[jessaustin]

If the MITM can do that, it doesn't need to attack cookies does it? It can just impersonate the remote site and steal user-entered credentials. Sharp-eyed users or up-to-date browsers might notice the lack of https for popular sites, and also 2FA, but in general e.g. a malicious WAP has many options.

Or I could be very wrong about this. Please advise.

[tptacek]

No, the MITM can be choosy about what traffic it relays and allow the attack to run without causing any of the connections to complete. Think network-layer MITM instead of transport-layer MITM.