MITRE ATT&CK® Technique

T1557.004: Evil Twin

Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or Input Capture.[1]

By using a Service Set Identifier (SSID) of a legitimate Wi-Fi network, fraudulent Wi-Fi access points may trick devices or users into connecting to malicious Wi-Fi networks.[2][3] Adversaries may provide a stronger signal strength or block access to Wi-Fi access points to coerce or entice victim devices into connecting to malicious networks.[4] A Wi-Fi Pineapple – a network security auditing and penetration testing tool – may be deployed in Evil Twin attacks for ease of use and broader range. Custom certificates may be used in an attempt to intercept HTTPS traffic.

Similarly, adversaries may also listen for client devices sending probe requests for known or previously connected networks (Preferred Network Lists or PNLs). When a malicious access point receives a probe request, adversaries can respond with the same SSID to imitate the trusted, known network.[4] Victim devices are led to believe the responding access point is from their PNL and initiate a connection to the fraudulent network.

Upon logging into the malicious Wi-Fi access point, a user may be directed to a fake login page or captive portal webpage to capture the victim’s credentials. Once a user is logged into the fraudulent Wi-Fi network, the adversary may be able to monitor network activity, manipulate data, or steal additional credentials. Locations with high concentrations of public Wi-Fi access, such as airports, coffee shops, or libraries, may be targets for adversaries to set up illegitimate Wi-Fi access points.

Domain: Enterprise | ID: T1557.004 | Type: Sub-technique | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Evil Twin is a wireless adversary-in-the-middle behavior where a fraudulent Wi-Fi access point impersonates a legitimate or previously trusted SSID to lure users or devices onto an attacker-controlled network. Its business significance is that credential theft and data collection can occur outside traditional perimeter controls, especially in public Wi-Fi environments such as airports, coffee shops, libraries, or travel scenarios.

Executive priority

Treat this as a mobile workforce, executive travel, and wireless security risk rather than only a network engineering issue. Leaders should ask whether the organization can detect rogue or impersonating access points, whether users know how to report suspicious captive portals or certificate prompts, and whether incident response can investigate credential exposure after suspected malicious Wi-Fi use. The ATT&CK relationship to Adversary-in-the-Middle and the credential-access and collection tactics makes this relevant to identity risk, SOC readiness, and compliance evidence around wireless controls and user awareness.

Technical view

ATT&CK lists this sub-technique for Network Devices under credential-access and collection. SOC and detection engineering teams should validate coverage for impersonated SSIDs, suspicious BSSIDs, unexpected signal-strength patterns, rogue access point alerts, client associations to unauthorized Wi-Fi, and network activity that may follow a connection to a fraudulent access point. Because official detection text is not provided, the related detection strategy DET0379 should be treated as a validation target, not assumed coverage. IR teams should connect suspected Evil Twin events to possible follow-on behaviors referenced by ATT&CK, including Network Sniffing, Transmitted Data Manipulation, and Input Capture.

Likely telemetry

  • Wireless controller and managed access point logs for SSID, BSSID, client association, roaming, and signal-strength observations
  • Wireless intrusion detection/prevention or rogue AP scan results where deployed
  • Network device logs showing unexpected access point behavior or unauthorized wireless infrastructure
  • Client-side Wi-Fi connection history where available, including previously connected SSIDs and suspicious captive portal interactions
  • DNS, HTTP, proxy, and boundary network logs from sessions occurring after connection to suspicious Wi-Fi

Detection direction

  • Inventory legitimate SSIDs and expected BSSIDs so detections can distinguish authorized wireless infrastructure from impersonation attempts.
  • Validate whether the environment can identify duplicate SSIDs, rogue APs, abnormal signal strength, and clients joining unauthorized wireless networks.
  • Tune detections carefully: duplicate SSIDs and public Wi-Fi names can create noise, so prioritize alerts involving corporate SSIDs, managed-device associations, credential prompts, or travel/high-risk locations.
  • Correlate suspected Evil Twin activity with identity telemetry, unusual logins, password reset events, and web traffic that could indicate credential capture or data interception.
  • Use the ATT&CK relationship to APT28 as threat-intelligence context only; it supports that ATT&CK records group use, not that any local activity is attributable without separate evidence.
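The first three points above, written out as detection logic over a constructed wireless-controller export (an added example, not code from the Glexia page or from MITRE). The approved SSID-to-BSSID inventory, the managed-client MAC, the key=value log format and the -40 dBm "strong signal" threshold are all assumptions for illustration; severities are labels to tune, not a standard.

```python
import re
from typing import Dict, List

# Constructed inventory of approved corporate SSIDs and the BSSIDs allowed to broadcast them;
# in production this is exported from the wireless controller (see "Likely telemetry").
AUTHORIZED: Dict[str, set] = {
    "CorpWiFi": {"aa:bb:cc:00:01:10", "aa:bb:cc:00:01:11"},
    "CorpGuest": {"aa:bb:cc:00:02:10"},
}
KNOWN_BSSIDS = {b for bssids in AUTHORIZED.values() for b in bssids}
MANAGED_CLIENTS = {"10:20:30:40:50:60"}  # constructed MAC of a managed endpoint
STRONG_RSSI_DBM = -40  # assumed threshold; tune to the site's normal beacon levels
KV_RE = re.compile(r"(\w+)=(\S+)")  # constructed key=value export format

def parse(line: str) -> Dict[str, str]:
    ev = dict(KV_RE.findall(line))
    for mac in ("bssid", "client"):  # normalise MAC case; SSID stays case-sensitive
        if mac in ev:
            ev[mac] = ev[mac].lower()
    return ev

def classify(line: str) -> List[str]:
    """Return findings for one observation; an empty list means no alert."""
    ev = parse(line)
    ssid, bssid = ev.get("ssid", ""), ev.get("bssid", "")
    corporate = ssid in AUTHORIZED
    findings: List[str] = []
    if corporate and bssid not in AUTHORIZED[ssid]:
        # Corporate SSID broadcast by a BSSID we do not own: Evil Twin candidate.
        tag = "impersonated-ssid"
        if int(ev.get("rssi", "-100")) >= STRONG_RSSI_DBM:
            tag += "+strong-signal"  # unusually strong beacon for that SSID
        findings.append(f"HIGH {tag} ssid={ssid} bssid={bssid}")
    if (ev.get("event") == "assoc" and ev.get("client") in MANAGED_CLIENTS
            and bssid not in KNOWN_BSSIDS):
        # Managed device joined infrastructure we do not control: corporate SSID -> HIGH,
        # public or unknown SSID -> MEDIUM, so airport/coffee-shop names stay low-noise.
        sev = "HIGH" if corporate else "MEDIUM"
        findings.append(f"{sev} managed-client-unauthorized-ap ssid={ssid} bssid={bssid}")
    return findings

def scan(log: str) -> List[str]:
    return [f for line in log.splitlines() if line.strip() for f in classify(line)]

# Constructed sample export: a legitimate beacon, an impersonating AP, a managed client that
# joined it, the same client later on public Wi-Fi, and an unrelated neighbouring AP.
SAMPLE_LOG = """\
event=beacon ssid=CorpWiFi bssid=AA:BB:CC:00:01:10 channel=36 rssi=-55
event=beacon ssid=CorpWiFi bssid=DE:AD:BE:EF:00:01 channel=6 rssi=-38
event=assoc ssid=CorpWiFi bssid=DE:AD:BE:EF:00:01 client=10:20:30:40:50:60 rssi=-41
event=assoc ssid=AirportFreeWiFi bssid=00:11:22:33:44:55 client=10:20:30:40:50:60 rssi=-60
event=beacon ssid=CoffeeShop bssid=66:77:88:99:AA:BB channel=11 rssi=-70
"""
```

Running `scan(SAMPLE_LOG)` yields four findings: two HIGH impersonation hits for the unknown BSSID broadcasting CorpWiFi (the first also tagged strong-signal), one HIGH for the managed client associating to it, and one MEDIUM for the same client on the public SSID; the legitimate beacon and the neighbouring CoffeeShop AP produce nothing.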

Mitigation priorities

  • Prioritize user training focused on recognizing suspicious Wi-Fi networks, fake captive portals, unexpected credential prompts, and certificate warnings, consistent with mitigation M1017.
  • Maintain wireless governance: define approved SSIDs, monitor for unauthorized or impersonating access points, and establish a reporting path for suspicious Wi-Fi.
  • Use network intrusion prevention or boundary inspection where applicable to block or alert on suspicious traffic after a device connects, consistent with M1031, while recognizing this may not detect the rogue access point itself.
  • Include suspected Evil Twin use in incident response playbooks: collect device connection history, review identity activity, and decide when credential resets are warranted.
  • For compliance and audit readiness, retain evidence of wireless monitoring, awareness training, and response procedures for rogue or impersonated access points.

Analyst notes and limits

The object is a sub-technique of T1557 Adversary-in-the-Middle and is mapped to credential-access and collection. ATT&CK notes that adversaries may use legitimate-looking SSIDs, stronger signal strength, interference with legitimate access, probe-request responses for preferred networks, fake login pages, captive portals, and custom certificates to support interception or credential capture. Relationships include DET0379 as a detection strategy and mitigations M1017 User Training and M1031 Network Intrusion Prevention.

Official ATT&CK detection text is not provided for this object, so detection guidance must be validated against local wireless architecture and available telemetry. The supplied platform is Network Devices; do not assume endpoint, cloud, or identity-platform visibility unless the organization collects and correlates that evidence. The APT28 relationship is an ATT&CK use relationship and does not establish attribution or active exploitation in any environment.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1557 | Adversary-in-the-Middle | This object is a sub-technique of Adversary-in-the-Middle.

Associated objects

Groups, software, and campaigns

Group Enterprise

G0007: APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 31f986820265c50d...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 31f986820265…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’ WiFi attack on plane. Retrieved September 17, 2024.
  [2] AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent them. Retrieved September 17, 2024.
  [3] Gihan, Kavishka. (2021, August 8). Wireless Security — Evil Twin Attack. Retrieved September 17, 2024.
  [4] Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September 17, 2024.
  [5] MITRE ATT&CK. T1557.004: Evil Twin.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.