A 2024-2025 telecom espionage campaign, attributed to the state-affiliated actor Salt Typhoon, leveraged subtle anomalies across various network layers – like unexpected latency combined with minor DNS resolution inconsistencies or slight increases in ARP traffic – to conduct sophisticated Man-in-the-Middle (MITM) attacks. This guide arms IT and security teams with the specifics to detect T1557 (Adversary-in-the-Middle) attacks, outlining the full attack chain, granular warning signs, a practical response playbook, and crucial preventative controls to harden your infrastructure against these deceptive threats in 2026.

How Man-in-the-Middle Attack Works: The Attack Chain

A Man-in-the-Middle (MITM) attack inserts an adversary directly into a communication path, allowing them to intercept, read, and potentially alter data without either legitimate party knowing. This works like a rogue postal worker who silently opens all your mail, reads it, maybe changes a few words, and then reseals it before it reaches the recipient. This sophisticated method aligns with MITRE ATT&CK technique T1557 (Adversary-in-the-Middle), a tactic often preceding credential theft or data exfiltration.

1. Interception: Positioning for the Sniff

Attackers first position themselves between two communicating parties. On a local network, they often use ARP Spoofing by sending forged ARP messages, linking their device's MAC address to a legitimate IP address. Tools like Ettercap are commonly used here. This redirects traffic through the attacker's system. Another method, DNS Spoofing, involves poisoning a DNS cache to resolve legitimate domains to fraudulent IP addresses, making victims connect to the attacker's server instead of the real one. Wi-Fi eavesdropping via rogue access points or evil twin attacks also creates an interception point by tricking users into connecting to attacker-controlled networks. IP Spoofing, altering packet headers to impersonate trusted hosts, can also contribute.

2. Decryption and Manipulation: Eavesdropping and Altering

Once traffic flows through the attacker, especially encrypted traffic, it needs to be made readable. SSL Stripping (also known as HTTPS Downgrade) is a prevalent method where the attacker forces an HTTPS connection down to HTTP, exposing plaintext data. The Salt Typhoon telecom espionage campaign in 2024-2025 is believed to have included forms of traffic manipulation that could encompass such downgrades to tap into communications; the exact techniques used have not been publicly confirmed. For more persistent HTTPS connections, attackers might use HTTPS Spoofing with Forged Certificates, serving self-signed or compromised certificates to victims, triggering a security warning users might ignore. SSL Hijacking involves passing forged keys during the TLS handshake. More advanced techniques, like Adversary-in-the-Middle (AiTM) Phishing, use reverse proxies (e.g., EvilGinx2) to intercept real-time sessions, capturing live session cookies and credentials, bypassing even MFA. Man-in-the-Browser attacks involve malware on the victim's system, modifying transactions locally before encryption, making detection challenging.

Man-in-the-Middle Attack Variants and Types

MITM isn't a single attack but a category encompassing several distinct techniques, each with unique characteristics and defense challenges. Understanding these variants helps refine detection strategies.

SSL Stripping (HTTPS Downgrade)

This attack downgrades an HTTPS connection to HTTP, making the data exposed in plaintext. For example, during the Salt Typhoon telecom espionage in 2024-2025, attackers likely employed forms of traffic manipulation that could include such downgrades to tap into communications without triggering overt TLS warnings; specific details of these techniques were not disclosed by affected organizations.

ARP Spoofing

Here, an attacker sends forged ARP messages on a LAN to redirect network traffic through their device. This is a foundational MITM technique, often detected by unexpected changes in a host's ARP cache or unusual increases in ARP traffic within a segment. Detection of duplicate IP addresses often signals active ARP spoofing on the network.

AiTM Phishing

A highly sophisticated variant, AiTM Phishing combines a reverse proxy with credential-harvesting pages to steal live session cookies and bypass MFA. Microsoft 365 was notably targeted in 2024 by the Rockstar 2FA PhaaS toolkit, where threat actor Storm-0485 leveraged these techniques, often through fake LinkedIn verification emails, to compromise employee accounts and bypass MFA. Microsoft confirmed some employee accounts were compromised through these methods, though the total number of affected accounts was not disclosed.

