Identity Management (Entra ID)

Token Theft: The attack that bypasses Entra ID’s MFA

5 min read · Akuity SOC · Delphisoft Deutschland

Double authentication is no longer enough in the face of session token theft (Token Theft). Find out how to revoke Entra ID sessions in 1 click.

Two-factor authentication (MFA) has long been considered a cybersecurity panacea. However, compromises targeting the Microsoft Entra ID environment have never been more numerous. The reason is simple: professional cybercriminals no longer try to guess your employees' passwords, they directly steal already authenticated sessions.

This formidable technique, known as Token Theft (or session token theft), allows an attacker to bypass MFA completely transparently. Faced with this lightning-fast threat, the manual reaction of IT teams is often too slow. Learn how this attack works and how to neutralize it instantly with a SOAR approach.

What is a Session Token?

When an employee connects to their Microsoft 365 environment (Outlook, Teams, SharePoint), they enter their password and validate a notification in their Microsoft Authenticator application. Once this multi-factor verification succeeds, Entra ID delivers a session token to the browser in the form of a secure cookie.

This token acts as a temporary access badge. It is thanks to it that the user does not need to retype their password or revalidate their MFA each time they open a new tab or refresh their inbox. The problem is obvious: if a hacker manages to copy this "badge", he obtains the same access rights as the legitimate user, without ever needing to trigger an MFA alert.

How do attackers steal these tokens?

Cybercriminals mainly use two vectors to recover these valuable authentication cookies:

  1. AiTM (Adversary-in-the-Middle) Phishing: The user receives an email inviting them to log in to a fake Microsoft portal. This portal acts as an invisible proxy. The user types their password and validates their MFA. The fake portal relays this information to the real Microsoft server, retrieves the valid session token, stores it for the attacker, and then logs the user in as if nothing had happened.
  2. Infostealers (information-stealing malware): The user downloads booby-trapped software that looks legitimate. In the background, malware (such as RedLine or Vidar) silently harvests the cookie databases stored by Google Chrome or Edge and sends them to a command-and-control (C2) server.

The limits of manual response on the Azure portal

Once the token is stolen, the attacker imports it into their own browser. They often connect from a foreign VPN, which triggers an "Impossible Travel" alert, or from an anonymized network (Tor node), which triggers an anonymous-IP alert, in Microsoft Entra ID Protection.
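As an added example (not Akuity or Microsoft code), the check below implements the "Impossible Travel" logic described above over a few constructed sign-in records: consecutive sign-ins of the same user are compared, and a pair is flagged when the great-circle distance between their geolocated IPs would require travelling faster than a plausible speed. The record layout, the sample coordinates and the 900 km/h threshold are assumptions chosen for the demonstration.

```python
"""Minimal "Impossible Travel" detector over Entra ID-style sign-in events.

Added example, not the product's code. Assumptions: each event carries a
user, a UTC timestamp and an IP geolocation (lat/lon); anything faster than
MAX_PLAUSIBLE_SPEED_KMH between two consecutive sign-ins is flagged.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly airliner speed


@dataclass
class SignIn:
    user: str
    time: datetime
    lat: float
    lon: float
    ip: str
    city: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH):
    """Return a list of (user, earlier_event, later_event, implied_speed_kmh)
    for consecutive sign-ins of one user that would need implausible travel."""
    by_user: dict[str, list[SignIn]] = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_user.setdefault(ev.user, []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km == 0.0:
                continue  # same location: nothing to compare
            hours = (cur.time - prev.time).total_seconds() / 3600.0
            # Two sign-ins from different places at the same instant are
            # treated as infinitely fast, i.e. always flagged.
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((user, prev, cur, speed))
    return alerts


# Constructed sample data: "alice" signs in from Paris, then 20 minutes
# later from Tokyo (a stolen token replayed from abroad); "bob" signs in
# from Paris and, three hours later, from Lyon (a normal train trip).
SAMPLE_SIGN_INS = [
    SignIn("alice", datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc),
           48.8566, 2.3522, "203.0.113.10", "Paris"),
    SignIn("alice", datetime(2024, 5, 2, 9, 20, tzinfo=timezone.utc),
           35.6762, 139.6503, "198.51.100.7", "Tokyo"),
    SignIn("bob", datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc),
           48.8566, 2.3522, "203.0.113.11", "Paris"),
    SignIn("bob", datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc),
           45.7640, 4.8357, "203.0.113.12", "Lyon"),
]


def run_demo():
    """Run the detector over the constructed sample and return its alerts."""
    return impossible_travel(SAMPLE_SIGN_INS)


if __name__ == "__main__":
    for user, a, b, speed in run_demo():
        print(f"IMPOSSIBLE TRAVEL {user}: {a.city} ({a.ip}) -> {b.city} ({b.ip}) "
              f"implies {speed:,.0f} km/h")
```

In a real pipeline the coordinates come from an IP geolocation lookup on the sign-in log, and Entra ID Protection already raises this risk detection for you; the value of re-implementing it is seeing why a replayed token from another continent stands out so clearly on timing alone.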

This is where the race against time begins. For a traditional system administrator, remediation is an obstacle course: log in to the Azure portal, navigate to the Entra ID users tab, find the compromised user, find the option to revoke sessions (which takes time to sync), and then manually force a password reset.

During these 15 minutes of latency (MTTR), the attacker has already had time to create email redirection rules to exfiltrate invoices or download confidential documents from SharePoint.

The solution: 1-Click Session Revocation

To counter an asymmetric attack, your response must be automated. The vital command in the Microsoft Graph ecosystem is revokeSignInSessions. It immediately invalidates all refresh tokens linked to an account, forcing a logout and requiring any new request to go through the full authentication process (password + MFA) again.

With a response orchestrator like Akuity SOC, the approach is drastically simplified.

  1. JIT detection: As soon as Entra ID Protection detects an anomaly linked to token theft, the analyst sees the risk in the "Identities at Risk" tab of Akuity, thanks to real-time (Just-In-Time) collection of weak signals.
  2. Immediate revocation: With a single click on the remediation action, the platform calls the Microsoft Graph API to invalidate access instantly.
  3. Secure reset: In the same flow, the resetUserPassword action generates a new strong password, displays it in a persistent modal with a quick-copy button for transmission to the employee, and requires a password change at the next login.

This dual action, protected by the requirement of an AAL2 session (analyst MFA), allows token theft to be neutralized in less than 10 seconds.
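As an added example, not Akuity's or Microsoft's code, the script below performs the same two-step response with plain Microsoft Graph calls: `POST /users/{id}/revokeSignInSessions` to invalidate the account's refresh tokens, then `PATCH /users/{id}` with a `passwordProfile` that sets a generated password and forces a change at next sign-in. The HTTP transport is injected as a function so the sequence can be exercised offline; the real transport uses only the standard library. It assumes you already hold a Graph access token whose permissions allow session revocation and password reset for the target user (check the current Graph documentation for the exact permission names), and that the user is identified by object id or UPN.

```python
"""Revoke Entra ID sessions and reset the password via Microsoft Graph.

Added example, not Akuity or Microsoft code. Assumptions: a valid Graph
access token with sufficient permissions is supplied by the caller, and
`send` is any callable with the signature
    send(method, url, headers, body_or_None) -> (status_code, json_or_None)
"""
import json
import secrets
import string
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
SYMBOLS = "!@#$%^&*-_"
Sender = Callable[[str, str, dict, Optional[dict]], Tuple[int, Optional[dict]]]


def generate_strong_password(length: int = 20) -> str:
    """Random password containing lower, upper, digit and symbol characters."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def build_revoke_request(user: str) -> dict:
    """Graph call that invalidates the user's refresh tokens and session cookies."""
    return {"method": "POST", "url": f"{GRAPH}/users/{user}/revokeSignInSessions", "body": None}


def build_reset_request(user: str, new_password: str) -> dict:
    """Graph call that sets a new password and forces a change at next sign-in."""
    return {
        "method": "PATCH",
        "url": f"{GRAPH}/users/{user}",
        "body": {"passwordProfile": {
            "forceChangePasswordNextSignIn": True,
            "password": new_password,
        }},
    }


def urllib_sender(method: str, url: str, headers: dict, body: Optional[dict]):
    """Real transport on the standard library; returns (status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def neutralize_token_theft(user: str, access_token: str, send: Sender = urllib_sender) -> str:
    """Revoke sessions first, then reset the password; return the new password
    so the operator can hand it to the employee out of band."""
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}

    rev = build_revoke_request(user)
    status, _ = send(rev["method"], rev["url"], headers, rev["body"])
    if status not in (200, 204):  # v1.0 answers 200 with {"value": true}
        raise RuntimeError(f"revokeSignInSessions failed for {user}: HTTP {status}")

    new_password = generate_strong_password()
    rst = build_reset_request(user, new_password)
    status, _ = send(rst["method"], rst["url"], headers, rst["body"])
    if status != 204:  # PATCH /users/{id} returns 204 No Content on success
        raise RuntimeError(f"password reset failed for {user}: HTTP {status}")
    return new_password


if __name__ == "__main__":
    import os
    # Placeholders: supply a real token and user via the environment.
    token = os.environ.get("GRAPH_TOKEN", "<access-token>")
    target = os.environ.get("TARGET_USER", "<user-object-id-or-upn>")
    print("new password:", neutralize_token_theft(target, token))
```

Two points matter in practice. Revocation is done before the reset, so a refresh token the attacker still holds cannot be exchanged for a new access token while the password change propagates. And revokeSignInSessions invalidates refresh tokens and session cookies, but access tokens already issued stay usable until they expire (typically up to an hour) unless the resource supports Continuous Access Evaluation, so the detection and revocation should be watched for follow-on activity during that window.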

Stop letting hackers exploit your sessions. Discover how our tool Identity Management at Risk (Entra ID) accelerates your incident response without any agents to install.

Related solution page

Identity Management at Risk (Entra ID)

Block Entra ID identity theft every second. Impossible Travel JIT detection, session revocation, and confirmation of compromise.

Discover the complete solution