Microsoft: Hackers are using this ‘concerning’ tactic to dodge multi-factor authentication


Microsoft says token theft attacks are on the rise. Here’s what you need to do to protect yourself.


Microsoft has outlined several mitigations to protect against attacks on multi-factor authentication that will unfortunately make life more difficult for your remote workers.

Three years ago, attacks on multi-factor authentication (MFA) were so rare that Microsoft didn’t have decent statistics on them, largely because few organisations had enabled MFA.

But with MFA use rising as attacks on passwords become more common, Microsoft has seen an increase in attackers using token theft in their attempts to sidestep MFA.


In these attacks, the attacker compromises a token issued to someone who’s already completed MFA and replays that token to gain access from a different device. Tokens are central to OAuth 2.0 identity platforms, including Azure Active Directory (AD), which aim to make authentication simpler and faster for users, but in a way that’s still resilient to password attacks.


Moreover, Microsoft warns that token theft is dangerous because it doesn’t require high technical skills, detection is difficult and, because the technique has only recently seen an uptick, few organisations have mitigations in place.

“Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose,” Microsoft says in a blogpost.

“By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly. This poses to be a concerning tactic for defenders because the expertise needed to compromise a token is very low, is hard to detect, and few organizations have token theft mitigations in their incident response plan.”

When accessing web applications shielded by Azure AD, the user needs to present a valid token, which they can get after signing into Azure AD using their credentials. Admins can set policy to require MFA to sign into an account from a browser. The token issued to the user is presented to the web application, which validates the token and opens up access.

“When the user is phished, the malicious infrastructure captures both the credentials of the user, and the token,” Microsoft explains.

If both credentials and the token are stolen, the attacker can use these for numerous attacks. Microsoft highlights business email compromise, which is the largest cause of cybercrime financial losses today.


Microsoft also warns of “Pass-the-cookie” attacks, where an attacker compromises a device and extracts browser cookies that are created after authentication to Azure AD from a browser. The attacker passes the cookie to another browser on another system to bypass security checks.

“Users who are accessing corporate resources on personal devices are especially at risk. Personal devices often have weaker security controls than corporate-managed devices and IT staff lack visibility to those devices to determine compromise,” Microsoft notes. This is a greater risk for remote workers who use personal devices.

To counter the threat of token theft attacks on MFA, Microsoft recommends shortening session and token lifetimes, though this has a convenience cost to the user. Mitigations include:

  • Reducing the lifetime of the session increases the number of times a user is forced to re-authenticate
  • Reducing the viable time of a token forces threat actors to increase the frequency of token theft attempts
  • Microsoft recommends implementing Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices
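As an added illustration (not code from Microsoft or the article), the check below runs over constructed sign-in records and flags a session token reused from a different device or IP than the one that completed MFA, the replay pattern described above; it also reports whether a shorter token lifetime, the first mitigation listed, would have expired the token before the suspect use. Field names and the record format are assumptions, not Azure AD's sign-in log schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample sign-in events (assumed field names, not Azure AD's schema).
# "mfa": true marks the interactive sign-in that satisfied MFA; later lines in the
# same session carry the token/cookie issued by that sign-in.
SAMPLE_SIGNINS = """\
{"time": "2025-07-11T08:00:00Z", "user": "alice", "session_id": "s-1", "ip": "203.0.113.10", "device_id": "laptop-1", "mfa": true}
{"time": "2025-07-11T08:05:00Z", "user": "alice", "session_id": "s-1", "ip": "203.0.113.10", "device_id": "laptop-1", "mfa": false}
{"time": "2025-07-11T08:40:00Z", "user": "alice", "session_id": "s-1", "ip": "198.51.100.7", "device_id": "", "mfa": false}
{"time": "2025-07-11T09:00:00Z", "user": "bob", "session_id": "s-2", "ip": "203.0.113.20", "device_id": "laptop-2", "mfa": true}
{"time": "2025-07-11T09:30:00Z", "user": "bob", "session_id": "s-2", "ip": "203.0.113.20", "device_id": "laptop-2", "mfa": false}
"""

def parse_signins(text):
    """Parse one JSON record per line and return them in time order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["time"])

def find_token_replays(events, token_lifetime=timedelta(hours=1)):
    """Flag uses of a session token from a device/IP other than the one that
    completed MFA, and note whether token_lifetime would already have expired it."""
    origin = {}   # session_id -> the sign-in that satisfied MFA
    alerts = []
    for e in events:
        sid = e["session_id"]
        if e["mfa"]:
            origin[sid] = e
            continue
        first = origin.get(sid)
        if first is None:
            continue   # no MFA sign-in seen for this session; nothing to compare
        if e["ip"] == first["ip"] and e["device_id"] == first["device_id"]:
            continue   # same device and network as the MFA sign-in: expected
        age = e["time"] - first["time"]
        alerts.append({
            "user": e["user"], "session_id": sid,
            "mfa_ip": first["ip"], "replay_ip": e["ip"],
            "minutes_after_mfa": int(age.total_seconds() // 60),
            "blocked_by_lifetime": age > token_lifetime,
        })
    return alerts

if __name__ == "__main__":
    for alert in find_token_replays(parse_signins(SAMPLE_SIGNINS), timedelta(minutes=30)):
        print(alert)
```

In production the origin device and network would come from the identity provider's sign-in log rather than a constructed string, and IP changes alone (mobile roaming, VPNs) need tuning to avoid noise.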

Microsoft also recommends implementing FIDO2 security keys, Windows Hello for Business, or certificate-based authentication for users.

Users with high-level privileges, such as the Global Domain admin, should have a segregated cloud-only identity. This will help reduce the attack surface from on-premises to cloud if an attacker compromises on-premises systems. These identities should not have a mailbox attached to them, Microsoft said.

“We recognize that while it may be recommended for organizations to enforce location, device compliance, and session lifetime controls to all applications it may not always be practical,” Microsoft notes.

https://www.zdnet.com/article/microsoft-hackers-are-using-this-concerning-tactic-to-dodge-multi-factor-authentication/
