure+ can intelligently assess and classify login activity that could be suspicious or malicious. For example, this could be logins from abroad, from an IP not typically used by employees, or impossible travel where an employee is logged in from two geographically separate locations at the same time. Response to these events can be a manual investigation by our Cybersecurity Team, or immediate automated lockouts as required.

See how secure+ would benefit your business

We’re here to help, so get in touch with us, and we can advise on how secure+ would work for you.

Related Posts

  • Inherent risk vs residual risk: What’s the difference?

    Inherent risk vs residual risk: What’s the difference?


    Inherent risk and residual risk are key elements of any effective risk management process designed to strengthen cybersecurity defences and protect your company’s data. Read on. [...]

    Read article

  • What is cybersecurity monitoring? How important is it in 2024?

    What is cybersecurity monitoring? How important is it in 2024?


    Cybersecurity monitoring is the continuous surveillance of digital systems to detect and respond to security threats and data breaches in real-time. Discover how cybersecurity monitoring software can protect your [...]

    Read article

  • Examples of sensitive data in your organisation

    Examples of sensitive data in your organisation


    Any confidential information that’s stored, processed, or managed by an organisation or individual is classified as sensitive data. Read our sensitive data examples today. [...]

    Read article

  • How to set up a secure password policy in Microsoft 365

    How to set up a secure password policy in Microsoft 365


    Discover the essentials of a robust password policy for cybersecurity in Microsoft 365. Learn what to include and what to avoid. Read the blog today. [...]

    Read article

  • A guide to sensitivity labels and how to apply them

    A guide to sensitivity labels and how to apply them


    Sensitivity labels allow you to manage, organise, and protect sensitive emails, files, and documents as part of the Microsoft 365 suite. Read on. [...]

    Read article

  • MFA vs 2FA: What’s the Difference?

    MFA vs 2FA: What’s the Difference?


    Features like user facial recognition that are difficult to replicate means multi-factor authentication offers more cybersecurity layers than two-factor authentication. Find out more. [...]

    Read article

Quiz yourself

Are you more cyber savvy than an 11 year old?

11-14 year olds get asked these questions in school. Could you get these right?