The Rise of Token Theft: How to Shield Your Data from Cyber Attacks

Token Theft is a rising security threat that allows attackers to bypass MFA and enter your systems. Learn how to protect against it.

Oliver Coop, Author
30 September 2024 · 4 min read

Understanding Identity Token Theft

Identity token theft occurs when an attacker waits for a legitimate user to obtain a token and then steals it to gain unauthorised access. While most attacks still target passwords, multi-factor authentication (MFA) remains essential. However, as MFA usage increases, attackers are turning to credential bypass attacks like token theft. In 2023 alone, Microsoft detected 147,000 token theft attacks, marking a 111% increase from the previous year.

How Token Theft Works

When you sign into a site or service using your security credentials, including MFA, an identity provider issues your tokens. These tokens describe who you are and what you can do, and you present them to access applications and services. Tokens are stored in the background by your browser, apps, or mobile device management service, so you don’t have to re-enter your credentials every time. If an attacker accesses these tokens and makes a copy, they can access your resources without needing your username, password, or a successful MFA challenge.

Real-World Example of Token Theft

Consider this scenario: A user signs into a cloud storage account using MFA and receives a session token. They click on a malicious link, which installs malware that copies the session token and sends it to the attacker. The attacker then uses the token to access the cloud storage and download confidential documents. Other methods of token theft include copying tokens from network proxies or routers or extracting them from server logs.

Implementing Token Protection

Protect your organisation from token theft with Microsoft Entra, Intune, Defender XDR & Windows.

To prevent token theft, it’s essential to bind the token to the device it was issued to, a process known as token protection or token binding. This method, currently in preview, requires apps and services to support token binding. It works with Microsoft Intune enrolment, Outlook, SharePoint, and Microsoft Teams. Token protection ensures that tokens only work on the specific device they were issued to, preventing attackers from using stolen tokens.
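The difference between a bearer token and a device-bound token can be shown with a simplified model. This is an added example, not Microsoft's protocol or code from this article: it uses an HMAC over a server challenge in place of the hardware-backed asymmetric key a real implementation would use, and all names, keys and device IDs are constructed.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

IDP_KEY = secrets.token_bytes(32)  # identity provider signing key (constructed)


def mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue_token(user: str, device_id: Optional[str]) -> dict:
    """Issue a signed token; device_id=None models an unbound bearer token."""
    claims = {"sub": user, "device_id": device_id}
    return {"claims": claims, "sig": mac(IDP_KEY, json.dumps(claims, sort_keys=True).encode())}


def device_proof(device_key: bytes, nonce: bytes) -> str:
    """Runs on the device; the key never leaves it (hardware-backed in practice)."""
    return mac(device_key, nonce)


def accept(token: dict, nonce: bytes, proof: Optional[str], registered: dict) -> bool:
    """Resource-side check: IdP signature first, then proof of the bound key."""
    body = json.dumps(token["claims"], sort_keys=True).encode()
    if not hmac.compare_digest(token["sig"], mac(IDP_KEY, body)):
        return False  # forged or altered claims
    device_id = token["claims"]["device_id"]
    if device_id is None:
        return True  # bearer token: whoever holds a copy is accepted
    key = registered.get(device_id)
    if key is None or proof is None:
        return False
    return hmac.compare_digest(proof, mac(key, nonce))


def demo() -> dict:
    key = secrets.token_bytes(32)    # stays on laptop-01
    registered = {"laptop-01": key}  # recorded at device enrolment
    bearer, bound = issue_token("alice", None), issue_token("alice", "laptop-01")
    stripped = {"claims": {"sub": "alice", "device_id": None}, "sig": bound["sig"]}
    nonce = secrets.token_bytes(16)  # fresh server challenge per request
    return {
        "bearer_copy": accept(bearer, nonce, None, registered),
        "bound_on_device": accept(bound, nonce, device_proof(key, nonce), registered),
        "bound_copy": accept(bound, nonce, None, registered),
        "bound_copy_other_key": accept(bound, nonce, device_proof(secrets.token_bytes(32), nonce), registered),
        "binding_stripped": accept(stripped, nonce, None, registered),
    }
```

A copied bearer token is accepted anywhere, while a copied bound token is rejected because the copy does not come with the device key, and editing the claims to remove the binding invalidates the issuer's signature.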

Using Conditional Access Policies

Conditional Access policies allow you to require bound tokens to access resources. For example, you can configure policies to target Office 365 Exchange and SharePoint Online, specify Windows as the platform, and require token protection for sign-in sessions. This ties tokens to the device they were issued to, preventing attackers from using stolen tokens.
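One way to check that such a policy is actually enforced is to audit an export of your Conditional Access policies. The following is an added example, not code from this article or from Microsoft: the field names (including `secureSignInSession` for the token protection session control) follow the Microsoft Graph policy JSON shape as an assumption, and the three sample policies are constructed.

```python
# Added example: field names follow the Microsoft Graph conditionalAccessPolicy
# JSON shape as an assumption; verify them against an export from your tenant.
EXCHANGE = "00000002-0000-0ff1-ce00-000000000000"    # Office 365 Exchange Online
SHAREPOINT = "00000003-0000-0ff1-ce00-000000000000"  # Office 365 SharePoint Online
REQUIRED_APPS = {EXCHANGE, SHAREPOINT}


def requires_token_protection(policy: dict) -> bool:
    """True if the policy is enforced, applies to Windows, and binds sessions."""
    if policy.get("state") != "enabled":
        return False  # report-only and disabled policies enforce nothing
    cond = policy.get("conditions") or {}
    platforms = cond.get("platforms") or {}
    included = set(platforms.get("includePlatforms") or ["all"])
    excluded = set(platforms.get("excludePlatforms") or [])
    if "windows" in excluded or not included & {"windows", "all"}:
        return False
    session = policy.get("sessionControls") or {}
    return bool((session.get("secureSignInSession") or {}).get("isEnabled"))


def unprotected_apps(policies: list) -> set:
    """Required app IDs that no enforced token-protection policy covers."""
    covered = set()
    for policy in policies:
        if not requires_token_protection(policy):
            continue
        apps = (policy.get("conditions") or {}).get("applications") or {}
        included = set(apps.get("includeApplications") or [])
        excluded = set(apps.get("excludeApplications") or [])
        if included & {"All", "Office365"}:  # both groupings include these apps
            included |= REQUIRED_APPS
        covered |= (included & REQUIRED_APPS) - excluded
    return REQUIRED_APPS - covered


def sample_policy(name, state, apps, token_protection):  # constructed sample data
    return {
        "displayName": name, "state": state,
        "conditions": {"applications": {"includeApplications": apps},
                       "platforms": {"includePlatforms": ["windows"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {"secureSignInSession": {"isEnabled": True}} if token_protection else None,
    }


MFA_ONLY = sample_policy("Require MFA", "enabled", ["All"], False)
REPORT_ONLY = sample_policy("Token protection (pilot)", "enabledForReportingButNotEnforced", [EXCHANGE, SHAREPOINT], True)
ENFORCED = sample_policy("Token protection", "enabled", [EXCHANGE, SHAREPOINT], True)
```

An MFA-only policy and a report-only token protection policy both leave Exchange and SharePoint listed as unprotected; only the enforced policy clears them.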

Additional Defences Against Token Theft

While token protection is the strongest defence against token theft, not all applications or platforms support it. Other countermeasures include requiring managed and compliant devices, enabling Local Security Authority Protection, and using Credential Guard. These settings can be enforced using Windows policies and device compliance checks in Conditional Access.

Detecting and Shutting Down Attacks

Microsoft Entra ID has built-in detections for token theft and evaluates user and sign-in risk automatically. Configuring risk-based access policies allows you to block or revoke tokens when token theft is suspected. Continuous access evaluation enables real-time re-authentication. Additionally, you can enforce location policies and compliant network checks using Microsoft Entra Internet Access.

Conclusion

Token theft is a serious threat to your identity and data security. Microsoft Entra, along with Windows, Microsoft Intune, and Microsoft Defender XDR, can help protect your tokens and stop replay attacks. At CMS Group, we specialise in helping organisations like yours navigate these challenges and implement robust IT strategies. To learn more and to get started, book a consultation with us today via hello@cms-group.net or call 0203 4044 700.

 

By taking proactive steps to protect your tokens, you can significantly enhance your security posture and safeguard your valuable data. If you need expert guidance on this or any other IT strategy considerations, CMS Group is here to help. Contact us today to schedule a consultation and let us assist you in fortifying your defences against token theft and other cyber threats.
