In these attacks, the attacker compromises a token issued to someone who's already completed MFA and replays that token to gain access from a different device. Tokens are central to OAuth 2.0 identity platforms, including Azure Active Directory (AD), which aim to make authentication simpler and faster for users, but in a way that's still resilient to password attacks.
Moreover, Microsoft warns that token theft is dangerous because it doesn't require high technical skills, detection is difficult and, because the technique has only recently seen an uptick, few organisations have mitigations in place.
"Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose," Microsoft says in a blogpost.
"By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly. This poses to be a concerning tactic for defenders because the expertise needed to compromise a token is very low, is hard to detect, and few organizations have token theft mitigations in their incident response plan."
When accessing web applications shielded by Azure AD, the user needs to present a valid token, which they can get after signing into Azure AD using their credentials. Admins can set policy to require MFA to sign into an account from a browser. The token issued to the user is presented to the web application, which validates the token and opens up access.
"When the user is phished, the malicious infrastructure captures both the credentials of the user, and the token," Microsoft explains.
If both credentials and the token are stolen, the attacker can use these for numerous attacks. Microsoft highlights business email compromise, which is the largest cause of cybercrime financial losses today.
Microsoft also warns of "Pass-the-cookie" attacks, where an attacker compromises a device and extracts browser cookies that are created after authentication to Azure AD from a browser. The attacker passes the cookie to another browser on another system to bypass security checks.
"Users who are accessing corporate resources on personal devices are especially at risk. Personal devices often have weaker security controls than corporate-managed devices and IT staff lack visibility to those devices to determine compromise," Microsoft notes. This is a greater risk for remote workers who use personal devices.
To counter the threat of token theft attacks on MFA, Microsoft recommends shortening session and token lifetimes, though this has a convenience cost to the user. Mitigations include:
Reducing the lifetime of the session increases the number of times a user is forced to re-authenticate
Reducing the viable time of a token forces threat actors to increase the frequency of token theft attempts
Microsoft recommends implementing Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices
Microsoft also recommends implementing FIDO2 security keys, Windows Hello for Business, or certificate-based authentication for users.
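The replay pattern the article describes (one session token presented from a second device while it is still valid) and the effect of a shorter token lifetime, as an added detection example; this is not code from the Microsoft post or the article, and the record layout, field names, dates and sample sign-ins are constructed rather than Azure AD's real log schema:

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    """One sign-in record. Field names are constructed, not Azure AD's schema."""
    ts: datetime
    user: str
    session_id: str   # identifier tied to the issued token / session cookie
    device_id: str
    ip: str


def find_replays(events, lifetime_minutes=60):
    """Flag a session identifier presented from a second device while the
    token is still valid. Returns (session_id, original, replay) tuples.
    Uses beyond the lifetime are not correlated: the identity provider would
    reject the expired token, which is why a shorter lifetime narrows the
    window for a stolen token (assumed default here: 60 minutes)."""
    lifetime = timedelta(minutes=lifetime_minutes)
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_session[ev.session_id].append(ev)
    alerts = []
    for sid, evs in by_session.items():
        for prev, cur in zip(evs, evs[1:]):
            if cur.ts - prev.ts <= lifetime and cur.device_id != prev.device_id:
                alerts.append((sid, prev, cur))
    return alerts


# Constructed sample: alice's session token reappears from an unknown device
# and a different IP 20 minutes after issue; bob's is reused from the same
# device hours later (a normal re-authentication, not a replay).
T0 = datetime(2022, 11, 16, 9, 0)
SAMPLE = [
    SignIn(T0, "alice@contoso.example", "sess-a1", "dev-laptop-01", "203.0.113.10"),
    SignIn(T0 + timedelta(minutes=20), "alice@contoso.example", "sess-a1", "dev-unknown-77", "198.51.100.5"),
    SignIn(T0 + timedelta(minutes=5), "bob@contoso.example", "sess-b1", "dev-laptop-02", "203.0.113.11"),
    SignIn(T0 + timedelta(hours=3), "bob@contoso.example", "sess-b1", "dev-laptop-02", "203.0.113.11"),
]

if __name__ == "__main__":
    for sid, first, replay in find_replays(SAMPLE):
        print(f"possible token replay: session {sid} for {first.user} issued to "
              f"{first.device_id} ({first.ip}) reused from {replay.device_id} "
              f"({replay.ip}) at {replay.ts:%H:%M}")
```

With the default lifetime the detector flags alice's session once; with `lifetime_minutes=10` the 20-minute-later use falls outside the token's validity and nothing is flagged, which is the mitigation effect the list above describes.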
Users with high-level privileges, such as the Global Domain admin, should have a segregated cloud-only identity. This will help reduce the attack surface from on-premises to cloud if an attacker compromises on-premises systems. These identities should not have a mailbox attached to them, Microsoft said.
"We recognize that while it may be recommended for organizations to enforce location, device compliance, and session lifetime controls to all applications it may not always be practical," Microsoft notes.