Skip to main content

Your MFA Rollout Did Not Solve Token Theft. Start With These Four Policies

Nick Ross4 min read

TL;DR

  • As of October 2024, token theft attacks against Microsoft 365 have surged over 111% year over year.
  • Once an attacker steals a session token, they bypass MFA entirely and act as the legitimate user without ever touching the password.
  • Device compliance policies reduce the chance a token gets stolen in the first place, but they do not stop a stolen token from being replayed.
  • Strict location enforcement with Continuous Access Evaluation blocks replayed tokens immediately, instead of waiting out the default one-hour token lifetime.
  • Token protection, in preview with an Entra P2 requirement, binds session tokens to a device so they fail when replayed elsewhere.

The uncomfortable part of a token theft investigation is explaining to the client that their MFA worked exactly as designed, and the attacker got in anyway. Token theft, also called token replay, has grown over 111% year over year as of October 2024, and it is one of the fastest-growing threats in the Microsoft 365 ecosystem precisely because it sidesteps the control everyone trusts most.

This post covers what a session token is, how attackers steal and replay them, what the business is risking, and the four foundational policies we deploy to protect against the attack.

What a session token actually grants

A session token is a digital badge proving you already authenticated to Microsoft 365 resources like email, SharePoint, or Teams. Once issued, the token lets you keep using those resources without re-entering your username, password, or MFA code every time.

That convenience is the vulnerability. The badge is the credential. Think of a hotel keycard: the front desk checks your ID once, hands you the card, and from then on every door only checks the card. Steal the card and nobody at the door asks for ID again. Token theft works the same way: the attacker hijacks the user's authentication token and gains access to their account without needing credentials, and without triggering MFA, because the MFA check already happened when the token was issued.

How the token leaves the building

Attackers steal tokens by:

  • Installing malware on a user's device
  • Grabbing session cookies from web browsers like Chrome
  • Using phishing techniques to capture the tokens in transit

Once they have the token, they replay it from their own device, and to Microsoft 365 they look like the legitimate user.

Diagram of a token theft and replay attack against Microsoft 365

What the attacker does with the access

With a working stolen token, the attacker can:

  • Access corporate resources: email, documents, Teams
  • Move laterally by sending internal phishing emails to other employees
  • Exfiltrate sensitive data such as intellectual property or confidential customer information
  • Set up inbox rules to forward sensitive emails, a staple of data exfiltration

The downstream costs are the usual triad: financial losses, reputational damage, and legal liability. So what should the defense look like?

Policy 1: Enforce device compliance

One of the best ways to mitigate token theft is allowing only compliant devices to reach corporate resources, meaning any device accessing Microsoft 365 must meet your security standards: antivirus protection, Intune enrollment, proper encryption.

Use device management plus Conditional Access policies that require a compliant device. The compliance settings we recommend specifically to reduce successful token theft from devices:

  • Require Windows users to run as standard users rather than with device admin rights, and require up-to-date anti-malware and antivirus tools, to reduce accidental infection with token-stealing malware
  • Use storage encryption to protect device content, including tokens, if the device itself is stolen
  • Enable Local Security Authority (LSA) protection to defend Entra ID tokens held in LSA memory. LSA protection is on by default for new devices and can be enabled for the rest via Intune
  • Use jailbreak and rooting detection for mobile devices, since jailbroken devices are more likely to expose tokens and cryptographic secrets

Reference: Managed Devices shall be required for authentication, Tminus365 Docs (opens in new tab)

Be clear about the limit: this policy does not prevent or stop a token from being replayed. It only reduces the chance the theft happens in the first place.

Policy 2: Strict location enforcement with Continuous Access Evaluation

The second layer limits access to Microsoft 365 based on trusted locations, such as the corporate network or a VPN. Even with a stolen token, the attacker cannot reach corporate resources unless they connect from an approved location.

The strict-enforcement variant matters here. Standard Continuous Access Evaluation still leaves you exposed to the default token lifetime of one hour. Strict location CAE enforces your trusted locations immediately: if a user's token or cookie is stolen in an AiTM or pass-the-cookie attack and replayed from outside a trusted location, the attacker is blocked on the spot rather than enjoying the remainder of the token's lifetime.

Policy 3: Bind tokens to the device

For more advanced protection, enable token binding, which ties session tokens to a specific device. A token stolen from one machine and replayed on another simply does not work. The feature is in preview as of October 2024, and it is a strong answer to attackers using stolen tokens from their own hardware.

Details and licensing: Public Preview: Token Protection for Sign-In Sessions, Microsoft Community Hub (opens in new tab) (requires an Entra P2 license).

Policy 4: Block risky sign-ins backed by CAE

Continuous Access Evaluation also monitors session activity and re-evaluates the session's security periodically. Suspicious activity, such as a sudden change in location, forces a re-authentication that can catch an attacker mid-session.

With Entra P2 licensing, the risk engine evaluates many more detection data points, and you can build Conditional Access policies that block sign-in outright when detected risk is medium or high:

No single policy closes the gap

None of these four is sufficient alone, and that is the point: device compliance shrinks the theft surface, strict location and token binding neutralize replay, and risk-based blocking catches what slips through. Layered together, they take token theft from an MFA bypass that works quietly for an hour to an attack that fails loudly at the first door. Deploy them in that spirit, and verify they stay deployed.

Frequently asked questions

Does MFA protect against token theft?

Not by itself. MFA protects the authentication moment, but a session token is issued after authentication succeeds. An attacker who steals that token replays it from their own device and never sees an MFA prompt.

What licensing do these protections require?

Device compliance needs Intune, which Business Premium includes. Strict location CAE works with Entra P1. Token protection and the richer risk detections both require Entra P2 as of October 2024.

Which of the four policies stops a token that has already been stolen?

Strict location enforcement and token binding act on the replay itself. Device compliance and risk-based blocking reduce the odds of theft and catch suspicious sessions, but they do not invalidate a token already in an attacker's hands.

Are the anti-replay policies live in every tenant you manage?

Each of these four protections is a Conditional Access policy that can be missing or quietly disabled. CloudCapsule scans your tenants against 250+ CIS-mapped controls in about 60 seconds and flags exactly where token theft defenses are absent.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading