Adversary In The Middle (AiTM)
If you want to send someone a letter, you write the letter, put it in an envelope, address the envelope, and then drop it in a mailbox.
Computers send data instead of letters, but the process of getting data between systems on the internet is conceptually similar. Letters go in envelopes and are taken to a mailbox, while data gets put into packets and sent to a gateway.
But what if someone stood up a fake mailbox? They could collect mail from a bunch of people and read everything, including sensitive information-- but then the postal service would realize people's mail was being intercepted. So instead, the owner of the fake mailbox could copy the letters and then drop them off at a real mailbox. That would allow them to go a lot longer without being detected.
Local AiTM Attacks
Something similar can happen on a computer network-- someone can stand up a fake gateway and trick computers into sending data to them instead of the real gateway. With a fake gateway the impostor could stop people from getting online, but that would lead to them being discovered quickly, so instead they can record the traffic and then pass it through to the real gateway. This lets them read the data later and reduces the chances of them being discovered.
This kind of impostor is called an Adversary in The Middle (AiTM) but you may have heard the older term, Man In the Middle (MiTM). Local AiTM attacks occur when someone stands up a fake gateway or, more commonly, a fake wireless router.
When you go to a hotel, the hotel offers free WiFi. So you get to your room, select the hotel's WiFi network and log in. How do you know you connected to the hotel's wireless network and not someone pretending to be the hotel? If it's done well, you really can't. And it wouldn't be all that hard for someone to stand up a fake copy of the hotel network and trick people into logging in. The same thing can happen at convention centers, airports, or anywhere with public WiFi.
And it does happen--in 2025 Michael Clapsis was convicted of impersonating the public WiFi at Australian airports and on multiple flights, tricking travelers into connecting to his fake network instead of the real network. He got caught because airports have heightened security, but someone doing this at hotels, coffee shops or in other public spaces will have a much better chance of getting away with it.
Remote AiTM Attacks
Impersonating a gateway or wireless network can be effective but only affects people in close proximity to the attacker. Malicious links, however, allow someone to target the entire internet with an AiTM attack, making them far more dangerous and far more common.
To create an internet-wide AiTM, someone creates a fake copy of a real web page, and then sends out lots of links to that fake page, but makes the links look real. These fake links can be placed in emails, inserted into web pages, social media posts, forums, comments, etc, and anyone who clicks on the link is taken to the fake look-alike page instead of the real one.
Consider the diagram below
Nyx has created a website that looks like the bank’s and tricked Tux into clicking on a link in a phishing email that takes them to Nyx’s website. Nyx intercepts Tux’s username and password and uses them to gain access to Tux’s bank account. From Tux’s perspective it looks like they are talking to the bank, and from the bank’s perspective it looks like they are talking to Tux. Neither is aware that Nyx is lurking in between them. Nyx can save Tux’s username and password for later use, and can even intercept the bank’s MFA challenge and the code Tux enters in response. This means that an AiTM is sometimes capable of defeating MFA or 2FA.
The good news is that there are ways to defend against AiTM attacks. VPNs will protect you against malicious gateways and wireless networks, but for internet based AiTM attacks, awareness is critical.
Check the URL of websites carefully before entering your username and password
Never click on a link in an email without mousing over it.
Don’t click on any link that you can’t read and understand.
When you type an address into your web browser, make sure you didn’t do a search. If you did do a search, make sure you click on a link for the correct website and not an ad.
If you are using a password manager with autofill – make sure it is set to only autofill when domain names match. If it doesn’t autofill – it’s not the correct domain.
Avoid links in emails. It is better to open a new tab and search for the website.
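The two checks above that a person can get wrong in a hurry, reading the real host out of a URL and only filling a password when the domain matches, are exactly the checks a strict password manager automates. The following Python is an added example written for this page, not code from any real password manager or browser. It assumes a saved login origin of https://bank.example (a constructed value) and applies the strictest rule, exact scheme and host match, to a handful of constructed look-alike URLs of the kind a phishing link would carry.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: the origin a password manager saved when the user first
# logged in to the bank. Nothing here refers to a real site.
SAVED_ORIGIN = "https://bank.example"


def actual_host(url: str) -> Optional[str]:
    """Return the host the browser would really connect to, or None if unparseable.

    urlparse().hostname drops any "user@" prefix and the port and lowercases the
    result, so "https://bank.example@evil.example/" resolves to "evil.example":
    the part before "@" is a username, not the destination, which is how that
    trick fools people reading the address bar.
    """
    try:
        return urlparse(url).hostname
    except ValueError:
        return None


def autofill_allowed(url: str, saved_origin: str = SAVED_ORIGIN) -> bool:
    """Mimic a strict password-manager rule: fill only on an https page whose host
    is exactly the saved host. A look-alike such as bank.example.evil.example or
    bank-example.com is a different host and gets nothing."""
    saved = urlparse(saved_origin)
    page_host = actual_host(url)
    if page_host is None or saved.hostname is None:
        return False
    return (
        urlparse(url).scheme == "https"
        and saved.scheme == "https"
        and page_host == saved.hostname
    )


def triage(urls: List[str]) -> List[Tuple[str, Optional[str], bool]]:
    """For each URL report (url, host actually contacted, whether autofill fires)."""
    return [(u, actual_host(u), autofill_allowed(u)) for u in urls]


# Constructed test links; only the first two point at the saved host.
SAMPLE_LINKS = [
    "https://bank.example/login",
    "https://BANK.EXAMPLE/login",                 # hostnames are case-insensitive
    "https://bank.example.evil.example/login",    # saved host used as a subdomain
    "https://bank.example@evil.example/login",    # userinfo trick
    "https://bank-example.com/login",             # look-alike spelling
    "http://bank.example/login",                  # right host, no TLS
]

if __name__ == "__main__":
    for url, host, ok in triage(SAMPLE_LINKS):
        print(f"{'FILL ' if ok else 'BLOCK'}  host={host!s:28}  {url}")
```

The point of the rule "if it doesn’t autofill, it’s not the correct domain" is visible in the output: every look-alike is refused for a mechanical reason (different host, wrong scheme), and the userinfo trick is exposed because the parser reports the host after the "@". Some managers relax this to match the registrable domain rather than the exact host; the look-alikes above fail under that rule as well, because their registrable domains are evil.example and bank-example.com, not bank.example.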
There have been cases of AiTM attacks defeating passkeys, but that has been because of improper passkey implementation and not a problem with passkeys themselves. So the verdict is that passkeys offer enhanced protection against AiTM attacks, but you should not assume having a passkey makes you immune. Check the URL yourself carefully before using your passkey. If the passkey fails or throws an alert, there is a good chance you have been redirected to a phishing website.
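Why a correctly implemented passkey resists the relay shown in the bank diagram comes down to two fields the browser, not the web page, fills in: the origin of the page that asked for the passkey and a hash of the relying-party ID the passkey was registered for. A relay from Nyx’s site cannot forge them, so the bank’s server can reject the forwarded response; a server that skips those checks is the "improper implementation" the paragraph refers to. The Python below is an added illustration written for this page, not any real WebAuthn library. It assumes a relying party ID of bank.example and a constructed challenge, builds a simplified authenticator response (no signature or key handling) and runs only the origin, challenge and rpIdHash checks a server must perform.

```python
import base64
import hashlib
import json
from typing import Dict, Tuple

# Constructed values for this example. A real relying party generates a fresh
# random challenge for every login and stores it server-side until verified.
RP_ID = "bank.example"
EXPECTED_ORIGIN = "https://bank.example"
CHALLENGE = b"constructed-challenge-0001"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def simulated_response(origin: str, challenge: bytes, rp_id: str) -> Dict[str, str]:
    """Build the two fields of a passkey assertion that matter for origin binding.

    In a real browser the 'origin' is set from the page that made the request and
    the rpIdHash from the RP ID that page was allowed to use; a page at
    login.evil.example cannot claim bank.example for either. This helper is a
    constructed stand-in for that behaviour and carries no signature.
    """
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x05"            # user-present and user-verified bits (constructed)
    sign_count = b"\x00\x00\x00\x01"
    return {
        "clientDataJSON": b64url(json.dumps(client_data).encode()),
        "authenticatorData": b64url(rp_id_hash + flags + sign_count),
    }


def verify_origin_binding(
    response: Dict[str, str],
    expected_challenge: bytes,
    expected_origin: str = EXPECTED_ORIGIN,
    rp_id: str = RP_ID,
) -> Tuple[bool, str]:
    """Server-side checks that defeat a relayed assertion. Returns (ok, reason)."""
    client_data = json.loads(b64url_decode(response["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed response)"
    if client_data.get("origin") != expected_origin:
        # The relay case: the user really did use their passkey, but on Nyx's page.
        return False, f"origin mismatch: {client_data.get('origin')}"
    auth_data = b64url_decode(response["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


if __name__ == "__main__":
    genuine = simulated_response(EXPECTED_ORIGIN, CHALLENGE, RP_ID)
    relayed = simulated_response("https://login.evil.example", CHALLENGE, "evil.example")
    stale = simulated_response(EXPECTED_ORIGIN, b"an-older-challenge", RP_ID)
    for label, resp in [("genuine", genuine), ("relayed", relayed), ("stale", stale)]:
        print(label, verify_origin_binding(resp, CHALLENGE))
```

The relayed response fails on the origin check before the signature would even be examined, which is the property that the bank-diagram attack against a one-time code does not have: a six-digit code carries no information about where it was typed, while a passkey assertion does. The practical advice in the paragraph follows from the same mechanism: on a phishing domain the browser will refuse to use a passkey registered for bank.example at all, so a passkey that suddenly fails or raises an error is itself a warning sign.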