Email account takeover replacing man-in-the-middle attacks as a major cybersecurity threat

Email Account Takeover Replaces Man-in-the-Middle Attacks: What You Need to Know

September 05, 2025 / in Blog / by Zafar Khan, RPost CEO

The Proverbial Cybersecurity “Man-in-the-Middle” Attack Not In Vogue Anymore...

Hey there, Rocky the Raptor here, swooping in to chat about a big shift in the world of cyber threats. Back in the day, companies (especially law firms) worried a lot about what we used to call a “Man-in-the-Middle” attack.

It was a pretty easy concept to explain. Imagine sending an email without protection. It was like mailing a postcard; every stop along the way, every server or system, could read it. If a cybercriminal happened to be hanging out along the route, they could snoop on the message and grab your sensitive information.

Email Encryption to the Rescue (Mostly)

Then came email encryption. With encryption, your emails are no longer postcards; they’re now securely sealed envelopes. Today, most companies encrypt emails as they travel from one server to another, keeping prying eyes at bay.

Quick reality check: Not every company does this right, and some only use what’s called “opportunistic TLS.” That’s a fancy way of saying, “We try to send it encrypted, but no promises.” We’ll save that rabbit hole for another day.

The bottom line? If your email is encrypted in transit, it’s really hard for cybercriminals to intercept and read it. So, they’ve moved on to a sneakier approach.

Exit “Man-in-the-Middle.” Enter “Email Account Compromise.”

Rather than fighting through encrypted walls, cybercriminals figured out something smarter: why not just take over an email account?

These cybercriminal groups, or cabals as we prefer to call them, have become exceptionally skilled at breaking into accounts. Once inside, they quietly reroute copies of sensitive emails to their own servers, often hosted on rented virtual private servers (VPS) from common cloud providers. 

It’s like planting a spy inside the conversation rather than eavesdropping from the outside.

They’re especially clever about targeting smaller organizations or third parties connected to bigger ones. Think in terms of a law firm:

  • Big law firm with a rock-solid IT team? Hard target.
  • Opposing side’s smaller firm with just a basic email setup? Easy pickings.

Guess which one the cybercriminals go after first? Yep, the smaller one.

Context Before the Strike

Cybercriminals want context — who’s talking to whom, about what, and when.

Once they have that intel, they feed it into AI tools that help them create hyper-realistic, hyper-targeted impersonation emails. These emails don’t just look legit; they feel legit. And that’s when mistakes happen, like misdirected payments or leaked secrets.

Here’s a jaw-dropper. A family investment office in California recently fell victim to a $125 million real estate scam. Cybercriminals impersonated two different lawyers from two separate firms, emailing back and forth to create a believable paper trail. Several investors were tricked, and the criminals walked away with the cash.

The FBI reports billions in annual losses from scams like these. Groups like Black Axe (Nigeria) and Fancy Bear, FIN7, and FIN11 (Russia) are running these operations like well-oiled businesses.

Why Traditional Security Isn’t Enough

Here’s the thing: most cybersecurity tools only kick in after the attack has started — once the damage is already happening. That’s like locking the barn door after the raptor has escaped (trust me, bad idea).

To fight back, you need to see the danger before it strikes, even if it’s happening outside your internal systems.

Modern Cybersecurity = Playing Offense

Here’s what cutting-edge security looks like today:

  1. Spotting Threats Beyond Your Walls

See cybercriminal activity outside your company network, before it turns into an attack.

  1. Identifying Leaky Third Parties

Figure out which external partners are leaking sensitive information.

  1. Catching Insider Leaks (Naive or Nefarious)

Whether it’s accidental or malicious, stop sensitive data from slipping out.

  1. Tracking the Source

Link leaked data back to specific people, content, and even the cybercriminal groups involved.

  1. Auto-Remediation — Like a Digital “Kill Switch”

Instantly kill access to sensitive content before the wrong person sees it. Even better, keep proof that it was killed to reduce reporting headaches and regulatory fallout.

Remember - in sports and in cybersecurity, the best defense is a strong offense. Get in touch if you wish to learn more!