Microsoft: Hackers Bypass Multi-Factor Authentication with Stolen Tokens

Hackers have adapted to the fact that more and more companies rely on multi-factor authentication (MFA) to protect employee user accounts, according to Microsoft. The software company said it has recently seen an increase in attacks in which stolen tokens are used to defeat MFA.

Such attacks compromise tokens issued to users who have already successfully completed an MFA. The stolen tokens are then reused to gain access to the user account in question using a different device. Tokens are used by OAuth 2.0 platforms such as Azure Active Directory, among others, to simplify user authentication while making password attacks more difficult.

Microsoft classifies token theft as particularly dangerous because of the low technical requirements. In addition, it is difficult to detect such attacks. Since the attack technique is not very widespread, only a few companies are sufficiently prepared for it.

Stolen cookies also leverage MFA

In addition to the token, hackers also need a user’s account credentials, which they could obtain via phishing, for example, according to Microsoft. “When the user falls victim to phishing, the malicious infrastructure captures both the user’s credentials and the token,” Microsoft explained. Credentials and tokens could then be used for a variety of attacks, including business email compromise.

Another threat comes from “pass-the-cookie” attacks. Here, attackers target browser cookies they find on a device that has already been compromised, according to the software company. This is because cookies are also created after authentication via a browser at Azure Active Directory. An attacker could pass such a cookie to another browser on another device and bypass security checks.

“Users accessing corporate resources through personal devices are particularly vulnerable. Personal devices often have weaker security controls than enterprise-managed devices, and IT staff do not have the insight into these devices to determine a compromise,” Microsoft added.

Microsoft recommends that enterprises shorten the validity period of tokens and login sessions. However, this will result in users having to authenticate more frequently. In addition, the company advises adopting FIDO2 security keys and Windows Hello for Business or moving to certificate-based authentication for users. Microsoft also advises against linking accounts with particularly high user privileges to an email account.

“We recognize that while it is advisable for organizations to enforce location, device compliance and session duration controls for all applications, this is not always practical,” Microsoft added.