As we increasingly rely on online services for work, cybercriminals are finding new ways to breach security.
One of the latest tactics is token theft: the unauthorized acquisition of the digital tokens (session cookies, access and refresh tokens) that an application issues to a user after sign-in and then uses for authentication and access control. Because such a token is issued only after MFA has already been satisfied, an attacker who replays it gains access to corporate resources without ever having to complete, or bypass, multi-factor authentication themselves. Worse, the technique requires very little expertise and is hard to detect, leaving organizations exposed.
Let’s explore the different types of token theft and what can be done to prevent them.
1. Adversary-in-the-middle (AitM) phishing attack
Adversary-in-the-middle (AitM) phishing goes after the session token, not just the password. Instead of a static fake login page, the attacker places malicious proxy infrastructure between the user and the legitimate application: the phishing site relays the user's credentials and MFA response to the real service in real time, the real service issues a session, and the proxy captures both the credentials and the resulting token. Because the token was minted after MFA succeeded, the attacker can replay it without ever being challenged for a second factor.
2. Pass-the-cookie attack
A “pass-the-cookie” attack bypasses authentication controls by stealing the browser's authentication cookies and presenting them from the attacker's own browser; the application sees a valid, already-authenticated session and grants access to corporate resources. Personal devices used to reach corporate resources are a particular risk: they usually have weaker security controls, expose additional attack vectors, and are invisible to IT staff, which makes it easier for an attacker to copy authentication cookies and compromise both personal and corporate accounts.
It is important for organizations to be better prepared to detect, mitigate, and respond to these threats.
Detect
When a stolen token is replayed, the sign-in from the threat actor usually differs from the victim's own sign-ins in ways the identity provider can flag: a new IP address, network, device or geography, with no fresh MFA, shortly after a legitimate sign-in somewhere else. These surface as anomalous-token and impossible-travel alerts. Prioritize high-severity alerts and, above all, users who trigger several alerts in quick succession, since a replayed token tends to produce a burst of them.
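The two signals described above, impossible travel and a session reused from a new network without MFA, plus the "burst of alerts per user" triage rule, as an added example that is not code from the original page. The sign-in log is constructed; the field names, the 900 km/h travel threshold and the 10-minute burst window are assumptions, not any product's schema or defaults.

```python
import json
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (JSON lines); not real telemetry.
# Events 2-4 share session "s-111": the third reuses it six minutes later
# from another continent with no fresh MFA, the signature of a replayed token.
SIGNIN_LOG = """\
{"ts": "2024-03-04T08:00:00Z", "user": "alice", "ip": "203.0.113.10", "lat": 47.61, "lon": -122.33, "session": "s-111", "mfa": true}
{"ts": "2024-03-04T09:15:00Z", "user": "alice", "ip": "203.0.113.10", "lat": 47.61, "lon": -122.33, "session": "s-111", "mfa": false}
{"ts": "2024-03-04T09:21:00Z", "user": "alice", "ip": "198.51.100.7", "lat": 52.52, "lon": 13.40, "session": "s-111", "mfa": false}
{"ts": "2024-03-04T09:24:00Z", "user": "alice", "ip": "198.51.100.7", "lat": 52.52, "lon": 13.40, "session": "s-111", "mfa": false}
{"ts": "2024-03-04T09:30:00Z", "user": "bob", "ip": "192.0.2.5", "lat": 40.71, "lon": -74.01, "session": "s-222", "mfa": true}
{"ts": "2024-03-04T17:45:00Z", "user": "bob", "ip": "192.0.2.88", "lat": 41.88, "lon": -87.63, "session": "s-333", "mfa": true}
"""

MAX_PLAUSIBLE_KMH = 900.0             # assumed: faster than this is "impossible travel"
BURST_WINDOW = timedelta(minutes=10)  # assumed: alerts closer than this count as a burst


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_events(log_text):
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Alerts for impossible travel per user, and for a session ID reused from a new IP without MFA."""
    alerts = []
    last_by_user = {}
    ips_by_session = defaultdict(set)
    for ev in events:
        prev = last_by_user.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            if km > 1.0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                alerts.append({"user": ev["user"], "ts": ev["ts"], "type": "impossible_travel",
                               "severity": "high", "detail": f"{km:.0f} km in {hours * 60:.0f} min"})
        seen_ips = ips_by_session[ev["session"]]
        if seen_ips and ev["ip"] not in seen_ips and not ev["mfa"]:
            alerts.append({"user": ev["user"], "ts": ev["ts"], "type": "token_replay",
                           "severity": "high", "detail": f"session {ev['session']} now used from {ev['ip']}"})
        seen_ips.add(ev["ip"])
        last_by_user[ev["user"]] = ev
    return alerts


def burst_users(alerts, window=BURST_WINDOW, min_alerts=2):
    """Users with at least min_alerts high-severity alerts inside one window: triage these first."""
    times_by_user = defaultdict(list)
    for a in alerts:
        if a["severity"] == "high":
            times_by_user[a["user"]].append(a["ts"])
    hot = []
    for user, times in times_by_user.items():
        times.sort()
        if any(times[i + min_alerts - 1] - times[i] <= window
               for i in range(len(times) - min_alerts + 1)):
            hot.append(user)
    return sorted(hot)


if __name__ == "__main__":
    found = detect(parse_events(SIGNIN_LOG))
    for a in found:
        print(a["ts"].isoformat(), a["user"], a["type"], a["detail"])
    print("triage first:", burst_users(found))
```

Bob's New York to Chicago hop over eight hours stays well under the threshold and uses a fresh MFA-backed session, so he produces nothing; Alice's single replayed request fires both rules at once, which is exactly the burst the triage rule is looking for.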
Protect
Organizations can reduce the risk of token theft by first getting full visibility of where and how their users authenticate. From there, apply location, device-compliance and session-lifetime controls (shorter token lifetimes and forced re-authentication) to the applications and users at greatest risk. A stolen token is only useful to an attacker if the service accepts it from an unfamiliar device or location, and for long enough to act on it; each of these controls removes one of those conditions.
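How those three controls change the outcome of the AitM and pass-the-cookie replays described earlier, as an added example written for this page rather than taken from it. The token store, the 8-hour lifetime, the allowed-country list and the device identifier are assumptions standing in for whatever a real identity provider enforces; the point is the contrast between a pure bearer check and one that binds the session to device, location and age.

```python
import hashlib
import secrets
from datetime import datetime, timedelta


class SessionStore:
    """Issues a session token after MFA and validates it under a weak and a hardened policy."""

    def __init__(self, max_lifetime=timedelta(hours=8), allowed_countries=("US",)):
        self.max_lifetime = max_lifetime                  # assumed session-lifetime policy
        self.allowed_countries = set(allowed_countries)   # assumed location policy
        self._sessions = {}                               # sha256(token) -> session record

    @staticmethod
    def _key(token):
        # Store only a hash so a dump of the store does not yield usable bearer tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, device_id, country, now, mfa_completed):
        if not mfa_completed:
            raise PermissionError("MFA must succeed before a session is issued")
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": user, "device_id": device_id, "country": country, "issued": now,
        }
        return token

    def validate_weak(self, token):
        """Pure bearer check: whoever holds the token is the user, from anywhere, until the record is deleted."""
        rec = self._sessions.get(self._key(token))
        return rec["user"] if rec else None

    def validate_hardened(self, token, device_id, country, now):
        """Token must come from the device it was issued to, from an allowed location, within its lifetime."""
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return None, "unknown_token"
        if now - rec["issued"] > self.max_lifetime:
            self.revoke(token)                 # stale sessions are dropped, forcing re-authentication
            return None, "expired"
        if device_id != rec["device_id"]:
            return None, "device_mismatch"     # device compliance / binding
        if country not in self.allowed_countries:
            return None, "location_not_allowed"
        return rec["user"], "ok"

    def revoke(self, token):
        self._sessions.pop(self._key(token), None)


def replay_scenario():
    """Alice signs in with MFA; an attacker replays her token from another device and country minutes later."""
    store = SessionStore()
    t0 = datetime(2024, 3, 4, 8, 0, 0)
    token = store.issue("alice", device_id="laptop-A", country="US", now=t0, mfa_completed=True)
    later = t0 + timedelta(minutes=5)
    return {
        "weak_accepts_attacker": store.validate_weak(token),
        "hardened_accepts_owner": store.validate_hardened(token, "laptop-A", "US", later),
        "hardened_rejects_attacker": store.validate_hardened(token, "attacker-box", "DE", later),
        "hardened_rejects_wrong_location": store.validate_hardened(token, "laptop-A", "DE", later),
        "hardened_rejects_unknown": store.validate_hardened("not-a-token", "laptop-A", "US", later),
        "hardened_rejects_stale": store.validate_hardened(token, "laptop-A", "US", t0 + timedelta(hours=9)),
    }


if __name__ == "__main__":
    for name, outcome in replay_scenario().items():
        print(f"{name}: {outcome}")
```

The weak path is what a stolen cookie exploits: the token alone is proof of identity. The hardened path still accepts the genuine user on their own device, which is why these controls can be applied to the riskiest applications without breaking normal use.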
Respond
Check the compromised user's account for other signs of persistence: new mailbox rules (especially ones that forward externally or delete messages), changes to MFA methods, newly enrolled devices, data exfiltration, and high-risk modifications to the tenant. Incident responders should review all audit logs related to the user's activity with these indicators in mind. Note that resetting the password does not by itself invalidate tokens that were already issued; revoke the user's active sessions and refresh tokens as well.
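A persistence hunt over audit events for the indicators just listed, with the containment step each one implies, as an added example that is not part of the original page. The audit log is constructed and its event names and fields are an assumed schema, not any product's; the containment strings are an assumed playbook. The hunt starts from the time of the first suspicious sign-in so that earlier, legitimate activity by the same user is not swept up.

```python
import json
from datetime import datetime

# Constructed audit events (JSON lines) in an assumed schema; not a real tenant's log.
# "alice" was compromised at 09:21; what follows is the persistence an attacker plants
# so that access survives a password reset. "bob" creates a benign rule for contrast.
AUDIT_LOG = """\
{"ts": "2024-03-04T08:05:00Z", "actor": "alice", "op": "inbox_rule_created", "target": "Newsletters", "detail": {"move_to": "Archive"}}
{"ts": "2024-03-04T09:26:00Z", "actor": "alice", "op": "inbox_rule_created", "target": "Rule-1", "detail": {"forward_to": "drop@example.net", "delete": true}}
{"ts": "2024-03-04T09:28:00Z", "actor": "alice", "op": "mfa_method_changed", "target": "alice", "detail": {"added": "+15555550199"}}
{"ts": "2024-03-04T09:31:00Z", "actor": "alice", "op": "device_registered", "target": "DESKTOP-7K2", "detail": {}}
{"ts": "2024-03-04T09:40:00Z", "actor": "alice", "op": "files_downloaded", "target": "Finance", "detail": {"count": 45}}
{"ts": "2024-03-04T09:45:00Z", "actor": "alice", "op": "role_member_added", "target": "Global Administrator", "detail": {"member": "svc-backup"}}
{"ts": "2024-03-04T10:00:00Z", "actor": "bob", "op": "inbox_rule_created", "target": "Tickets", "detail": {"move_to": "Helpdesk"}}
"""

BULK_DOWNLOAD_THRESHOLD = 20  # assumed: more files than this in one event is worth a look

SEVERITY = {
    "mailbox_rule_forward_or_delete": "high",
    "mfa_method_changed": "high",
    "privileged_role_change": "high",
    "device_registered": "medium",
    "bulk_download": "medium",
}

# Containment step per finding kind (assumed playbook, not a product feature).
CONTAINMENT = {
    "mailbox_rule_forward_or_delete": "delete inbox rule {target}",
    "mfa_method_changed": "remove added MFA method and re-verify {target} out of band",
    "privileged_role_change": "remove unexpected member from role {target}",
    "device_registered": "disable or wipe device {target}",
    "bulk_download": "scope exfiltration from {target} and notify the data owner",
}


def parse_audit(text):
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def classify(ev):
    """Map one audit event to a persistence indicator, or None if it looks benign."""
    op, d = ev["op"], ev.get("detail", {})
    if op == "inbox_rule_created" and (d.get("forward_to") or d.get("delete")):
        return "mailbox_rule_forward_or_delete"   # a rule that only files mail is not flagged
    if op == "mfa_method_changed":
        return "mfa_method_changed"
    if op == "device_registered":
        return "device_registered"
    if op == "files_downloaded" and d.get("count", 0) >= BULK_DOWNLOAD_THRESHOLD:
        return "bulk_download"
    if op == "role_member_added":
        return "privileged_role_change"
    return None


def hunt_persistence(events, user, since):
    """Findings for `user` at or after `since` (the first suspicious sign-in), oldest first."""
    findings = []
    for ev in events:
        if ev["actor"] != user or ev["ts"] < since:
            continue
        kind = classify(ev)
        if kind:
            findings.append({"ts": ev["ts"], "kind": kind, "severity": SEVERITY[kind], "target": ev["target"]})
    return findings


def containment_plan(findings):
    """Kill the stolen token first (a password reset alone leaves it valid), then undo each foothold."""
    plan = ["revoke all sessions and refresh tokens", "reset password"]
    for f in findings:
        plan.append(CONTAINMENT[f["kind"]].format(target=f["target"]))
    return plan


def investigate(user, since_iso):
    since = datetime.strptime(since_iso, "%Y-%m-%dT%H:%M:%SZ")
    findings = hunt_persistence(parse_audit(AUDIT_LOG), user, since)
    return findings, containment_plan(findings)


if __name__ == "__main__":
    found, plan = investigate("alice", "2024-03-04T09:21:00Z")
    for f in found:
        print(f["ts"].isoformat(), f["severity"], f["kind"], f["target"])
    print("\n".join(plan))
```

Run it for the victim with the timestamp of the first anomalous sign-in: every finding after that point is something the attacker can use to get back in after the obvious cleanup, which is why the plan revokes tokens before it touches anything else.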
Multifactor authentication combined with basic security measures is credited with stopping 98% of attacks, but token theft sits squarely in the remainder: it works precisely because the token is issued after MFA has succeeded. MFA therefore has to be paired with the detection, session and device controls above rather than treated as a guarantee of security.