Invention Grant
- Patent Title: Man-in-the-middle (MITM) checkpoint in a cloud database service environment
- Application No.: US17508972
- Application Date: 2021-10-23
- Publication No.: US11888871B2
- Publication Date: 2024-01-30
- Inventor: Leonid Rodniansky
- Applicant: International Business Machines Corporation
- Applicant Address: US NY Armonk
- Assignee: International Business Machines Corporation
- Current Assignee: International Business Machines Corporation
- Current Assignee Address: US NY Armonk
- Agent: Edward J. Wixted, III
- Main IPC: H04L29/06
- IPC: H04L29/06 ; H04L9/40 ; H04L67/10

Abstract:
A technique to protect a cloud database located at a database server and accessible from a database client. In this approach, a communication associated with a database session is intercepted. A hostname or network address associated with the communication is then evaluated to determine whether such information can be found in or otherwise derived from data in a database protocol packet associated with the database session. The information typically is placed there unavoidably by the cloud database client and normally cannot be spoofed by a process that does not understand or speak the proper database protocol semantics. Upon a mismatch, the database session is flagged as being potentially associated with a man-in-the-middle (MITM), in which case a given action may then be taken with respect to the database session that is then active. The technique provides for a MITM checkpoint in a cloud database service environment.
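
The mismatch check the abstract describes can be sketched as follows. This is an added example, not code from the patent or from IBM. The abstract names no specific database protocol, so an Oracle Net style connect descriptor (`HOST=...`) is assumed as a stand-in, and the function names, return labels and sample packet bytes are hypothetical and constructed.

```python
import ipaddress
import re

# Assumption: the client embeds its target as (HOST=<value>) in the packet,
# as in an Oracle Net style connect descriptor.
_HOST_RE = re.compile(rb"\(\s*HOST\s*=\s*([^)\s]+)\s*\)", re.IGNORECASE)


def hosts_in_packet(payload: bytes) -> set[str]:
    """Return every HOST value the client placed in the protocol packet."""
    return {m.decode("ascii", "replace").lower().rstrip(".")
            for m in _HOST_RE.findall(payload)}


def _normalize(value: str) -> str:
    """Canonicalize an IP literal; lower-case a hostname."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value.lower().rstrip(".")


def check_session(observed: set[str], payload: bytes) -> str:
    """Compare the names/addresses the checkpoint associates with the
    intercepted connection against those embedded in the packet.
    Returns 'ok', 'possible-mitm', or 'no-evidence' when the packet
    carries no host field to compare against."""
    claimed = {_normalize(h) for h in hosts_in_packet(payload)}
    if not claimed:
        return "no-evidence"
    seen = {_normalize(o) for o in observed}
    return "ok" if claimed & seen else "possible-mitm"


# Constructed sample: placeholder header bytes followed by a connect descriptor.
SAMPLE = (b"\x00\x3a\x00\x00\x01\x00\x00\x00"
          b"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1.example.com)(PORT=1521))"
          b"(CONNECT_DATA=(SERVICE_NAME=orders)))")

if __name__ == "__main__":
    # Connection addressed to the host the client named: no flag.
    print(check_session({"db1.example.com", "203.0.113.10"}, SAMPLE))
    # Connection associated with a different endpoint: flag the session.
    print(check_session({"relay.example.net", "198.51.100.7"}, SAMPLE))
```

A session that returns `possible-mitm` is only flagged here. What action follows (alert, terminate, quarantine) is a policy decision the abstract leaves open as "a given action".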