Man-in-the-Browser

This attack involves malware residing on the victim's system that intercepts and modifies transactions in real-time, even over a legitimate encrypted connection. The malware operates within the browser, making it incredibly difficult to detect purely through network-level monitoring as the "middle" is inside the victim's own browser process.

How to Detect Man-in-the-Middle Attack: Warning Signs and IOCs

Detecting MITM attacks requires correlating subtle anomalies across endpoint, network, and SIEM data. No single indicator will guarantee detection; it's the combination that paints the picture.

Endpoint Indicators

Look for invalid or unexpected SSL/TLS certificate warnings in browsers; users should be trained to report these immediately. On Windows systems, monitor Schannel errors within the Event Log, particularly Event ID 36874 (Sch_CacheInvalidCertificateEntry) or Event ID 36882 (Sch_ClientHandshakeFailure), which can indicate certificate validation failures during TLS handshakes. EDR solutions like CrowdStrike Falcon or SentinelOne can generate alerts for suspicious browser activity, such as process injection into browser memory or unexpected certificate changes observed by the endpoint. Abnormal browser proxy settings or changes to the hosts file are also critical signals that EDR can flag. Look for unusual process behavior modifying network stacks or installing suspicious root certificates.

Network Indicators

The network layer provides abundant clues. Watch for sudden shifts from HTTPS to HTTP (SSL Stripping), which can be flagged by network proxies or WAFs. Unusual latency in page loading or application response times, especially when accessing sensitive resources, often points to an intermediary device processing traffic. DNS resolution anomalies, such as legitimate domains resolving to unexpected or rapidly changing IP addresses, are strong indicators. Use tools like Arpwatch or native switch features like Dynamic ARP Inspection (DAI) to detect ARP table inconsistencies and significant increases in ARP traffic or duplicate IP addresses, signaling ARP Spoofing. Unexpected URL redirections or domain substitutions (e.g., "web5ite.com" instead of "website.com") must be identified through DNS logs or proxy logs. The Terrapin Attack in 2023-2024 on SSH negotiations showed how sequence-number manipulation can be exploited, necessitating monitoring for anomalies in SSH session parameters.

SIEM Detection

A well-configured SIEM like Splunk or Elastic is critical for correlating these disparate indicators. Implement rules to detect the co-occurrence of:

  • Multiple Schannel errors (e.g., Event ID 36874, 36882) from the same client IP address over a short period.
  • Spikes in ARP traffic or DAI violations combined with unexpected DNS resolution changes for internal or external domains. For example, a Splunk query might look for: (source="WinEventLog:System" EventCode=36874 OR EventCode=36882) OR (sourcetype="network:arp" type="spoofing") | stats count by _time, src_ip, dest_ip | where count > 5.
  • Unusual HTTPS to HTTP downgrades for domains typically accessed via HTTPS, especially when originating from internal users on untrusted networks.
  • Alerts from CrowdStrike Falcon indicating browser manipulation or certificate trust store modifications correlated with outbound connection attempts to suspicious IP addresses or domains.

Response Playbook: What to Do When Man-in-the-Middle Attack Hits

When you detect a suspected MITM attack, rapid, methodical response is essential. Don't panic; follow a structured playbook to contain, eradicate, and recover.

Phase 1: Immediate Containment (first 15 minutes)

Your priority is to stop the bleeding.

