Microsoft Warns of Surge in Token Theft, Bypassing MFA

The Microsoft Detection and Response Team (DART) recently warned that attackers are increasingly using token theft to circumvent multi-factor authentication (MFA).

“By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly,” the team wrote in a blog post.

That’s particularly concerning, they noted, because the attack technique doesn’t require significant expertise, it’s difficult to detect, and few organizations are watching out for it.

AitM and Pass-the-Cookie Attacks

The two leading methods of token theft observed by DART are adversary-in-the-middle (AitM) frameworks and pass-the-cookie attacks.

In the case of AitM, the team warned, “Frameworks like Evilginx2 go far beyond credential phishing, by inserting malicious infrastructure between the user and the legitimate application the user is trying to access. When the user is phished, the malicious infrastructure captures both the credentials of the user, and the token.”

Depending on the privileges of the victim, the result can range from business email compromise (BEC) to total takeover of administrative control.

Pass-the-cookie attacks involve the compromise of browser cookies to access corporate resources. “After authentication to Azure AD via a browser, a cookie is created and stored for that session,” the team noted. “If an attacker can compromise a device and extract the browser cookies, they could pass that cookie into a separate web browser on another system, bypassing security checkpoints along the way.”

That’s a particular concern for personal devices. As more and more employees work remotely, DART warned, employees are increasingly accessing corporate resources from devices that lack strong security controls.

“Users on these devices may be signed into both personal websites and corporate applications at the same time, allowing attackers to compromise tokens belonging to both,” they wrote.

Commodity malware like Emotet, Redline, and IcedID all have built-in functionality to exfiltrate browser cookies. What’s more, DART noted, “the attacker does not have to know the compromised account password or the email address for this to work – those details are held within the cookie.”

Also read: The Challenges Facing the Passwordless Future

How to Respond to Token Theft

Key mitigations, according to DART, include maintaining full visibility into how and where all users are authenticating.

“Allowing only known devices that adhere to Microsoft’s recommended security baselines helps mitigate the risk of commodity credential theft malware being able to compromise end user devices,” they wrote.

For unmanaged devices, DART recommends reducing the lifetime of each session to shorten the length of time a given token is viable, and implementing Conditional Access App Control in Microsoft Defender for Cloud Apps.

For highly privileged users, DART also advises implementing phishing-resistant MFA solutions like FIDO2 security keys, Windows Hello for Business, or certificate-based authentication. Such users should also have a segregated cloud-only identity for admin activities.

If a user is compromised, DART noted, Azure AD provides the capability to revoke a refresh token, forcing the user to re-authenticate – though the token can still remain valid for up to an hour, giving the attacker access to the account until it expires.

DART also recommends checking any compromised user’s account for signs of persistence, such as added mailbox rules to forward or hide email, additional authentication methods added to MFA, additional device enrollment, and data exfiltration.

“Having visibility, alerting, insights, and a full understanding of where security controls are enforced is key,” the team wrote. “Treating both identity providers that generate access tokens and their associated privileged identities as critical assets is strongly encouraged.”

Read next:

Top Password Managers

Top Identity & Access Management tools

Jeff Goldman
Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Related articles