Token theft: how cybercriminals are bypassing multi-factor authentication


What it is, what it does, and how you can prevent it.  

Multi-factor authentication (MFA) has become a core security control for businesses the world over, and its adoption keeps growing. In 2017 only 28% of online accounts used MFA; by 2021 that figure had risen to 78% (according to Zippia). That is a step in the right direction for a more secure online presence, with many organisations adopting it in an effort to deter cybercrime.

However, cybercriminals have adopted a technique that bypasses MFA without triggering a second prompt or raising any alarms. This increasingly common method is known as token theft, and businesses and employees, especially those who work remotely or hybrid, need to understand it in order to prevent it.

Hybrid working brings many benefits, but also some disadvantages, especially where security is concerned. If employees access corporate resources from a personal or unmanaged device, or from one that corporate IT cannot even see, their risk of token theft increases. Such devices typically have weaker protection, so a cybercriminal has a better chance of reaching the data on them, especially when the same browser is used to sign in to both personal websites and corporate applications.

Thankfully, there are ways to prevent token theft.

How does multi-factor authentication work? 

When logging on to an online account you must prove who you are. Until recently a username (often just an email address) and a password were considered sufficient. That is no longer safe: anyone who obtains those two pieces of information can sign in to your accounts easily and without resistance.

Multi-factor authentication makes this much harder. Also known as 'two-step verification', MFA requires the user to provide a second 'factor' to prove their identity, typically when signing in for the first time on a new device or app.

The most common ‘factors’ are:

  • A factor you know (a password or PIN)
  • A factor you have (a smartphone or secure USB key)
  • A factor you are (fingerprint or facial recognition)

What is token theft?

Token theft is a technique cybercriminals use to satisfy multi-factor authentication and gain access under the guise of a legitimate user, so an attack can proceed despite the extra security measures an organisation has put in place.

This relatively new technique has reportedly been used for lateral movement once a cybercriminal has gained a foothold in a network. It is highly effective, so it is no surprise that the Microsoft Detection and Response Team (DART) has seen a sharp increase in its use; token theft has reportedly featured in almost all of the most widely reported attacks since 2014.

The main concerns are that the skill level needed to carry out token theft is low, it is very hard to detect, and few organisations have included token theft mitigations in their incident response plans.

How does token theft work? 

When a legitimate user passes multi-factor authentication, the identity provider issues a token: a session cookie, or an OAuth access or refresh token, that the browser or app presents on every subsequent request instead of the password and second factor. The token carries the user's identity together with claims such as group membership, assigned roles and the fact that MFA was completed, and it stays valid until it expires or is revoked.

The resource that receives the token checks the token itself, not the person or device presenting it. That is the point of a token: it lets the user keep working without being asked for a second factor on every request. (These are not the same thing as Windows kernel access tokens, which describe a local process's user, groups and privileges and never leave the machine.)

Therefore, when a cybercriminal steals such a token, for example by copying it out of the browser's cookie store on an unmanaged device, they can replay it and be treated as the user who already passed MFA, inheriting that user's access to online accounts and data for as long as the token remains valid.
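The following is an added example, not code from the original article or from Microsoft: a toy identity provider that mints an HMAC-signed bearer token after MFA and a resource that accepts it. The signing key, claim names and timestamps are assumptions for the demo. It shows why a copied token works for the attacker (the resource never asks who is presenting it), how a shorter token lifetime narrows the replay window, and how revoking the token ends the attacker's session along with the victim's.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Constructed example: a toy identity provider that issues a signed bearer
# token once MFA has been satisfied. The key and claim names are assumptions
# for this demo, not any vendor's format.
SIGNING_KEY = b"server-side-signing-key-assumed-for-this-demo"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    def __init__(self) -> None:
        self.revoked_ids = set()  # token ids invalidated by an administrator

    def issue(self, user: str, mfa_passed: bool, lifetime_s: int, now: int) -> str:
        """Mint a bearer token only after MFA; the lifetime is set by policy."""
        if not mfa_passed:
            raise PermissionError("second factor not satisfied")
        claims = {"sub": user, "iat": now, "exp": now + lifetime_s,
                  "amr": ["pwd", "mfa"], "jti": secrets.token_hex(8)}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def authorize(self, token: str, now: int) -> Optional[Dict]:
        """Resource-side check: signature, expiry, revocation. Note what is NOT
        checked: who is presenting the token. A valid token is accepted from any
        device, so a copy taken from the victim's machine works for the attacker."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(_unb64(body))
        if now >= claims["exp"] or claims["jti"] in self.revoked_ids:
            return None
        return claims

    def revoke(self, token: str) -> None:
        """Response step: invalidate the session so the user must sign in again."""
        self.revoked_ids.add(json.loads(_unb64(token.split(".")[0]))["jti"])


def replay_scenario(lifetime_s: int) -> Dict[str, bool]:
    """Victim signs in with MFA; the token is copied from the device and replayed
    by an attacker later. Returns which requests the resource accepted."""
    svc = TokenService()
    t0 = 1_700_000_000  # assumed sign-in time (Unix seconds)
    victim_token = svc.issue("alice@example.com", True, lifetime_s, t0)
    stolen = victim_token  # attacker copies the bearer token from the unmanaged device
    out = {
        "victim_request": svc.authorize(victim_token, t0 + 60) is not None,
        "replay_after_1h": svc.authorize(stolen, t0 + 3600) is not None,
        "replay_after_2d": svc.authorize(stolen, t0 + 2 * 86400) is not None,
    }
    svc.revoke(victim_token)  # investigation confirms theft; the session is revoked
    out["replay_after_revoke"] = svc.authorize(stolen, t0 + 120) is not None
    out["victim_after_revoke"] = svc.authorize(victim_token, t0 + 120) is not None
    return out


if __name__ == "__main__":
    print("24h token:", replay_scenario(24 * 3600))
    print("1h token: ", replay_scenario(3600))
```

With a 24-hour token the replay an hour later succeeds and only the two-day replay fails; with a one-hour token the same replay already fails. Revocation closes the window immediately, for the attacker and the victim alike, which is why the victim must then re-authenticate with MFA.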

How to prevent token theft 

Organisations can significantly reduce the risk of falling victim to token theft by following three steps: protect, detect, and respond & investigate.

1. Protect

To protect your system from unauthorised access, we recommend that you: 

  • Have full visibility of how and where your users are authenticating
  • Ensure devices are up to date with patches, antivirus, and EDR solutions
  • Only allow access from devices known to the company
  • For unmanaged devices, apply Conditional Access session controls (for example a short sign-in frequency and no persistent browser sessions) so that a stolen token is only usable for a short window
  • Only allow devices that adhere to Microsoft's recommended security baselines

2. Detect

Thankfully, there are technologies that can detect when token theft may be happening.

When a stolen token is replayed, the sign-in usually shows anomalous features: an existing session suddenly appears from a new IP address, device or browser, or two sign-ins are so far apart that no one could have travelled between them in the time available ('impossible travel'). Azure Active Directory Identity Protection and Microsoft Defender for Cloud Apps both raise alerts on these signals. They will not catch every case, so the alerts need to be routed to someone who will investigate them.
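The logic behind those two alerts, as an added example that is not part of the original article or of any Microsoft product: a small detector run over constructed sign-in records. The record fields, coordinates and the 1000 km/h threshold are this example's assumptions. It flags consecutive sign-ins that imply impossible travel, and a session id that is presented from a new IP address and user agent, which is the signature of one token being used from two devices.

```python
import math
from datetime import datetime
from typing import Dict, List

# Constructed sign-in records for this example. The field names are the
# example's own, not a vendor's log schema; a real feed (e.g. an exported
# sign-in log) would be mapped onto them first.
SIGNINS: List[Dict] = [
    {"ts": "2023-03-01T09:00:00+00:00", "user": "alice@example.com", "session": "s-1",
     "ip": "81.2.69.142", "lat": 51.50, "lon": -0.12, "ua": "Edge/111 Windows"},
    {"ts": "2023-03-01T09:20:00+00:00", "user": "alice@example.com", "session": "s-1",
     "ip": "81.2.69.142", "lat": 51.50, "lon": -0.12, "ua": "Edge/111 Windows"},
    # Same session id 15 minutes later from another continent and a different client:
    # the token issued in London is being replayed.
    {"ts": "2023-03-01T09:35:00+00:00", "user": "alice@example.com", "session": "s-1",
     "ip": "203.0.113.50", "lat": 40.70, "lon": -74.00, "ua": "Chrome/110 Linux"},
    # A benign user: Paris in the morning, Brussels in the afternoon, two fresh sign-ins.
    {"ts": "2023-03-01T10:00:00+00:00", "user": "bob@example.com", "session": "s-2",
     "ip": "198.51.100.7", "lat": 48.85, "lon": 2.35, "ua": "Edge/111 Windows"},
    {"ts": "2023-03-01T16:00:00+00:00", "user": "bob@example.com", "session": "s-3",
     "ip": "198.51.100.9", "lat": 50.85, "lon": 4.35, "ua": "Edge/111 Windows"},
]

MAX_PLAUSIBLE_KMH = 1000.0  # threshold assumption: roughly airliner cruising speed


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(signins: List[Dict]) -> List[Dict]:
    """Return replay indicators, per user in time order:
    impossible_travel  - consecutive sign-ins imply a speed no traveller can reach
    session_new_client - a session id already seen is presented from a new IP *and*
                         a new user agent, i.e. the same token from a different device."""
    findings: List[Dict] = []
    by_user: Dict[str, List[Dict]] = {}
    for rec in sorted(signins, key=lambda r: r["ts"]):
        by_user.setdefault(rec["user"], []).append(rec)

    for user, recs in by_user.items():
        clients: Dict[str, List[Dict]] = {}  # session id -> clients that have presented it
        for i, cur in enumerate(recs):
            if i > 0:
                prev = recs[i - 1]
                hours = (datetime.fromisoformat(cur["ts"])
                         - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
                km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
                # Zero elapsed time with non-zero distance is the extreme case: infinite speed.
                kmh = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
                if kmh > MAX_PLAUSIBLE_KMH:
                    findings.append({"type": "impossible_travel", "user": user, "ts": cur["ts"],
                                     "km": round(km),
                                     "kmh": round(kmh) if math.isfinite(kmh) else "inf"})
            known = clients.setdefault(cur["session"], [])
            if known and all(c["ip"] != cur["ip"] and c["ua"] != cur["ua"] for c in known):
                findings.append({"type": "session_new_client", "user": user, "ts": cur["ts"],
                                 "session": cur["session"], "ip": cur["ip"], "ua": cur["ua"]})
            known.append({"ip": cur["ip"], "ua": cur["ua"]})
    return findings


if __name__ == "__main__":
    for finding in detect(SIGNINS):
        print(finding)
```

On the constructed data only Alice's 09:35 sign-in is flagged, twice: roughly 5,500 km in 15 minutes, and session s-1 arriving from a new address and browser. Bob's Paris-to-Brussels afternoon is well under the threshold and uses fresh sessions, so nothing fires. Both rules depend on geolocation and client data being recorded with each sign-in, which is what the "full visibility of how and where users authenticate" recommendation above is about.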

3. Respond & investigate

If it is confirmed that a token has been stolen and the user is therefore compromised, DART recommends several steps to evict the threat actor.

First, revoke the token (and any refresh tokens issued with it) so that it is no longer valid. The attacker's replayed session dies with it, and the user must re-authenticate, including MFA, to obtain a new one.

Microsoft DART also recommends checking the user's account for signs of persistence left by the cybercriminal, such as:

  • Mailbox rules: threat actors are known to create inbox rules that hide, delete or forward emails.
  • Mailbox forwarding: a forwarding address may be set on the mailbox so that a copy of every email goes to an external address.
  • Multi-factor authentication modification: threat actors sometimes register additional authentication methods so that they can satisfy MFA themselves.
  • Device enrolment: DART has seen threat actors register a device they control with the organisation's Azure AD tenant.
  • Data exfiltration: threat actors may share sensitive documents with external recipients using the built-in sharing functionality in SharePoint and OneDrive.
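A practitioner usually turns the first four of those checks into a script run against exported account data. The block below is an added example, not code from the original article or from DART, and it works on constructed inputs: the record shapes, the organisation's domain, the rule and device names and the assumed compromise time are all this example's own rather than any product's native schema. It flags inbox rules that forward externally, delete mail, target security-related subjects or have a near-invisible name; mailbox-level forwarding to an external address; and authentication methods or devices registered after the suspicious sign-in.

```python
from datetime import datetime
from typing import Dict, List

# Constructed investigation inputs for one compromised user. The record shapes
# are this example's own (what you would have after flattening the relevant
# admin exports), not any product's native schema.
ORG_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
# Assumed time of the first anomalous sign-in; anything registered after it is suspect.
SUSPECT_FROM = datetime.fromisoformat("2023-03-01T09:35:00+00:00")

INBOX_RULES: List[Dict] = [
    {"name": "Receipts", "enabled": True, "forward_to": [], "redirect_to": [],
     "delete": False, "subject_contains": ["invoice"]},
    # Typical actor rule: near-invisible name, hides security mail and copies it out.
    {"name": ".", "enabled": True, "forward_to": ["drop@attacker.example"], "redirect_to": [],
     "delete": True, "subject_contains": ["password", "mfa", "sign-in"]},
]
MAILBOX_FORWARDING: Dict = {"smtp_address": "collector@attacker.example", "deliver_and_forward": True}
AUTH_METHODS: List[Dict] = [
    {"type": "authenticatorApp", "registered": "2022-06-10T08:00:00+00:00", "detail": "Alice iPhone"},
    {"type": "phone", "registered": "2023-03-01T09:41:00+00:00", "detail": "+1 555 0100"},
]
DEVICES: List[Dict] = [
    {"name": "ALICE-LAPTOP", "registered": "2022-06-10T08:05:00+00:00", "compliant": True},
    {"name": "DESKTOP-7Q2", "registered": "2023-03-01T09:44:00+00:00", "compliant": False},
]
HIDE_KEYWORDS = {"password", "mfa", "sign-in", "security", "verification"}


def is_external(address: str) -> bool:
    """True if the mail domain is not one the organisation owns."""
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def triage(rules: List[Dict], forwarding: Dict, methods: List[Dict],
           devices: List[Dict], since: datetime) -> List[Dict]:
    """Apply the persistence checks in the order the list above gives them."""
    findings: List[Dict] = []

    for r in rules:  # 1. mailbox rules that hide or forward mail
        if not r["enabled"]:
            continue
        reasons = []
        if any(is_external(t) for t in r["forward_to"] + r["redirect_to"]):
            reasons.append("forwards or redirects externally")
        if r["delete"]:
            reasons.append("deletes matching mail")
        if {k.lower() for k in r["subject_contains"]} & HIDE_KEYWORDS:
            reasons.append("targets security-related subjects")
        if not r["name"].strip(" ."):
            reasons.append("near-invisible rule name")
        if reasons:
            findings.append({"type": "inbox_rule", "name": r["name"], "reasons": reasons})

    addr = forwarding.get("smtp_address")  # 2. mailbox-level forwarding
    if addr and is_external(addr):
        findings.append({"type": "mailbox_forwarding", "to": addr})

    for m in methods:  # 3. authentication methods added after the compromise
        if datetime.fromisoformat(m["registered"]) >= since:
            findings.append({"type": "auth_method", "method": m["type"], "detail": m["detail"]})

    for d in devices:  # 4. devices registered after the compromise
        if datetime.fromisoformat(d["registered"]) >= since:
            findings.append({"type": "device", "name": d["name"], "compliant": d["compliant"]})
    return findings


if __name__ == "__main__":
    for finding in triage(INBOX_RULES, MAILBOX_FORWARDING, AUTH_METHODS, DEVICES, SUSPECT_FROM):
        print(finding)
```

Each finding is something to remove (the rule, the forwarding address, the phone method, the rogue device) before the revoked user is allowed back in; otherwise the attacker simply waits for the account to be restored and resumes from the persistence they left behind.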

Protect your organisation from token theft

Protecting your tokens is the first step to significantly improving your security. As cybercriminals adapt and develop their techniques, businesses must stay one step ahead.

If you’d like to discover how SupPortal can help you to protect your business and assets against token theft, chat to us at 02380 982218. 