  1. Isolate Affected Systems/Network Segments: Immediately disable the network port of the suspected compromised host using shutdown on a switch port (e.g., interface GigabitEthernet0/1; shutdown). Alternatively, modify firewall rules to quarantine the endpoint or segment the network using VLANs to restrict its communication.
  2. Revoke Compromised Credentials/Session Tokens: Force password resets for any accounts potentially compromised. Invalidate active sessions for these users and any associated session tokens immediately. This is critical, especially after an AiTM Phishing attack like those seen against Microsoft 365 users by Storm-0485 in 2024.
  3. Disable Rogue Access Points: If the MITM attack involves a rogue Wi-Fi access point or evil twin, locate it physically and disable it. Change administrative passwords on legitimate access points to prevent further compromise.
  4. Update/Reconfigure DNS Settings: Flush local DNS caches (ipconfig /flushdns on Windows) on affected systems and ensure clients are pointing to trusted, secure DNS resolvers. Block any malicious IP addresses or domains identified as part of the attack chain at the firewall, IPS, and WAF layers.

Phase 2: Forensic Preservation

Before you clean anything, collect evidence to understand the attack's scope and methods.

  1. Create Disk Images: Perform forensically sound disk images of any affected endpoints. Tools like FTK Imager or dd can create bit-for-bit copies.
  2. Capture Network Traffic: Initiate network traffic capture on affected segments using Wireshark or tcpdump. Look for anomalous ARP traffic, unexpected SSL/TLS handshakes, and plaintext communications.
  3. Collect All Logs: Gather system logs (Windows Event Logs), network device logs (firewalls, switches, routers), application logs, EDR alerts (e.g., from CrowdStrike Falcon), SIEM logs, and DNS server logs. Pay close attention to SSL/TLS certificate validation failures and unexpected HTTP requests.
  4. Analyze Certificates: Preserve and analyze any suspicious SSL/TLS certificates encountered during the incident. Check their issuers, expiry dates, and subject alternative names for inconsistencies.

Phase 3: Recovery and Hardening

This phase focuses on restoring operations and preventing recurrence.

  1. Eradication: Remove all traces of the attacker, including malware, rogue configurations, and unauthorized access points.
  2. Rebuild/Restore: Restore affected systems and data from known good backups. This might involve rebuilding servers or endpoints from trusted images.
  3. Patch and Harden: Apply all pending security patches and updates. Strengthen authentication mechanisms by enforcing phishing-resistant MFA (e.g., with YubiKey), ensuring HTTPS with HSTS preloading, and reviewing access controls.
  4. Post-Incident Analysis: Conduct a thorough root cause analysis. Identify vulnerabilities, control failures, and lessons learned.
  5. Monitoring: Implement enhanced monitoring to detect any recurrence or residual attacker presence. Set up alerts for the IOCs identified during the initial detection phase.

How to Prevent Man-in-the-Middle Attack: Controls That Work

Preventing MITM attacks requires a multi-layered approach, combining specific technical controls with continuous vigilance and user education.

Enforce Strong Transport Encryption and Authentication

Mandate the use of TLS 1.2/1.3 across all services and disable outdated protocols like SSL 3.0 and TLS 1.0/1.1. Implement HTTP Strict Transport Security (HSTS) preloading on web applications to ensure browsers only connect via HTTPS, preventing SSL Stripping. This control maps directly to NIST SP 800-53 SC-8 (Transmission Confidentiality and Integrity). Additionally, deploy phishing-resistant Multi-Factor Authentication (MFA) like FIDO2/WebAuthn or hardware security keys such as YubiKey for all critical accounts. This significantly raises the bar for attackers trying to leverage stolen credentials, directly addressing MITRE ATT&CK T1110.003 (Multi-Factor Authentication Bypass) and aligning with NIST SP 800-53 IA-2 (Identification and Authentication – Organizational Users) and IA-5 (Authenticator Management). Implement Mutual TLS (mTLS) for service-to-service communication to ensure both client and server authenticate each other.

Network Segmentation and Integrity

Segment your network using VLANs and firewall rules to restrict traffic flow between different trust zones. This limits an attacker's lateral movement even if they gain an initial foothold, aligning with NIST SP 800-53 SC-7 (Boundary Protection) and SC-10 (Network Disconnect). Critically, enable Dynamic ARP Inspection (DAI) and DHCP Snooping on network switches (e.g., on Cisco IOS devices) to validate ARP packets and prevent ARP Spoofing. This proactively mitigates a primary MITM interception method, linking to MITRE ATT&CK T1021.001 (Remote Services: SSH) by securing the underlying network transport. Certificate Pinning, embedding expected server certificate fingerprints into applications, can prevent connections if a certificate mismatch occurs, providing an additional layer of trust validation. This is also covered under NIST SP 800-53 IA-2.

