Threat actors are increasingly relying on stealthy interception attacks that quietly position themselves between users, systems, and data. These attacks are collectively known as Man-in-the-X (MitX) attacks.
Rather than breaking into systems outright, MitX attacks exploit trust. They allow attackers to eavesdrop, manipulate, or redirect communications while remaining largely invisible. For healthcare organizations, financial institutions, and any entity handling sensitive data, MitX attacks pose a particularly serious risk because they often lead to credential theft, data breaches, fraud, and regulatory non-compliance.
“Man-in-the-X” is an umbrella term describing attacks where an unauthorized third party secretly intercepts or alters communication between two legitimate parties.
The “X” refers to where the attacker positions themselves, such as:
Despite their differences, all MitX attacks share three defining characteristics:
According to the National Institute of Standards and Technology (NIST), a MitM attack is “an attack in which an attacker is positioned between two communicating parties in order to intercept and/or alter data traveling between them.”
According to IBM, cybercriminals start by exploiting vulnerabilities across networks, web browsers, email accounts, user behaviors, and security protocols using social engineering attacks. They do this to “insert themselves between users and trusted applications so they can control communications and intercept data in real time.”
The most common entry point is phishing: the user clicks a malicious email link and the attacker’s malware infects the web browser. This allows the attacker to “make covert changes to web pages, manipulate transactions and spy on the user’s activity.”
Another common source is rogue Wi-Fi connections. These connections, usually public, “have fewer security protocols than home or workplace wifi routers,” making them “easier for hackers to compromise… so they can eavesdrop on internet traffic and collect user data.”
“MITM attackers sometimes create their own malicious public wifi networks to lure unsuspecting users and harvest their personal data. MITM attackers might also create fake websites that appear legitimate but are actually collecting critical data such as login credentials. Hackers can then use those credentials to log in to user accounts on authentic websites. Or they might use the fake website to deceive users into making payments or transferring funds,” states IBM.
“MITM attacks are critical because of the wide range of potential impacts—these include the exposure of sensitive information, modification of trusted data, and injection of data,” notes CISA.
Patients accessing portals or emails on public Wi-Fi or clinicians working remotely are common targets, potentially exposing protected health information (PHI).
Read also: How to prevent man-in-the-middle attacks in healthcare
“A man-in-the-browser attack is designed to intercept data as it passes over a secure communication between a user and an online application. A Trojan embeds itself in a user's browser and can be programmed to activate when a user accesses specific online sites, such as online banking sites. Once activated, a man-in-the-browser Trojan can intercept and manipulate any information a user submits online in real-time,” writes Krishna Sai Anudeep Ayyagari in the article Man in the Browser Attacks.
According to TechTarget, cybercriminals “take advantage of security vulnerabilities or phishing tactics to initiate the attack.” The attack exploits a user script or an insecure browser extension. “MitB works by infecting a browser with a Trojan horse, which enables an attacker to intercept and modify data sent from a browser to a server.”
The effects of a successful MitB attack include “eavesdropping, data theft or session tampering,” and an attacker who controls a banking session in this way can move the user’s money.
MitB attacks can alter patient intake forms, redirect insurance payments, or steal clinician credentials for EHR access.
A Man-in-the-Email (MitE) attack, commonly known as a Business Email Compromise (BEC), happens when cybercriminals “trick unsuspecting executives and employees into sending money or sensitive data to fraudulent accounts,” says Cisco. “Attackers accomplish this using a variety of phishing techniques that manipulate users into transferring money or data.”
According to the HHS, a BEC attack happens in four steps:
Organizations hit by a MitE attack risk financial loss, compromised mailboxes, and unauthorized PHI exposure.
Email remains one of the leading causes of HIPAA breaches, with attackers exploiting appointment reminders, billing emails, and clinical communications.
See also: Why BEC is today's biggest email threat
Security Brief New Zealand defines a MitC attack as one in which attackers “take advantage of the OAuth synchronisation token system used by cloud applications.” Attackers take advantage of the tokens that sync clients save “on a user's device after initial authentication is completed.”
Attackers gain access and copy the token, allowing them to “infiltrate the victim's cloud accounts remotely.” They do this using social engineering tactics that trick the user into installing malware. Once successful, the “malware installs a new token (belonging to a new account that the attacker created) and moves the victim's real token into a cloud sync folder. When the victim's device syncs via the new token belonging to the attacker, it sends the victim's data to the attacker's account instead of to the user's real account.” Additionally, “The original account token is revealed to the attacker and malware like Switcher can copy it back to the victim's machine, erasing the malicious one in the process. This removes all traces of the security breach and leaves the attacker with full access to the victim's account – on any device.”
When cybercriminals gain access to cloud networks, the risks include:
Cloud-hosted EHRs, imaging systems, and patient portals are targets for MitC attacks, and a successful attack gives the attacker unauthorized access to PHI.
See also: The underlying risks of using cloud storage
Similar to MitB, MitMO begins on the “desktop browser where a web-injection in the desktop browser lures victims into installing a fake security app into their Android mobile,” notes Info Security Magazine.
Attackers trick users into installing malware by telling them that “a new security feature requires them to install a special security app on their mobile device, and are told that 15 million users already use the system.” At the time the campaign was discovered, the attackers were targeting BlackBerry and Android users. “If the platform is Blackberry, they are eventually told that installation has been successful, although no malware is actually installed. The process for Android, however, first asks for their mobile number, and indicates that a link has been sent by SMS to their phone. Targets are asked to follow the link and install the security application,” notes the magazine. Once installed, the malware “can capture all future SMS traffic, including bank authorization codes, which it sends to the fraudsters. In this way the fraudsters can initiate a fraudulent bank transfer and capture the security codes necessary to bypass the SMS-based out-of-band authorization methods.”
With attackers bypassing SMS-based out-of-band authorization, they can access bank accounts and transfer funds to themselves.
The same technique applied to apps other than banking apps means patients and clinicians using mobile health apps may unknowingly expose login credentials and PHI.
According to NIST, session hijacking is “an attack in which the attacker is able to insert themselves between a claimant and a verifier after a successful authentication exchange between the latter two parties. The attacker is able to pose as a subscriber to the verifier or vice versa to control session data exchange.”
According to OWASP, session hijacking works by:
When attackers intercept sessions, they are able to:
Session hijacking can grant attackers full access to electronic health record (EHR) systems without triggering login alerts.
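The following Python example is added here and is not code from the article, NIST or OWASP. It shows the server-side controls that turn the hijack described above into a detectable, self-limiting event: session IDs come from a CSPRNG, a fresh ID is issued at login (so an ID planted before authentication, i.e. session fixation, never becomes privileged), the session is bound to a coarse client fingerprint, and a valid ID arriving from a different client revokes the session and raises an alert instead of silently granting access. The `SessionStore` class, the fingerprint rule and the sample client values are assumptions for illustration; the requests are constructed, not captured traffic.

```python
"""Session handling hardened against hijacking and fixation (added example)."""
import hashlib
import secrets
import time

# Constructed sample clients (ip, user_agent); not captured traffic.
LEGIT_CLIENT = ("203.0.113.10", "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0")
ATTACKER_CLIENT = ("198.51.100.7", "python-requests/2.32")


def client_fingerprint(client_ip: str, user_agent: str) -> str:
    """Coarse binding of a session to the client that created it.

    A stolen cookie replayed from another host or tool will not match. This is
    a detection aid, not a guarantee: an attacker who copies the User-Agent and
    sits behind the same NAT as the victim still matches.
    """
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    """In-memory store (assumed); a real deployment would back this with Redis or similar."""

    def __init__(self, idle_timeout: int = 900):
        self.idle_timeout = idle_timeout
        self._sessions: dict[str, dict] = {}
        self.alerts: list[str] = []  # what the SOC would receive

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG; never derive IDs from time or user data.
        return secrets.token_urlsafe(32)

    def start_anonymous(self, client_ip, user_agent, now=None) -> str:
        now = time.time() if now is None else now
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "fp": client_fingerprint(client_ip, user_agent), "last_seen": now}
        return sid

    def login(self, pre_auth_sid, user, client_ip, user_agent, now=None) -> str:
        """Issue a brand-new ID at authentication, so an ID planted by an
        attacker before login (session fixation) never becomes authenticated."""
        now = time.time() if now is None else now
        self._sessions.pop(pre_auth_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "fp": client_fingerprint(client_ip, user_agent), "last_seen": now}
        return sid

    def validate(self, sid, client_ip, user_agent, now=None):
        """Return (user, reason); user is None when the request must be rejected."""
        now = time.time() if now is None else now
        rec = self._sessions.get(sid)
        if rec is None:
            return None, "unknown or revoked session id"
        if now - rec["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None, "idle timeout"
        if rec["fp"] != client_fingerprint(client_ip, user_agent):
            # A valid ID arriving from a different client is the hijack signature.
            # Revoke it so the legitimate user is pushed back through login, and alert.
            del self._sessions[sid]
            self.alerts.append(f"possible session hijack: user={rec['user']} sid={sid[:8]}...")
            return None, "client mismatch: session revoked"
        rec["last_seen"] = now
        return rec["user"], "ok"


def set_cookie_header(sid: str) -> str:
    """Cookie flags: never sent in clear (Secure), unreadable by page script
    (HttpOnly), not attached to cross-site requests (SameSite=Strict)."""
    return f"Set-Cookie: sid={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


if __name__ == "__main__":
    store = SessionStore(idle_timeout=900)
    anon = store.start_anonymous(*LEGIT_CLIENT)
    sid = store.login(anon, "dr.jones", *LEGIT_CLIENT)
    print(set_cookie_header(sid))
    print(store.validate(sid, *LEGIT_CLIENT))      # ('dr.jones', 'ok')
    print(store.validate(sid, *ATTACKER_CLIENT))   # (None, 'client mismatch: session revoked')
    print(store.alerts)
```

Revoking on mismatch is a deliberate trade-off: a user whose IP changes mid-session is logged out and must re-authenticate, which is the cost of making a replayed cookie fail closed and show up in the alert queue rather than pass as a normal request.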
Man-in-the-API attacks intercept or manipulate API requests and responses between applications.
Attackers exploit:
Man-in-the-API attacks can lead to:
APIs used for patient communication, scheduling, billing, lab results, and patient data exchange may be targeted, leading to PHI exposure and medical fraud.
An Evil Twin attack involves a malicious Wi-Fi access point disguised as a legitimate network. In a Man-in-the-WiFi attack, “Attackers sometimes create public wifi networks and hot spots in popular public places such as airports, restaurants and city centers. The names of these fraudulent networks are often similar to nearby businesses or other trusted public wifi connections. Hackers can also compromise legitimate public wifi hot spots used by the public,” says IBM.
According to the Department of the Interior OIG, the attacker “uses inexpensive and easily available tools to eavesdrop on the wireless network traffic between a client and an access point, waiting for traffic that includes the encoded credentials. After collecting encoded credentials, the attacker attempts to break the encoding and recover the credentials in clear text… If not, the encoded credentials can be transmitted to higher performance remote systems where additional efforts could be dedicated to breaking the encoding. If the attacker successfully breaks the encoding, it can then use the recovered credentials to eavesdrop on communications, gain unauthorized access to the network, or gain unauthorized access to other systems inside of the network.”
Once inside the network, attackers can perform the following:
Hospitals, clinics, and conference venues are common targets due to high device density.
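As an added example that is not from the article, IBM or the DOI OIG report, the Python below screens a Wi-Fi scan for the evil twin pattern just described: a radio that advertises the organization's SSID (or a look-alike) but is not one of the access points the organization actually operates, especially when it is open where the real network uses WPA2. The scan rows are constructed and simplified (not real scanner output), and the `KNOWN_BSSIDS` inventory is an assumption; a real check would feed this from the wireless controller's AP list.

```python
"""Evil-twin screening over a Wi-Fi scan (added example)."""
from collections import defaultdict

# Constructed scan rows: (ssid, bssid, security, signal_dbm). Simplified
# layout, not real scanner output.
SCAN = [
    ("Hospital-Guest", "a4:2b:8c:11:22:01", "WPA2", -61),
    ("Hospital-Guest", "a4:2b:8c:11:22:02", "WPA2", -64),  # second inventory AP
    ("Hospital-Guest", "d8:3a:dd:99:88:77", "OPEN", -38),  # same name, open, unknown radio
    ("Hospital_Guest", "d8:3a:dd:99:88:78", "OPEN", -40),  # look-alike name
    ("CafeWiFi", "00:11:22:33:44:55", "WPA2", -70),        # unrelated neighbour
]

# Assumed: the site's AP inventory (BSSIDs the organisation actually operates).
KNOWN_BSSIDS = {"a4:2b:8c:11:22:01", "a4:2b:8c:11:22:02"}


def _norm(ssid: str) -> str:
    """Collapse case and punctuation so 'Hospital_Guest' matches 'Hospital-Guest'."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def find_evil_twins(scan, known_bssids):
    """Return rows that impersonate an inventory network, with the reasons."""
    # Baseline: which security modes the real APs advertise per SSID.
    trusted = defaultdict(set)
    for ssid, bssid, sec, _ in scan:
        if bssid in known_bssids:
            trusted[ssid].add(sec)
    trusted_by_norm = {_norm(s): s for s in trusted}

    findings = []
    for ssid, bssid, sec, signal in scan:
        if bssid in known_bssids:
            continue
        reasons = []
        if ssid in trusted:
            reasons.append("same SSID as inventory AP but BSSID not in inventory")
            if sec == "OPEN" and "OPEN" not in trusted[ssid]:
                reasons.append("advertises OPEN where inventory uses " + "/".join(sorted(trusted[ssid])))
        elif _norm(ssid) in trusted_by_norm:
            reasons.append(f"look-alike of trusted SSID {trusted_by_norm[_norm(ssid)]!r}")
        if reasons:
            findings.append({"ssid": ssid, "bssid": bssid, "security": sec,
                             "signal_dbm": signal, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_evil_twins(SCAN, KNOWN_BSSIDS):
        print(f["ssid"], f["bssid"], f["security"], f["signal_dbm"], "dBm")
        for r in f["reasons"]:
            print("   -", r)
```

The unusually strong signal on the open twin is typical (the attacker's radio is close to the victims), but it is left out of the rules above because signal strength alone also flags legitimate nearby APs; BSSID inventory and a security-mode downgrade are the reliable signals.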
Read more: Rogue Wi-Fi networks: What you need to know
Man-in-the-Form attacks specifically target web forms, modifying data before submission.
Man-in-the-Form is a subset of MitM: the cybercriminal exploits vulnerabilities in online forms to position themselves “between users and trusted applications so they can control communications and intercept data in real time.”
When attackers have access to online forms, they can:
Patient intake forms, consent forms, and billing submissions are high-risk targets.
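The Python below is an added example, not code from the article or from any of the sources it quotes, and it serves both the Man-in-the-API section above and the Man-in-the-Form section here, since both describe the same problem (data changed between client and server) and the same control answers both: an HMAC over the data the server must be able to trust. For API calls the client signs method, path, timestamp, nonce and body hash, so an altered body or a replayed request is rejected; for forms the server signs the fields it issued (invoice number, amount) so a change to them before submission is caught, while user-typed fields are validated separately. The secrets, header names, paths and field values are assumptions for illustration and the requests are constructed. One caveat a practitioner should keep in mind: this catches tampering on the wire and replay, but a Man-in-the-Browser Trojan that edits the input before the client signs it is not caught by a client-side signature; that case needs server-side validation and out-of-band confirmation of the transaction.

```python
"""Integrity checks for API requests and server-issued form fields (added example)."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed secrets for the example only; real deployments use per-client keys
# from a secret store and rotate them.
API_SECRET = b"demo-only-shared-secret"
FORM_SECRET = b"demo-only-form-secret"


def _canonical(method: str, path: str, ts: int, nonce: str, body: bytes) -> bytes:
    """Everything the server must be able to trust, in one fixed order."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(ts), nonce, body_hash]).encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes, ts=None, nonce=None) -> dict:
    """Client side: produce the auth headers for one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(secret, _canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac}


class RequestVerifier:
    """Server side: rejects altered, stale and replayed requests."""

    def __init__(self, secret: bytes, max_skew: int = 300):
        self.secret = secret
        self.max_skew = max_skew
        self._seen_nonces: set[str] = set()  # bounded by max_skew in a real store

    def verify(self, method: str, path: str, body: bytes, headers: dict, now=None):
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside window"
        if nonce in self._seen_nonces:
            return False, "replayed nonce"
        expected = hmac.new(self.secret, _canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time compare
            return False, "signature mismatch: request altered in transit"
        self._seen_nonces.add(nonce)  # only remember nonces that verified
        return True, "ok"


def _form_payload(fields: dict) -> bytes:
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_form(secret: bytes, fields: dict) -> dict:
    """Server renders its own hidden fields plus a MAC over them.
    Fields the user types are not covered and must be validated on submit."""
    return {**fields, "form_sig": hmac.new(secret, _form_payload(fields), hashlib.sha256).hexdigest()}


def verify_form(secret: bytes, submitted: dict, protected: tuple):
    """Server side on submit: the protected fields must match what was issued."""
    try:
        fields = {k: submitted[k] for k in protected}
        sig = submitted["form_sig"]
    except KeyError:
        return False, "protected field or signature missing"
    expected = hmac.new(secret, _form_payload(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "server-issued field changed before submission"
    return True, "ok"


if __name__ == "__main__":
    v = RequestVerifier(API_SECRET)
    body = b'{"patient_id":"P-1001","amount":"125.00"}'
    hdrs = sign_request(API_SECRET, "POST", "/v1/payments", body)
    print(v.verify("POST", "/v1/payments", body.replace(b"125", b"9125"), hdrs))
    print(v.verify("POST", "/v1/payments", body, hdrs))
    print(v.verify("POST", "/v1/payments", body, hdrs))  # replay
    form = issue_form(FORM_SECRET, {"invoice_id": "INV-42", "amount": "125.00"})
    print(verify_form(FORM_SECRET, {**form, "amount": "1.00"}, ("invoice_id", "amount")))
```

Nonces are recorded only after the signature verifies, otherwise anyone on the path could burn a client's nonces with forged requests; and the timestamp window is what lets the server forget old nonces instead of storing them forever.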
Protecting against Man-in-the-X attacks requires a combination of technical controls, secure network practices, and informed user behavior. Because MitX attacks exploit weaknesses across devices, networks, and communication channels, defenses must be layered rather than relying on a single safeguard. IBM suggests:
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
MitM attacks often occur through phishing emails, unsecured public Wi-Fi networks, malicious websites, or compromised routers that allow attackers to eavesdrop on or manipulate data in transit.
Attackers commonly target login credentials, financial information, session cookies, personal data, and protected health information (PHI).
MitX attacks are often difficult to detect, but warning signs may include certificate warnings in the browser, unexpected logouts, unusually slow connections, or changes to web pages or transactions that the user did not initiate. A certificate warning on a site that normally loads cleanly should be treated as possible interception and reported, not clicked through.