Multi-factor authentication, strong password management, and endpoint protection are all essential defenses. They offer great protection right up until the moment you join a public Wi-Fi network that you THINK is safe but is actually an attacker’s access point masquerading as the free hotel or airport lounge network. We recently saw firsthand how, even with those measures in place, it’s easy to fall victim to a “man in the middle” (MITM) attack.
One of our client’s traveling employees innocently connected to what looked like the official airport Wi-Fi to get some work done. Unbeknownst to them, it was a malicious “evil twin” network set up by an attacker. Two days later, the attacker had access to their account and was sending hundreds of emails to the employee’s contact list, trying to get customers and vendors to click on a company-branded document that contained malware.
Fortunately, Nessit spotted the unusual activity immediately and took action. Within 20 minutes, we locked the account, killed all active sessions, and deleted the rogue file from OneDrive, neutralizing the threat. The employee hadn’t clicked any phishing emails, didn’t turn off any of the many layers of protection we have in place, didn’t enter their credentials in a fake site–they simply joined a public Wi-Fi network.
The moment a device joins a network, every open application resumes talking to its servers: Outlook fetches new email, Teams checks for new messages, and all those browser tabs you left open try to refresh. Each of those requests carries a session or access token that proves the device already authenticated, and already passed MFA. A man in the middle attack is when the attacker positions themselves between a user and the services they’re accessing, so all of that traffic crosses the attacker’s hardware. Traffic to services like Microsoft 365 is encrypted with TLS, so a rogue access point by itself only sees which services the device talks to; the tokens become readable when the attacker also defeats or downgrades that encryption (the techniques under Step 2 below) or when the device has been tricked into trusting the attacker’s certificate. Once a token is captured, it can be loaded onto another computer and replayed: the service accepts it as you, with no password and no MFA prompt, because the token is what the service checks.
In this case, the attacker’s device intercepted the traveler’s network traffic without any obvious warning, allowing them to eavesdrop on everything sent between the employee and the company’s email and collaboration services–essentially becoming a silent “man in the middle.”
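The detection that caught this incident comes down to two signals that a security team can hunt for in identity-provider sign-in logs and mail-trace data: the same session identifier showing up from a second network and client without a fresh MFA prompt, and a mailbox suddenly reaching dozens of distinct recipients. The Python below is an added illustration, not Nessit’s tooling and not code from the original post. The `SignIn` and `MailSent` records are loosely modeled on the fields identity providers and mail systems log, the sample events are constructed, and the thresholds (a /24 network change, a 3-day token window, 50 recipients in 30 minutes) are assumptions to tune for your tenant.

```python
"""Spot a replayed session token and the phishing burst that followed it.
Added illustration; the records below are constructed, not anyone's real logs."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str     # value that follows the session/refresh token, as identity providers log it
    ip: str
    user_agent: str
    mfa_by_claim: bool  # True when MFA was "satisfied" only because the presented token already carried it


@dataclass(frozen=True)
class MailSent:
    ts: datetime
    sender: str
    recipient: str


def find_replayed_sessions(events, window=timedelta(days=3)):
    """A session id presented from a new /24, with a different client, inside `window`, and
    without a fresh MFA prompt looks like a token lifted off one device and replayed on another."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e.user, e.session_id)].append(e)
    findings = []
    for (user, sid), evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        first = evs[0]
        for later in evs[1:]:
            same_net = ip_address(later.ip) in ip_network(f"{first.ip}/24", strict=False)
            if (later.ts - first.ts <= window and not same_net
                    and later.user_agent != first.user_agent and later.mfa_by_claim):
                findings.append({"user": user, "session_id": sid, "first_ip": first.ip,
                                 "replayed_from": later.ip, "at": later.ts})
                break
    return findings


def find_mail_bursts(mails, window=timedelta(minutes=30), min_recipients=50):
    """Sliding window per sender: flag the first span of `window` reaching `min_recipients` distinct recipients."""
    by_sender = defaultdict(list)
    for m in sorted(mails, key=lambda m: m.ts):
        by_sender[m.sender].append(m)
    bursts = []
    for sender, ms in by_sender.items():
        start = 0
        for end in range(len(ms)):
            while ms[end].ts - ms[start].ts > window:
                start += 1
            recipients = {m.recipient for m in ms[start:end + 1]}
            if len(recipients) >= min_recipients:
                bursts.append({"sender": sender, "recipients": len(recipients), "from": ms[start].ts})
                break
    return bursts


def correlate(signins, mails):
    """A replayed session followed by a mail burst from the same mailbox is the shape of this incident."""
    bursts = {b["sender"]: b for b in find_mail_bursts(mails)}
    return [dict(r, burst=bursts[r["user"]]) for r in find_replayed_sessions(signins) if r["user"] in bursts]


# Constructed sample: the traveler's real sign-in at the airport, the same session id used two days
# later from an unrelated network with a different client, and a colleague whose sessions are normal.
T0 = datetime(2024, 5, 1, 9, 0)
REPLAY_AT = T0 + timedelta(days=2)
SAMPLE_SIGNINS = [
    SignIn(T0, "traveler@example.com", "sess-7f3a", "203.0.113.10", "Outlook/16.0 Windows", False),
    SignIn(REPLAY_AT, "traveler@example.com", "sess-7f3a", "198.51.100.7", "Mozilla/5.0 (X11; Linux)", True),
    SignIn(T0, "colleague@example.com", "sess-91c0", "192.0.2.20", "Teams/1.6 Windows", False),
    SignIn(T0 + timedelta(hours=5), "colleague@example.com", "sess-91c0", "192.0.2.21", "Teams/1.6 Windows", True),
]
SAMPLE_MAILS = [MailSent(REPLAY_AT + timedelta(minutes=10, seconds=5 * i), "traveler@example.com",
                         f"contact{i}@vendor.example") for i in range(120)]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_SIGNINS, SAMPLE_MAILS):
        print(hit)
```

The replay check deliberately ignores a second sign-in from the same /24 with the same client (the colleague above), which is what a normal reconnection looks like; the signal is the combination of new network, new client, and MFA satisfied only by the token itself. Either finding alone is a lead, but the pair from one mailbox inside a couple of days is the trigger for the response the story describes: block the account, revoke every session so the stolen token stops working, and remove the hosted file.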
How Does an MITM Attack Work?
Step 1. Interception
The goal of these attacks is to steal information such as login tokens or data by intercepting your communication before it reaches its destination. The most common way this happens is through fake public Wi-Fi networks set up by attackers and named to look like a legitimate option, think “Airport_WIFI” or “Starbucks_guestwifi.” Since they’re free and don’t require a password, people often connect without a second thought. Once you’re on that network, everything your device sends passes through the attacker’s hardware: they see which services you talk to in real time, read anything sent unencrypted, and are positioned to attack the encrypted traffic using the techniques in Step 2.
Attackers can also take a more direct approach by manipulating the way your device connects to the internet. Some examples of this include:
- IP Spoofing – The attacker sends packets with a forged source address so they appear to come from a trusted host, or answers for an address that isn’t theirs, tricking your device into sending information to the wrong place.
- ARP Spoofing – Within a local network, the attacker sends forged ARP replies that bind the gateway’s IP address to their own Media Access Control (MAC) address, so everything your device sends toward the internet goes through the attacker’s machine first.
- DNS Spoofing – The attacker tampers with the lookups that match website names to their real addresses, answering with their own address so you land on a fake version of the site without knowing.
Step 2. Decryption
Once the attacker has inserted themselves into your connection, the next step is to get around encryption, the padlock you see in your browser that’s supposed to keep your data safe, without you noticing. Properly validated TLS does not simply yield to a device in the middle, so each of these techniques relies on a mistake somewhere: a warning clicked through, a certificate the device shouldn’t trust, or a site that allowed plain HTTP in the first place. There are a few different ways to do this:
- HTTPS Spoofing – The attacker presents a forged certificate for the site. A correctly configured browser rejects it with a full-page warning; the attack succeeds when the user clicks through that warning, when the device has been made to trust an attacker-controlled certificate authority, or when the attacker uses a look-alike domain for which they hold a perfectly valid certificate.
- SSL Hijacking – The attacker terminates the secure session on their own machine: you negotiate keys with the attacker (who presents a forged certificate), and the attacker opens a separate, legitimate TLS session to the real website. Both ends see an encrypted connection, but the attacker decrypts and re-encrypts everything in between and can read or alter the session at will.
- SSL Stripping – This method downgrades your secure HTTPS connection to plain HTTP without you noticing. The attacker keeps a secure connection with the real website, but you’re left sending data over an unencrypted line, right into their hands. Sites that send an HSTS (Strict-Transport-Security) policy, and especially those on the browser preload list, defeat this, because the browser upgrades to HTTPS before sending anything; apps such as Outlook and Teams that only ever connect to their services over TLS aren’t downgraded this way either, which is why stripping targets browser traffic to sites the browser doesn’t yet know must be HTTPS.
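As an added example (not Nessit’s tooling and not code from the original post), the Python below shows the two halves of SSL stripping: what a stripping proxy does to a page and its headers before relaying them to the victim in cleartext, and the HSTS policy check a browser performs before any request leaves the device. The site names, page body and headers are constructed, and the `HstsCache` class is a stand-in for a real browser’s policy store and preload list.

```python
"""SSL stripping vs. HSTS: the proxy-side rewrite and the browser-side upgrade check.
Added illustration with constructed data; not real traffic, not real sites."""
import re
from urllib.parse import urlsplit, urlunsplit

# Matches the https:// scheme inside link-carrying attributes of a page body.
HTTPS_IN_ATTR = re.compile(r'((?:href|action|src)=["\'])https://', re.IGNORECASE)


def strip_https(body: str, headers: dict) -> tuple[str, dict]:
    """What a stripping proxy does to a response before relaying it in cleartext:
    https links become http, an https redirect becomes http, and the
    Strict-Transport-Security header is dropped so the victim never learns the policy."""
    body = HTTPS_IN_ATTR.sub(r"\1http://", body)
    out = {}
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            continue
        if name.lower() == "location" and value.startswith("https://"):
            value = "http://" + value[len("https://"):]
        out[name] = value
    return body, out


def parse_hsts(value: str) -> tuple[int, bool]:
    """Return (max_age_seconds, include_subdomains) for a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("Strict-Transport-Security without max-age is invalid")
    return max_age, include_sub


class HstsCache:
    """Stand-in for the browser's HSTS store; `preloaded` plays the built-in preload list."""

    def __init__(self, preloaded=()):
        self.entries = {h: (float("inf"), True) for h in preloaded}  # host -> (expiry, includeSubDomains)

    def remember(self, host: str, header: str, now: float) -> None:
        max_age, include_sub = parse_hsts(header)
        if max_age == 0:  # max-age=0 tells the browser to forget the host
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + max_age, include_sub)

    def must_upgrade(self, host: str, now: float) -> bool:
        """True if `host`, or a parent domain with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False


def navigate(url: str, cache: HstsCache, now: float) -> str:
    """The URL the browser actually requests. An http URL to a known-HSTS host is
    rewritten to https locally, so the stripper never sees a cleartext request to it."""
    parts = urlsplit(url)
    if parts.scheme == "http" and cache.must_upgrade(parts.hostname, now):
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


# Constructed response from the real site, as the proxy receives it over its own TLS session.
SITE_BODY = '<a href="https://bank.example/login">Log in</a> <a href="https://news.example/">News</a>'
SITE_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                "Location": "https://bank.example/login"}


def demo(now: float = 1_700_000_000.0) -> dict:
    cache = HstsCache()
    # bank.example was visited from a trusted network a day earlier, so its policy is cached;
    # news.example never sent HSTS and is not preloaded, so stripping works against it.
    cache.remember("bank.example", SITE_HEADERS["Strict-Transport-Security"], now - 86_400)
    body, headers = strip_https(SITE_BODY, SITE_HEADERS)
    links = re.findall(r'href="([^"]+)"', body)
    return {
        "links_as_stripped": links,
        "links_as_requested": [navigate(link, cache, now) for link in links],
        "redirect_as_stripped": headers["Location"],
        "hsts_header_survived": "Strict-Transport-Security" in headers,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the demo is the asymmetry: the proxy strips both links identically, but the browser only sends a cleartext request for the site it has no policy for. That is also the weakness of HSTS as normally deployed: the policy has to be learned on a trusted network first (the stripper removes the header), which is exactly what the preload list fixes by shipping the policy inside the browser.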
In our client’s case, the fake airport network acted like a hidden spy. Once connected, every app on the device began to sync: Outlook checked mail, Teams looked for messages, open browser tabs refreshed, and the attacker quietly recorded those exchanges. In practical terms, this let the attacker replay the employee’s session token without ever needing their password or an MFA code, impersonate the victim, and send emails as if they were them.
How to Protect Your Business
This scare shows how even strong security measures can be sidestepped by a well-placed MITM attack. The good news is that businesses have several defenses to stop or limit these attacks:
1. Be cautious with public Wi‑Fi
Turn off automatic Wi‑Fi connections and don’t just hop on an open “Free Wi-Fi” without thinking. A password doesn’t prove a network is genuine either: an evil twin can advertise the same name and the same passphrase as the real hotel or airport network. Prefer your phone’s mobile hotspot, and forget public networks after you use them so your device doesn’t rejoin a look-alike later.
2. Use a VPN (Virtual Private Network)
A VPN encrypts all traffic between your device and the VPN endpoint, turning your data into gibberish if someone on the Wi-Fi intercepts it. It only helps if it is in place before your apps start talking: use an always-on VPN that brings the tunnel up before other traffic is allowed, because a VPN you start by hand after connecting has already let Outlook and Teams sync across the rogue network.
3. Stick to secure websites (HTTPS)
Look for “https://” and the padlock in your browser bar and never enter sensitive information on websites that aren’t secured. On a public network, treat a certificate warning as a stop sign rather than an annoyance: clicking through it is exactly what lets a forged certificate work.
4. Keep your devices and apps updated
Regularly install software and system updates. Beyond general security patches, they carry the certificate-validation and protocol fixes that MITM tooling relies on being absent.
5. Use strong authentication methods
Enable multi-factor authentication (MFA) and create unique passwords for every account. Remember that MFA stops password reuse but, as this incident shows, does not stop a stolen token, which already carries the MFA claim. Pair it with sign-in risk policies, short session lifetimes, and device-bound tokens where your identity provider supports them, and make sure your team can revoke a user’s sessions quickly so a stolen token dies fast.
6. Educate yourself and your team
Stay informed about current cybersecurity risks and implement regular cybersecurity training for all employees.
Key Takeaways: A rogue “evil twin” Wi‑Fi can undermine even strong company security. By combining vigilance (don’t auto‑join sketchy networks) with technology (always-on VPNs, encryption, quick logouts, up-to-date devices), your business can dramatically reduce the threat. Nessit’s quick response averted any damage in this case, but the incident was a stark reminder: the network is the new perimeter. Always assume public Wi‑Fi isn’t safe and protect your data accordingly.
Through layered defenses and smart habits, you can avoid “man-in-the-middle” attacks – and that’s a lesson worth sharing. Talk to Nessit about safeguarding your business.