Continuous Monitoring and User Awareness

Regularly audit and monitor network traffic for anomalies like unexpected HTTPS to HTTP downgrades, unusual DNS resolution patterns, or spikes in ARP traffic. Implement NIST SP 800-53 AU-6 (Audit Record Review, Analysis, and Reporting) and SI-4 (System Monitoring) to detect suspicious activity. Keep all systems updated with the latest security patches to close known vulnerabilities that attackers could exploit for interception, adhering to NIST SP 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation). Finally, educate employees on the risks of public Wi-Fi, phishing tactics (especially sophisticated AiTM Phishing), and the importance of verifying URLs and certificate warnings. User vigilance contributes to the effectiveness of IR-6 (Incident Reporting) by increasing the likelihood of early detection.

Real-World Incidents

MITM attacks aren't theoretical; they're a consistent threat exploited by various adversaries, from state-sponsored groups to financially motivated criminals.

Salt Typhoon Telecom Espionage (2024-2025)

Between 2024 and 2025, the state-affiliated actor known as Salt Typhoon orchestrated what is believed to be one of the largest telecom espionage campaigns in U.S. history. They allegedly leveraged sophisticated MITM techniques against four major U.S. telecom giants: AT&T, Verizon, Lumen, and T-Mobile. The objective was to tap into call data and track the location of targets, primarily business and government communications. While the U.S. government attributed this activity to Salt Typhoon and provided details on the targets, the specific MITM techniques used by the group have not been publicly confirmed by the affected telecom providers as of publication, nor have the providers confirmed the full extent of the data compromised. This operation highlights the criticality of securing network infrastructure at its deepest levels, as attackers could insert themselves into core routing paths to intercept vast amounts of data. The sheer scale and duration of the attack, targeting multiple major carriers, underscored a failure in correlating subtle network anomalies across diverse telecom infrastructures that would normally indicate an intermediary.

Microsoft 365 Targeted by Rockstar 2FA (2024)

In 2024, Microsoft 365 accounts became a prime target for the Rockstar 2FA PhaaS (Phishing-as-a-Service) toolkit. Threat actor Storm-0485 was particularly active, employing Adversary-in-the-Middle (AiTM) Phishing techniques. In one notable incident, a Microsoft employee was tricked into authenticating via a meticulously crafted fake site. This site, powered by a reverse proxy, intercepted their live session token and credentials, effectively bypassing MFA. The attackers frequently used deceptive LinkedIn verification emails to lure victims. Microsoft confirmed that some employee accounts were compromised through these methods, though the company did not disclose the total number of affected accounts or the specific scope of data exfiltrated. This incident demonstrated that even with MFA in place, sophisticated AiTM proxies can subvert security controls by capturing valid session cookies, illustrating a critical gap in detection for session hijacking at the application layer. The success of this attack hinged on users failing to identify subtle URL discrepancies and the lack of comprehensive browser-side protections against real-time session capture.

Terrapin Attack on SSH Negotiation (2023-2024)

Discovered in December 2023, the Terrapin Attack exposed a critical vulnerability affecting numerous OpenSSH installations, including an estimated 11 million publicly reachable SSH servers as of early 2024. This MITM attack exploits downgrade and sequence-number manipulation during the SSH connection's feature negotiation phase. By subtly truncating encrypted messages, attackers can downgrade the connection to less secure algorithms (like chacha20-poly1305 or encrypt-then-mac with etm@openssh.com), compromising the integrity of the SSH channel without immediately terminating the connection. This allows for potential session hijacking or data tampering. The lesson here is the importance of not just strong encryption, but also secure negotiation protocols and rigorous validation of cryptographic primitives, highlighting a failure in early protocol-level anomaly detection. Implementing latest OpenSSH versions and disabling vulnerable ChaCha20-Poly1305 and encrypt-then-mac algorithms were key mitigations.

