With cybercriminals evolving their tactics, traditional security measures such as strong passwords and Multi-Factor Authentication (MFA) are no longer sufficient to protect businesses from all threats. One of the latest and rapidly growing threats is token theft, which allows cybercriminals to bypass authentication mechanisms and gain unauthorized access to Microsoft 365 and other cloud-based services.
This article provides a comprehensive guide on what token theft is, how it happens, and the strategies businesses can implement to protect themselves from this type of cyberattack.
What is Token Theft?
Token theft occurs when cybercriminals steal authentication tokens stored on a user’s device. These tokens are created after a successful login with credentials and MFA, allowing seamless access to cloud applications without repeated authentication.
Think of it like a fairground ticket: once you purchase a ticket, you can access all the rides without buying another. If someone steals and copies your ticket, they can also access the fairground without your knowledge. Similarly, if a hacker steals your authentication token, they can access your Microsoft 365 data as if they were you.
How Cybercriminals Steal Tokens
- Phishing Attacks – Users receive emails with malicious links that install malware designed to extract authentication tokens.
- Session Hijacking – Attackers intercept session cookies through network vulnerabilities.
- Malicious Software – Keyloggers and other malware extract stored tokens from devices.
- Social Engineering – Attackers trick users into executing scripts that exfiltrate tokens.
With token theft attacks up 111% last year, it is crucial for businesses to take proactive steps to mitigate this risk.
How to Protect Your Business Against Token Theft
1. Maintain Good Cyber Hygiene
Cyber hygiene refers to best practices that reduce the risk of token theft in the first place:
- Use Endpoint Security Solutions – Deploy Microsoft Defender for Endpoint to detect and block malware.
- Secure Emails – Utilize Defender for Office 365 to prevent phishing emails.
- Limit Admin Access – Ensure users do not have local admin rights on their computers to prevent malware installation.
2. Use Compliant Devices Only
Restricting access to only company-managed and compliant devices significantly reduces the risk of stolen tokens being used elsewhere.
- Deploy Conditional Access Policies – Restrict Microsoft 365 access to only devices that are registered and compliant in Intune.
- Enforce Compliance Policies – Require devices to have security measures such as:
  - Firewall enabled
  - Antivirus protection
  - BitLocker encryption
  - Latest OS updates
- Automate Compliance Monitoring – If a device falls out of compliance, it can be restricted or retired automatically.
3. Restrict Access by Location
By default, users can access Microsoft 365 from anywhere. Cybercriminals exploit this by replaying stolen tokens from geographic locations the legitimate user never signs in from.
- Create Approved Locations – Allow access only from trusted locations (e.g., company offices or specific IP ranges).
- Enforce Location-Based Conditional Access Policies – Block access to Microsoft 365 when tokens are used outside approved locations.
- Test Policies Before Full Deployment – Start with a small group to ensure legitimate users are not locked out.
4. Implement Token Protection Conditional Access
Microsoft Entra ID allows businesses to enforce token binding, preventing stolen tokens from being used on unauthorized devices.
- Require Token Protection – Bind authentication tokens to the specific device on which they were created.
- Target Exchange, SharePoint, and Teams – Currently, token protection applies to these Microsoft 365 services.
- Limit Token Use to Windows Devices – As of now, this feature works only on Windows platforms.
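To make the token-binding idea concrete, here is an added example (not Microsoft's code or the Entra ID implementation) that contrasts a plain bearer token with a token bound to a registered device key. It deliberately simplifies: the device key is a symmetric secret the toy identity provider also holds, whereas real token protection uses an asymmetric key kept in the device's TPM so the provider never holds the private half. The user, device and key values are constructed for the demo.

```python
"""Bearer token vs device-bound token: a simplified model of why token
protection stops a replayed token (added example, not Microsoft's code)."""
import hashlib
import hmac
import json
import secrets
import time


class IdentityProvider:
    """Toy IdP that issues tokens and authorizes requests carrying them."""

    def __init__(self):
        self.signing_key = secrets.token_bytes(32)  # signs the token body
        self.device_keys = {}                        # device_id -> registered device key (assumption: symmetric)
        self.used_nonces = set()                     # proofs are single-use

    def register_device(self, device_id):
        # One-time device registration; in a real system the key never leaves the device.
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def _sign(self, payload):
        body = json.dumps(payload, sort_keys=True).encode()
        mac = hmac.new(self.signing_key, body, hashlib.sha256).hexdigest()
        return body.hex() + "." + mac

    def _verify(self, token):
        body_hex, mac = token.split(".")
        body = bytes.fromhex(body_hex)
        expected = hmac.new(self.signing_key, body, hashlib.sha256).hexdigest()
        return json.loads(body) if hmac.compare_digest(mac, expected) else None

    def issue(self, user, device_id=None):
        payload = {"sub": user, "exp": int(time.time()) + 3600}
        if device_id is not None:
            # 'cnf' (confirmation) claim: thumbprint of the device key the token is bound to
            payload["cnf"] = hashlib.sha256(self.device_keys[device_id]).hexdigest()
            payload["device_id"] = device_id
        return self._sign(payload)

    def authorize(self, token, proof=None):
        """Return the subject if the request is allowed, otherwise None."""
        claims = self._verify(token)
        if claims is None or claims["exp"] < time.time():
            return None
        if "cnf" not in claims:
            return claims["sub"]  # bearer token: whoever holds it is accepted
        if proof is None:
            return None           # bound token without proof of possession
        nonce, mac = proof
        if nonce in self.used_nonces:
            return None           # captured proof replayed
        key = self.device_keys.get(claims["device_id"])
        if key is None or hashlib.sha256(key).hexdigest() != claims["cnf"]:
            return None
        expected = hmac.new(key, (nonce + token).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None           # proof made with a key other than the bound one
        self.used_nonces.add(nonce)
        return claims["sub"]


def make_proof(device_key, token):
    """What the legitimate device does per request: sign a fresh nonce plus the token."""
    nonce = secrets.token_hex(16)
    return nonce, hmac.new(device_key, (nonce + token).encode(), hashlib.sha256).hexdigest()


def demo():
    idp = IdentityProvider()
    laptop_key = idp.register_device("laptop-01")
    bearer = idp.issue("alice@example.com")
    bound = idp.issue("alice@example.com", device_id="laptop-01")

    results = {}
    # A stolen bearer token replayed from the attacker's machine is accepted as Alice.
    results["stolen_bearer"] = idp.authorize(bearer)
    # A stolen bound token replayed without the device key is rejected.
    results["stolen_bound_no_proof"] = idp.authorize(bound)
    # A proof made with a key the token is not bound to is rejected.
    results["stolen_bound_wrong_key"] = idp.authorize(bound, make_proof(secrets.token_bytes(32), bound))
    # The registered device presenting a fresh proof is accepted.
    proof = make_proof(laptop_key, bound)
    results["legit_bound"] = idp.authorize(bound, proof)
    # The same proof captured and replayed is rejected.
    results["replayed_proof"] = idp.authorize(bound, proof)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {'accepted as ' + outcome if outcome else 'rejected'}")
```

The point of the demo is the first two results: the bearer token is usable by anyone who copies it off the device, while the bound token is useless without the key that never left the device. That is exactly the gap the Require Token Protection control closes for the services it covers.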
5. Enable Risk-Based Conditional Access (Requires Entra ID P2)
Microsoft uses AI-powered risk detection to monitor user activities and detect suspicious behavior.
- Sign-in Risk Policy – Prompt users for MFA if Microsoft detects:
  - Impossible travel (e.g., login attempts from different continents within minutes)
  - Anonymous or TOR network logins
  - Suspicious IP addresses
- User Risk Policy – Require password reset and MFA or block users if Microsoft determines a user’s credentials are compromised.
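The following added example (not Microsoft's detection logic or any Entra ID code) shows, over a constructed sign-in log, the two checks described in sections 3 and 5: whether a sign-in's source IP falls inside an approved named location, and whether consecutive sign-ins by the same user imply impossible travel. The IP ranges, coordinates, users and speed threshold are all constructed for the demo.

```python
"""Trusted-location check plus impossible-travel detection over a constructed
sign-in log (added example, not Microsoft's implementation)."""
import ipaddress
import math
from datetime import datetime, timezone

# Named locations as an administrator would define them (constructed ranges).
TRUSTED_LOCATIONS = {
    "HQ office": ["203.0.113.0/24"],
    "Branch VPN": ["198.51.100.0/25"],
}

# Fastest plausible travel in km/h; two sign-ins implying more cannot both be the user.
MAX_SPEED_KMH = 900.0

# Constructed sign-in log: (UTC timestamp, user, source IP, latitude, longitude).
SIGNIN_LOG = [
    ("2024-05-01T08:02:11Z", "alice@example.com", "203.0.113.42", 51.5074, -0.1278),   # London office
    ("2024-05-01T08:40:53Z", "alice@example.com", "192.0.2.77", 40.7128, -74.0060),    # New York, 38 min later
    ("2024-05-01T09:00:00Z", "alice@example.com", "203.0.113.42", 51.5074, -0.1278),   # London office again
    ("2024-05-01T09:15:00Z", "bob@example.com", "198.51.100.10", 48.8566, 2.3522),     # Paris over VPN
    ("2024-05-01T17:30:00Z", "bob@example.com", "198.51.100.11", 48.8566, 2.3522),     # Paris over VPN
]


def in_trusted_location(ip):
    """Return the named location containing ip, or None if it is untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in TRUSTED_LOCATIONS.items():
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return name
    return None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    earth_radius = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlambda / 2) ** 2
    return 2 * earth_radius * math.asin(math.sqrt(a))


def evaluate(log):
    """Apply the location policy and the sign-in risk check to each entry in order."""
    last_seen = {}   # user -> (time, lat, lon) of the previous sign-in
    findings = []
    for ts, user, ip, lat, lon in log:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        location = in_trusted_location(ip)
        risk = "none"
        if user in last_seen:
            prev_when, prev_lat, prev_lon = last_seen[user]
            hours = (when - prev_when).total_seconds() / 3600
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                risk = "impossible travel (%.0f km in %.0f min)" % (km, hours * 60)
        last_seen[user] = (when, lat, lon)

        # Location policy blocks outright; the risk policy escalates to MFA.
        if location is None:
            decision = "block: outside approved locations"
        elif risk != "none":
            decision = "require MFA: sign-in risk"
        else:
            decision = "allow"
        findings.append({"time": ts, "user": user, "ip": ip,
                         "location": location, "risk": risk, "decision": decision})
    return findings


if __name__ == "__main__":
    for f in evaluate(SIGNIN_LOG):
        print(f"{f['time']} {f['user']:<18} {f['ip']:<14} {f['location'] or '-':<10} "
              f"{f['decision']}  [{f['risk']}]")
```

Alice's second sign-in is blocked by the location policy alone, and her third, although it comes from the office, is flagged because London is unreachable from New York in nineteen minutes, which is what the sign-in risk policy catches. Bob's two Paris sign-ins pass both checks. Tuning MAX_SPEED_KMH and the trusted ranges is the same judgment call the article makes in "Test Policies Before Full Deployment".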
Additional Considerations
If your business requires enhanced security, upgrading to Entra ID P2 provides:
- Automated Risk Detection and Remediation – Advanced monitoring of user behavior and automated responses to suspicious activities.
- Access Reviews and Just-in-Time Privileges – Reduce exposure by limiting persistent access.
- Identity Protection Reports – Gain insights into potential risks and mitigate threats proactively.
Cybercriminals are continuously evolving, and token theft has become a major security risk even for organizations using MFA. However, by implementing cyber hygiene practices, device compliance, access restrictions, token protection, and risk-based policies, businesses can significantly reduce their exposure to token theft attacks.
Whether you’re just starting your cloud security journey or need to strengthen your existing defenses, we’re here to guide you every step of the way. Contact us today for a free security consultation.