Using widely shared hacking tools, many criminals are using sophisticated tactics that bypass what is thought of as modern, conventional IT security.
Due to the sluggish adoption of multi-factor authentication (MFA), many businesses that are just now catching up are still uninformed about conditional access.
This puts many businesses that operate in a hybrid environment or fully in the cloud at risk from token theft, which bypasses even strong two-factor controls such as a password plus an authenticator app.
With this growing cybersecurity threat, adversaries are able to bypass traditional MFA controls and impersonate users to gain unauthorized access into your company files.
Because of its widespread use, Microsoft 365 is a main vehicle used to carry out such attacks.
Such attacks could put your business at risk of substantial financial loss, reputational damage, lost customers, and possible legal consequences.
In this article, you’ll discover how threat actors have been able to get around MFA security controls to carry out these sneak attacks with alarming precision and increasing frequency. You’ll also learn four ways you can help mitigate risk to falling prey to these stealth cyberattacks.
For starters, tokens are digital keys or identifiers that grant access to data, systems, and other secure resources.
Once a person enters their authentication information, a token is issued to the device or application. The user is then allowed to maintain access for extended periods without having to constantly re-enter their login credentials.
With token theft, also known as token hijacking, adversaries are able to impersonate users by stealing the encoded tokens, even if the person used MFA.
So, even though the user has passed the MFA authentication checkpoint, threat actors can still gain access with the stolen tokens.
This means that these types of cyberattacks happen without the user having any idea that their logins have been compromised. In addition, threat actors can delay an attack after gaining initial access to catch a victim off guard.
Although token theft often starts with a phishing scheme, this type of cyberattack has evolved to include various techniques.
Besides phishing, tokens can be obtained through unsecured networks, software security bugs, malicious applications, or compromised internet connections. They can also fall into the wrong hands when a device with stored, unprotected authentication tokens is lost or stolen.
Once they’re able to exploit a weakness, attackers gain access to a gold mine of valuable, sensitive business and personal data that could put your company at risk.
Token theft can start off in several different ways.
They frequently start out as an adversary-in-the-middle (AiTM) phishing attack. This is a type of man-in-the-middle (MiTM) attack that tricks users into logging into, or being redirected to, a fake website that looks identical to the real one.
With token theft, the attacker slyly intercepts the login authentication token that was previously saved in the browser as the user attempts to access the resource. What’s more, cybercriminals can also steal “refresh” tokens that grant extended access.
In this way, token theft can hijack a user’s permissions, giving the attacker free rein to snoop through your documents, recordings and screenshots, email communications, financial and personal records, and proprietary business information, among other sensitive data.
Token theft can lead to a significant data breach, ransomware attack, identity theft, or potentially devastating financial loss.
For instance, what if you have recorded meetings of your senior leadership saved within your database? Your confidential business plans and competitive market strategies would then become accessible to threat actors looking to use the treasure trove of information for financial gain.
With the stolen access, attackers can send out a large number of scam messages from the target’s corporate email, allowing the attack to spread exponentially as more users within and outside your business are ensnared.
It can continue undetected even after an individual changes their passwords. Business owners and other C-suite executives are common targets of the scam, with emails being unknowingly sent to their contacts from their compromised email accounts.
According to Microsoft, the company detected 147,000 token replay attacks in 2023, representing a 111 percent year-over-year jump.
One factor that is fueling the increasing incidence of token theft is cloud computing. That’s because it opens up a potentially enormous virtual footprint for attackers to access databases, systems, applications, processes, and other critical information stored within your organization’s cloud infrastructure.
Token theft has become a growing concern among businesses large and small because of its high level of sophistication and deception. Even large enterprises have fallen prey to this troubling cybersecurity trend.
Since these cyberattacks are designed to happen without the user’s knowledge, anyone within your business can become an unwitting target and an involuntary participant with fake emails sent out from the individual’s email account.
So, what clues should you look for in token theft attacks?
Check that the sender’s email address is accurate.
Implementing proactive security controls can help defend against token theft.
Here are four security measures you can adopt now to strengthen your overall security posture and mitigate token theft:
One way you can protect your business against token theft is by implementing conditional access policies. These policies set the rules or conditions that allow a user to log into a Microsoft application, such as Outlook, SharePoint, or OneDrive.
With conditional access, suspicious or risky sign-ins might require the user to re-authenticate their identity to gain access.
Since many businesses use Microsoft 365—a common token theft target—conditional access provides a more secure way to allow access to your network and other company resources.
Administrators within your IT team can configure access controls for your organization, aligned with your other cybersecurity measures, to restrict access to your digital resources based on user verification and authorization.
Microsoft offers registration campaigns, a security feature that prompts users to enable MFA to combat token theft. These campaigns prompt users to sign up for Microsoft’s authentication service while logging into a Microsoft application.
Your company’s plan administrator, or managed IT provider, can set up the user authentication policies to allow for push notifications, key-based verification for passwordless logins, or other verification methods.
It’s important for companies to understand what registration campaigns they have active, and which are not currently active.
Since human error is responsible for the overwhelming majority of data breaches, it’s critical that you educate your employees on token theft, various kinds of phishing attacks, domain hijacking, DNS spoofing, and other commonly used tactics.
This way, they’ll know what to watch out for to avoid these scams, as well as what your company’s protocol is for reporting a suspected incident.
It’s also important to educate your staff on how to properly use and store tokens, such as using them only over encrypted networks, to prevent the token from being stolen in transit.
A security information and event management (SIEM) system continuously scans your data, devices, applications, servers, and other parts of your infrastructure for unusual activity.
It can detect potential threats in real time and send alerts to your team. A SIEM can help mitigate data breaches, malware attacks, and other security risks.
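As an added example (not the article's code), here is a SIEM-style rule a defender could run over sign-in logs to surface the token replay described above: a session token presented from a second device, or within a short window from a second IP address, after the interactive MFA sign-in that anchored it. The log format, field names and events are constructed for illustration; alerts like these are what a conditional access policy or SIEM rule would act on by forcing re-authentication or revoking the session.

```python
"""Flag likely token replay: a session token used from a different client than the
MFA sign-in that created it. Added example; log format and events are constructed."""
from datetime import datetime, timedelta

# Constructed sign-in events in the style of a cloud identity audit log.
# 'session' is an opaque session/refresh-token identifier, never the token itself.
# mfa=pass  -> interactive sign-in that passed MFA (anchors the session)
# mfa=token -> request authenticated by the existing token only
SAMPLE_LOG = [
    "2024-05-01T09:00:00Z user=alice session=S1 ip=203.0.113.10 device=laptop-01 mfa=pass",
    "2024-05-01T09:02:00Z user=alice session=S1 ip=203.0.113.10 device=laptop-01 mfa=token",
    "2024-05-01T09:10:00Z user=alice session=S1 ip=198.51.100.7 device=unknown mfa=token",
    "2024-05-01T09:30:00Z user=bob session=S2 ip=192.0.2.5 device=desktop-02 mfa=pass",
    "2024-05-01T11:00:00Z user=bob session=S2 ip=192.0.2.5 device=desktop-02 mfa=token",
]

WINDOW = timedelta(minutes=30)  # IP change faster than this is treated as suspicious


def parse_event(line):
    """Turn one 'ts key=value ...' log line into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_token_replay(lines, window=WINDOW):
    """Return (user, session, reason) alerts for token-only requests that do not
    match the device of the anchoring MFA sign-in, or that change IP within `window`."""
    anchors = {}  # session id -> (ts, ip, device) of the last interactive MFA sign-in
    alerts = []
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        sid = ev["session"]
        if ev["mfa"] == "pass":
            anchors[sid] = (ev["ts"], ev["ip"], ev["device"])
            continue
        if sid not in anchors:
            alerts.append((ev["user"], sid, "token used with no MFA sign-in on record"))
            continue
        ts, ip, device = anchors[sid]
        changed_device = ev["device"] != device
        fast_ip_change = ev["ip"] != ip and ev["ts"] - ts <= window
        if changed_device or fast_ip_change:
            alerts.append((ev["user"], sid,
                           f"token from {ev['ip']}/{ev['device']} but anchored to {ip}/{device}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_token_replay(SAMPLE_LOG):
        print("ALERT", *alert)
```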
There’s no escaping the fact that threat agents are using increasingly sophisticated tactics to sneak into your network undetected to exploit even the smallest cybersecurity weaknesses.
If you’re feeling frustrated to learn that threat actors have found a work-around to bypass the MFA cybersecurity controls you put in place to block them—we get it.
But don’t be discouraged. There are things you can do to strengthen your security posture and help reduce the chances of a cybersecurity incident like a data breach or ransomware attack.
If you don’t have an in-house team of IT professionals with the expertise to implement the right security measures for your business, you might benefit from using a managed IT services provider (MSP).
If you're searching for an MSP, we encourage you to weigh several options before deciding, so that you choose a provider with the specialized skills and experience to offer expert cybersecurity planning, budgeting, and implementation strategies.
We write articles like this to provide useful information that helps small and medium-sized businesses make the best IT-related decisions for their organizations, whether you choose to work with us or not.
Do you know how secure your environment is? Use our cybersecurity checklist to see how prepared you are to fight against ever-lurking cybercriminals.