Data at a Glance

Metric Value Source
Average cost of a data breach $4.44 million CVEDaily.com
US average cost of a data breach $10.22 million CVEDaily.com
Average time to identify breach 181 days CVEDaily.com
Average time to contain breach 60 days CVEDaily.com
Weekly cyberattacks globally 1,968 CVEDaily.com
YoY attack frequency increase 18% CVEDaily.com
Breaches involving human element 68% CVEDaily.com
Key metrics chart for Detect Man-in-the-Middle Attack: Chain, Signs & Defense (2026)
Key metrics — data from sources cited above

The CVEDaily Take

We think many organizations fail to fully account for sophisticated AiTM proxy attacks that bypass MFA because they over-rely on a single layer of defense. The real gap isn't just detecting forged certificates but correlating unexpected DNS changes with minor latency spikes before any obvious certificate warning even appears. This shift means prioritizing network integrity and DNS hygiene as primary detection surfaces. Are your current SIEM rules actively correlating Schannel errors with ARP cache inconsistencies and specific outbound traffic patterns, or are you waiting for a browser warning to tell you there's a problem?

Tools & Resources

Securing against MITM attacks demands a solid toolkit across detection, prevention, and incident response.

Detection (EDR/SIEM)

  • CrowdStrike Falcon: An EDR solution that provides real-time endpoint visibility, threat detection, and response. It's critical for identifying suspicious process activity, browser manipulation (e.g., Man-in-the-Browser malware), and unexpected certificate store modifications indicative of MITM. Official Documentation
  • Splunk Enterprise Security (ES): A powerful SIEM platform for ingesting and correlating logs from across the IT environment. It enables the creation of detailed correlation rules to detect MITM warning signs like concurrent Schannel errors and ARP cache anomalies. Official Documentation

Prevention (Controls/Hardening)

  • YubiKey: A hardware security key that offers phishing-resistant MFA using standards like FIDO2/WebAuthn. This significantly reduces the risk of credential theft and session hijacking, even against sophisticated AiTM Phishing campaigns. Official Documentation
  • Cisco IOS Dynamic ARP Inspection (DAI): A feature on Cisco switches that validates ARP packets to prevent ARP Spoofing. It checks ARP requests and replies against legitimate MAC-IP bindings learned from DHCP Snooping. Official Documentation
  • HSTS Preloading: A list of domains hardcoded into web browsers that should only be accessed using HTTPS. Submitting your domain to this list prevents SSL Stripping attempts entirely. Official Documentation

Incident Response (Forensics/Containment)

  • Wireshark: A widely used network protocol analyzer that allows deep inspection of network traffic. Essential for capturing and analyzing network packets to identify ARP Spoofing, SSL/TLS handshake anomalies, and unexpected HTTP downgrades. Official Documentation
  • Ettercap: A free and open-source suite for MITM attacks on LAN. While an attacker tool, it’s invaluable for security teams to simulate ARP Spoofing and SSL Stripping in a controlled environment to test their detection capabilities. Official Documentation

FAQ

Q: How do you detect a Man-in-the-Middle attack?
A: Look for unexpected SSL/TLS certificate warnings in browsers, unusual latency in network communication, and significant increases in ARP traffic or DNS resolution anomalies pointing to unfamiliar IP addresses.

Q: How do you respond to a Man-in-the-Middle attack?
A: Immediately isolate affected systems or network segments, revoke any compromised credentials and session tokens, and disable rogue access points or services identified as part of the attack.

Q: How do you prevent a Man-in-the-Middle attack?
A: Enforce strong transport encryption like TLS 1.2/1.3 with HSTS preloading, and deploy phishing-resistant MFA like FIDO2/WebAuthn (e.g., using YubiKey) for all critical user accounts.