My TechDecisions
IT Infrastructure, Network Security, News

Hackers are Increasing Token Theft Attacks to Bypass MFA

Microsoft says it has seen an increase in attackers utilizing token theft to compromise identities that have completed MFA.

November 22, 2022 Zachary Comeau Leave a Comment


Organizations are increasing their implementation of multifactor authentication (MFA) to help secure account credentials and prevent unauthorized access, but threat actors are similarly advancing their techniques and are finding ways around those protections, including stealing tokens, according to Microsoft.

In a recent post, Microsoft says its Detection and Response Team (DART) has seen an increase in attackers using token theft for exactly that purpose: compromising and replaying a token issued to an identity that has already completed multifactor authentication, so that the replayed token satisfies MFA validation and grants access to resources.

Microsoft says cloud token theft requires little expertise and is hard to detect, making it a concerning new threat vector to protect against. This is particularly important in organizations embracing hybrid work that allow users to access corporate resources from personal or unmanaged devices that aren’t visible to IT.

According to Microsoft, publicly available open-source tools for token theft already exist, and many malware families have been adapted to include this technique. Without proper safeguards and visibility into authentication endpoints, detecting token theft is difficult.

In the blog, Microsoft calls tokens critical to OAuth 2.0 identity platforms such as Azure AD. Users must present a valid token to access resources, such as a web app protected by Azure AD. To obtain that token, users sign into Azure AD with their credentials and may need to complete MFA. The user then presents the token to the web app, which validates the token and allows access. Azure AD tokens include information such as the username, source IP address, MFA status and any privileges the user has in Azure AD.

Microsoft identifies adversary-in-the-middle (AiTM) frameworks and the use of commodity malware (which enables a ‘pass-the-cookie’ scenario) as the most common theft techniques DART has observed.

In an AiTM attack, attackers use frameworks such as Evilginx2 to insert malicious infrastructure between the user and the legitimate application the user is trying to access. When the user is phished, the malicious infrastructure captures both the user’s credentials and the token.

“If a regular user is phished and their token stolen, the attacker may attempt business email compromise (BEC) for financial gain,” Microsoft security experts write in a blog. “If a token with Global Administrator privilege is stolen, then they may attempt to take over the Azure AD tenant entirely, resulting in loss of administrative control and total tenant compromise.”

In a pass-the-cookie attack, an attacker bypasses authentication controls by compromising browser cookies. Similar to pass-the-hash or pass-the-ticket attacks in Active Directory, once a user authenticates to Azure AD via a browser, a cookie is created and stored for that session. By compromising a device and extracting the browser cookies, attackers can pass that cookie into a separate web browser on another system.
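As an added illustration of the detection problem the two techniques above create (example code written for this article, not from Microsoft’s post or any Microsoft tool): a small Python check over constructed sign-in records that flags a session which completed MFA interactively and is later reused from a different IP address or device while MFA is satisfied only by the claim carried in the token. The field names and sample values are assumptions for the example, not Microsoft’s sign-in log schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records for this example; the field names are
# assumptions for illustration, not Microsoft's sign-in log schema.
SAMPLE_SIGNINS = [
    {"time": "2022-11-21T09:00:00Z", "user": "alice@example.com",
     "session_id": "sess-A1", "ip": "203.0.113.10",
     "device_id": "dev-laptop-01", "mfa": "interactive"},
    {"time": "2022-11-21T09:20:00Z", "user": "alice@example.com",
     "session_id": "sess-A1", "ip": "203.0.113.10",
     "device_id": "dev-laptop-01", "mfa": "token_claim"},
    # Same session token presented later from an unknown device on another network.
    {"time": "2022-11-21T09:35:00Z", "user": "alice@example.com",
     "session_id": "sess-A1", "ip": "198.51.100.77",
     "device_id": "", "mfa": "token_claim"},
    {"time": "2022-11-21T10:00:00Z", "user": "bob@example.com",
     "session_id": "sess-B7", "ip": "203.0.113.22",
     "device_id": "dev-laptop-09", "mfa": "interactive"},
]


def _parse_time(value):
    # Accept the "Z" suffix on older Python versions as well.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_replayed_sessions(records):
    """Flag sign-ins where a session that completed MFA interactively is later
    reused from a different IP or device while MFA is satisfied only by the
    claim carried in the token, the pattern a replayed cookie/token leaves."""
    by_session = defaultdict(list)
    for rec in sorted(records, key=lambda r: _parse_time(r["time"])):
        by_session[rec["session_id"]].append(rec)

    alerts = []
    for session_id, events in by_session.items():
        anchor = events[0]  # first sign-in establishes the expected IP/device
        for event in events[1:]:
            moved = (event["ip"] != anchor["ip"]
                     or event["device_id"] != anchor["device_id"])
            if moved and event["mfa"] == "token_claim":
                alerts.append({
                    "user": event["user"], "session_id": session_id,
                    "anchor_ip": anchor["ip"], "replay_ip": event["ip"],
                    "time": event["time"],
                })
    return alerts
```

Run over the constructed sample, the check flags only Alice’s third sign-in; Bob’s single interactive sign-in and Alice’s second sign-in from the original device pass.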

According to Microsoft, users who access corporate resources on personal devices are especially at risk because those devices typically have weaker security controls than devices managed by corporate IT. As such, IT has limited visibility to determine compromise.

This scenario also opens the door for additional vectors, such as personal email accounts or social media accounts that are accessed on the same device.

Microsoft issues several recommendations for protecting against token theft, including:

  • Reducing the lifetime of the session and increasing the number of times users have to re-authenticate.
  • Reducing the viable time of a token to force hackers to increase the frequency of token theft attempts and give IT a better chance at detection.
  • Implementing controls for users connecting from unmanaged devices.
  • Implementing phishing-resistant MFA solutions, such as FIDO2 security keys, certificate-based authentication, Windows Hello for Business and others.
  • Segregating cloud-only identities for all IT administrative activities to reduce the attack surface from on-premises to cloud in the event of on-premises domain compromise and abuse of privilege.

Microsoft also recommends organizations focus on deploying controls to applications and users that are more at risk, such as:

  • Highly privileged users
  • Financial applications
  • Human capital management applications
  • Cloud app administrative portals
  • Productivity cloud apps
  • VPN or remote access portals

For more information, including on how to detect token theft, read Microsoft’s blog.
