How to protect against MitC attacks

By Anurag Kahol, CTO, Bitglass

With cloud popularity advancing rapidly, an increasing number of organisations are taking advantage of anytime, anywhere data access in order to achieve improved productivity and flexibility.

The growth of these services has not  gone unnoticed by malicious entities, giving rise to a new breed of cyber attack.

One malicious tactic that has become quite prevalent in recent years is known as a ‘man in the cloud’ (MitC) attack, which aims to  access victims’ accounts without the need to obtain compromised user credentials beforehand.

To gain access to cloud accounts, MitC attacks take advantage of the OAuth  synchronisation token system used by cloud applications. Most popular cloud services, including Dropbox, Microsoft OneDrive and Google Drive, each save one of these tokens on a user’s device after initial authentication is completed.

This is done to improve usability – users don’t have to enter their password every time they attempt to access an app if they have an OAuth token. But the anytime, anywhere nature of cloud services means that the same token can grant access from any device.

If an attacker can access and copy a token, she or he can infiltrate the victim’s cloud remotely – in a manner that appears genuine and bypasses security measures.

According to Minerva, the research team that discovered MitC attacks, the easiest way to gain access to a token is through social engineering. This involves tricking the victim into running purpose-built malware tools such as Switcher that are usually distributed via email.

Once executed on the victim’s device, this malware installs a new token (belonging  to a new account created by the attacker) and moves the victim’s real token into a cloud sync folder. When the  victim’s device next syncs, it syncs the victim’s data to the attacker’s account instead of the victim’s.

In addition, the original account token is revealed to the attacker. At that point, the Switcher can be used to copy the original account token back to the victim’s machine and erase the malicious one, removing all traces of the security breach and leaving the attacker with full access to the victim’s account on any device.

How to protect against MitC attacks

The  nature of the MitC attack makes it very difficult to prevent with conventional security measures such as endpoint and perimeter protection. Yet there are several steps  that organisations can take to significantly minimise (or even eliminate) the chance of becoming a MitC victim.

  1. Conduct regular security training

One of the most effective security measures is also one of the simplest. As mentioned above, MitC attacks rely on social engineering to  be successful. Fortunately, a well-trained, vigilant employee is far less likely to click on a malicious link or a suspect attachment inside of a phishing email.  Security conscious organisations should conduct regular trainings with all of their employees in order to keep security top of mind and ensure they know the tell-tale signs of an attempted attack.

  1. Use encryption to protect cloud data

While encryption cannot prevent an MitC attack from occurring, it can prevent data breaches that may take place as a result. Provided the encryption keys are not also stored within the targeted cloud service, any data accessed through an MitC attack would remain encrypted to the attacker. This means that the stolen information would be indecipherable and unusable to the malicious party.

  1. Enable two-factor authentication

Multi-factor authentication (MFA), is another simple but effective way to help minimise the threat of MitC attacks. This authentication capability is available with leading cloud services (Office 365) as well as from specialised security solutions built to verify users’ identities across all of an organisation’s cloud-based resources. MFA adds an extra layer of security that can easily thwart an MitC attacker who doesn’t have the ability to authenticate beyond an OAuth token.

  1. Invest in a cloud access security broker (CASB)

One of the most comprehensive ways to protect against threats like MitC attacks is through the deployment of a CASB. These intermediate all traffic between an organisation’s cloud apps and endpoint devices – they automatically replace each app’s OAuth tokens with encrypted tokens before delivering them to endpoints.

As a device attempts to access a cloud app, the unique, encrypted token is presented to the CASB, which decrypts it and passes it along it to the app. Consequently, if a user’s token were to be replaced with a hacker’s, then the malicious token would fail validation and decryption at the proxy, denying  access to the intended victim’s account and nullifying the attack.


While detecting MitC threats with conventional security tools is virtually impossible, that doesn’t mean that organisations are defenceless. Regular  employee trainings, when combined with security measures like encryption, two-factor authentication, and CASBs, can provide an extremely robust defence against MitC attacks and countless other threats. In the modern business world, effective security isn’t a luxury, it’s a necessity. Any organisation that fails to remain prepared will inevitably suffer a breach.