Skip to main content

Half of MSPs Saw Token Theft Last Year. Five Controls Break the Attack at Every Stage

Nick Ross5 min read

TL;DR

  • In a July 2025 webinar poll of 259 registrants, 51% reported a token theft incident in the past year.
  • Token theft via AiTM phishing captures the session token after the user completes MFA, so MFA alone does not stop it.
  • A Conditional Access policy requiring a managed device prevents the token from being harvested on the adversary-in-the-middle page in the first place.
  • Post-breach persistence relies on three moves you can block: registering new MFA methods, consenting to rogue apps, and creating inbox rules.
  • Automated response to risk detections sits behind Entra ID P2 and E5 licensing; on lower tiers a high-risk user triggers no action by default.

We polled the 259 people who registered for a July 2025 webinar on token theft with one question: how many of you have had a token theft incident in the past year? 51% said yes.

Webinar poll showing 51% of respondents experienced a token theft incident

That number is the reason this attack deserves a defense-in-depth treatment rather than a single fix. The good news: token theft via adversary-in-the-middle (AiTM) phishing is a chain of dependent steps, and every link in that chain can be audited, tracked, or blocked. This article, a summary of that webinar, walks the kill chain and then the five protections we would prioritize to break it.

How the attack actually works

Token theft via AiTM starts with a phishing email that directs the user to a legitimate-looking Microsoft sign-in page. The user enters credentials, fulfills MFA, and is redirected to the real website, none the wiser. The attacker, sitting in the middle, harvests the session token, which can be replayed on a different device to take over the account. Think of a theme park visitor handing their identity to a fake ticket office: the attacker takes the ticket and rides everything in the park. These attacks are commonly simulated with the Evilginx framework.

The phishing lure takes many forms, but a common one replicates a legitimate-looking OneDrive or SharePoint sharing email with the man-in-the-middle link embedded:

Example phishing email impersonating a SharePoint file share

What happens after the token is stolen

Attack continuation paths after initial token compromise

Goals vary, but after compromise the attacker typically works toward some form of business email compromise leading to:

  • Financial loss (tricking users into wiring money to a fraudulent bank)
  • Data loss (downloading sensitive information or IP)
  • Ransomware

To get there, the attacker usually needs intermediate moves:

  • Hiding their presence
  • Maintaining persistence (token session lifetimes are limited)
  • Moving laterally, compromising other accounts
  • Running more phishing campaigns from the newly compromised account
  • Exfiltrating data

Every one of those actions can be audited, tracked, or blocked. That is the defense-in-depth opportunity.

Mapping the defenses before choosing them

Token theft protections mapped to the NIST Cybersecurity Framework

There are many protections that interrupt this attack, and availability varies by license. We have covered the reactive side in a separate post on incident response for token theft. This article stays on the prevention side: the posture that stops the attack before the response playbook is ever needed. Rather than walking every control on the map, here are the five we would put in place first.

The five controls, in order of the kill chain

1. Tune Defender for Office 365 so the lure never lands

Ideally the phishing email never reaches the inbox and there is no link to click. Review:

2. Block the AiTM infrastructure with web filtering

This control requires devices enrolled in Defender for Business or Defender for Endpoint. Block newly registered domains and parked domains, the categories attackers typically use when standing up Evilginx and other AiTM infrastructure.

Web content filtering in Defender for Endpoint (opens in new tab)

Web content filtering policy blocking newly registered domains

3. Make the token worthless: require a managed device

In our view this is the most important and most powerful layer. We have published a full breakdown of recommended Conditional Access policies, but the most achievable for most organizations and MSPs is requiring a managed device. This policy prevents the token from being harvested through the AiTM page at all.

4. Cut off the persistence playbook

If an attacker does harvest a token, they will usually try to stay in by:

  • Registering a device or another MFA method (in the AiTM flow they captured the password too)
  • Registering an application (a new identity with its own permissions to act through)
  • Setting up inbox rules (hiding their presence during reconnaissance or while phishing other users)

To combat this:

5. Automate the response you would otherwise do at 2 a.m.

The final layer is automation for the common incident response moves: suspending the account, rotating passwords, rotating sessions. This is where you hit what we would call the Microsoft Paywall Problem for SMB: automated response features are gated primarily behind Entra ID P2 and E5. On lower tiers, a user detected as high risk in Entra triggers no automated action at all, which is why many MSPs lean on tools like Huntress or Blackpoint to act on their behalf. To be clear, this layer is defense in depth; the Conditional Access policy in step 3 stops the token harvesting up front.

If the tenant has P2, E5, or the E5 Security add-on that bolts onto business plans, configure:

Automated attack disruption acting on a compromised account

Checking a tenant against this list, automatically

At CloudCapsule, we built a Token Theft Playbook that automates a tenant assessment against these protections. The output can be branded and used as a client-facing document to scope an uplift project:

CloudCapsule Token Theft Playbook assessment view
CloudCapsule Token Theft Playbook report output

Half the MSPs we polled have already lived this attack. The five layers above decide whether the next attempt ends at a blocked email, a worthless token, or a wire transfer.

Frequently asked questions

Does MFA stop token theft via AiTM phishing?

No. In the AiTM flow the user completes MFA on what they believe is the real Microsoft page, and the attacker captures the resulting session token. The token is then replayed from the attacker's device, inheriting the authenticated session.

What is the single most effective policy against AiTM token theft?

A Conditional Access policy requiring a managed device. It prevents the session token from being harvested through the adversary-in-the-middle page and blocks replay from unmanaged attacker devices.

Why do MSPs use tools like Huntress or Blackpoint for this?

Automated responses to risk, such as suspending accounts or rotating sessions, are gated behind Entra ID P2 and E5 licensing. Third-party tools fill that gap on lower license tiers by taking those actions on the MSP's behalf.

Audit a tenant against the token theft playbook

CloudCapsule's Token Theft Playbook scans a tenant for these exact protections and produces a branded, client-facing report you can use to scope the uplift project. 250+ controls, about 60 seconds.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading