Man-in-the-Middle (MITM) attack – Cyber secure series

In our new series of blog posts, we’ll be looking at how you can become more cyber-secure against common cyber-attack methods. We’re starting off with man-in-the-middle attacks, which can be a frightening ordeal for those involved. Let us walk you through what they are and how they work.

What is a man-in-the-middle attack?

A man-in-the-middle (MITM) attack is one in which an attacker secretly relays, and possibly alters, the communication between two parties, such as an employee and their Microsoft 365 account. Because the attacker sits in that communication path, they can gain access to the application or account with very little effort.

The same technique is also referred to as digital eavesdropping. If you wanted to listen in on a conversation, you’d become the “man in the middle”, and you’d have the power to alter the communications in a malicious way. That’s what an MITM attack is. It’s easy to see how quickly this could spiral out of control and damage individual or business communications.

A real-life example of a man-in-the-middle attack

MITM attacks aren’t just a warning, they’re real. In one case, a victim received an email purporting to be a SharePoint file-sharing link. Unfortunately, the email wasn’t from a legitimate source and had been designed as a phishing lure. If they’d taken a moment before clicking, a closer inspection of the contents would have shown that it linked to a fake URL, which should have raised the recipient’s suspicions. As in 90% of cases, the victim clicked the link, entered their credentials and MFA code, and logged in to their SharePoint account.

In the process, the email sender was able to steal the victim’s information, enabling them to access the victim’s SharePoint account. Almost instantly, the attacker could view company files and data, causing a cybersecurity breach. What’s more, if left undetected, this attack could continue for days, weeks or even months, with the attacker harvesting company data for their own gain.

How man-in-the-middle attacks work

When a victim clicks the link in a phishing email, the page that loads in their browser is the real SharePoint login page, relayed by the attacker. Simply seeing this would immediately put someone’s mind at ease. Unfortunately for the victim, their network traffic is channelled through something called a “proxy server”. This allows the cybercriminal to perform a “man-in-the-middle” attack and capture the session data issued after the employee’s successful login to SharePoint.

Once the session data is obtained, the cybercriminal can piggyback on the victim’s session and access everything in SharePoint that the victim can. The cybercriminal doesn’t even need to hold the login credentials or the MFA code, which goes to show that MFA cannot be relied upon as the main line of defence against phishing attacks. Until the attack is detected, they have free access to confidential files.

How can you prevent an MITM attack?

While there’s no way to stop someone from attempting a man-in-the-middle attack, there are some steps you can take to reduce the impact it has on your business.

  1. Set up multi-factor authentication. While this isn’t foolproof and, as we’ve seen, cannot be the main line of defence, it can provide a stopgap between you logging in and realising that something might be wrong.
  2. Avoid public WiFi networks on work devices, and on any device you might connect your work device through. On a public network you cannot be sure that you are joining a legitimate WiFi network, and you don’t know who else is connected to it.
  3. Use a VPN when working outside the office. If your staff are on the go, providing them with a VPN will help to secure your network, as it encrypts the data in transit.

How secure+ protects your organisation 

A cybersecurity monitoring service could be the best option for you, allowing you to stay in control when an attack occurs. At ramsac, our secure+ provides you with peace of mind thanks to our 24/7 response notifications and alerts. With secure+, we are either able to act immediately or automate certain restrictions to prevent an attack like an MITM attack from causing any further damage.

In the MITM attack example above, the criminal has stolen the victim’s SharePoint session details and used them to access the site. They have connected from a different device and location, and so they appear as a different IP address. secure+ detects that the user is logged in from two different IP addresses at the same time, which is very unlikely to be legitimate. A high severity alert is generated for our Cybersecurity Team, who immediately investigate and determine the connection to be malicious. We lock out the account and clear the session data, stopping the breach in its tracks.

secure+ can intelligently assess and classify login activity that could be suspicious or malicious. For example, this could be logins from abroad, logins from an IP address not typically used by employees, or impossible travel, where an employee appears to be logged in from two geographically separate locations at the same time. The response to these events can be a manual investigation by our Cybersecurity Team, or an immediate automated lockout, as required.
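To make the two detections described above concrete, here is an added example (not secure+ code, and not Microsoft 365 output) that runs the same two checks over a handful of constructed sign-in records: the same account active from two different IP addresses within one session window, and impossible travel, where the distance between two sign-in locations could not have been covered in the time between them. The log format, the small IP-to-location table standing in for a GeoIP lookup, and the thresholds (a one-hour session window, 900 km/h as the fastest plausible travel speed) are all assumptions for this example.

```python
"""Flag sign-in anomalies: concurrent sessions from different IPs, and
impossible travel. All inputs below are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt


@dataclass
class SignIn:
    user: str
    ip: str
    when: datetime
    lat: float
    lon: float


# Constructed IP-to-coordinate table standing in for a GeoIP lookup (hypothetical).
GEO = {
    "203.0.113.10": (51.24, -0.57),   # office, Guildford, UK
    "198.51.100.7": (51.26, -0.55),   # home broadband a few km from the office
    "192.0.2.44": (40.71, -74.01),    # New York
}

# Constructed sample sign-in log: "timestamp,user,ip" (not a real product format).
SAMPLE_LOG = """\
2024-03-04T09:00:00,alice@example.com,203.0.113.10
2024-03-04T09:05:00,alice@example.com,192.0.2.44
2024-03-04T09:10:00,bob@example.com,203.0.113.10
2024-03-04T18:30:00,bob@example.com,198.51.100.7
2024-03-04T10:00:00,carol@example.com,203.0.113.10
2024-03-04T10:20:00,carol@example.com,198.51.100.7
"""


def parse_log(text):
    """Turn the CSV-style sample lines into SignIn records with coordinates."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split(",")
        lat, lon = GEO[ip]
        events.append(SignIn(user, ip, datetime.fromisoformat(ts), lat, lon))
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(h))


def find_anomalies(events, session_window=timedelta(hours=1), max_speed_kmh=900.0):
    """Return (kind, user, ip_a, ip_b) tuples for every suspicious pair of sign-ins.

    impossible_travel:   the two locations would require travelling faster than
                         max_speed_kmh in the time between the sign-ins.
    concurrent_sessions: different IPs within session_window, i.e. the account
                         appears to be in use from two places at once.
    """
    by_user = {}
    for e in sorted(events, key=lambda e: e.when):
        by_user.setdefault(e.user, []).append(e)

    anomalies = []
    for user, evs in by_user.items():
        for i in range(len(evs)):
            for j in range(i + 1, len(evs)):
                a, b = evs[i], evs[j]
                if a.ip == b.ip:
                    continue  # same network; nothing to compare
                gap = b.when - a.when
                dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
                hours = gap.total_seconds() / 3600
                if hours > 0:
                    speed = dist / hours
                else:
                    speed = float("inf") if dist > 0 else 0.0
                if speed > max_speed_kmh:
                    anomalies.append(("impossible_travel", user, a.ip, b.ip))
                elif gap <= session_window:
                    anomalies.append(("concurrent_sessions", user, a.ip, b.ip))
    return anomalies


if __name__ == "__main__":
    for kind, user, ip_a, ip_b in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{kind}: {user} seen from {ip_a} and {ip_b}")
```

On the sample data, alice is flagged for impossible travel (Guildford to New York in five minutes) and carol for concurrent sessions from two nearby addresses within the hour, while bob's morning office login and evening home login raise nothing. In a real deployment the thresholds would be tuned against each organisation's normal working patterns, which is the judgement a monitoring team applies before locking an account.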

See how secure+ would benefit your business

We’re here to help, so get in touch with us, and we can advise on how secure+ would work for you.
