In today’s digital age, cyberattacks are constantly evolving. One of the fastest-growing threats in Microsoft 365 is token theft, or token replay attacks, which have surged over 111% year-over-year. This article explains what token theft is, how it works, why it threatens your business, and the top four security policies to implement in Microsoft 365 to protect against these attacks.
What are Tokens?
A token is a digital credential, key, or temporary pass that proves your identity when you access a specific resource on Dynamics 365. When you attempt to access Dynamics 365, the system verifies your identity using Microsoft Entra ID (formerly Azure Active Directory). Upon successful login, Microsoft Entra ID issues a token – a unique string of characters that serves as proof of your authenticated identity.
Each time you access a resource, you don’t need to repeatedly enter your username and password because the token grants you access. Typically, each token has a limited lifespan for security purposes. Once the token expires, you must generate a new one by logging in to Dynamics 365 again. This process renews the token and reauthenticates your access to maintain security.
All users of Dynamics 365 utilise tokens as part of the authentication process, often without being aware of it. This process is handled in the backend by Microsoft Entra ID.
What is Token Theft?
Token theft occurs when a cybercriminal steals a user’s authentication token and uses it to access their account. Alarmingly, multi-factor authentication (MFA) cannot fully protect against this threat: the token is issued only after MFA has been satisfied, so an attacker who replays it is never challenged for a second factor and can impersonate the user.
How Token Theft Works
A session token is a digital credential that verifies a user’s authentication to access specific resources in Microsoft 365, such as email, SharePoint, or Teams. Once issued, a token allows users to access these resources without needing to re-enter their username, password, or MFA code each time.
Token theft allows an attacker to impersonate a legitimate user and access their resources without ever needing the user’s credentials. Attackers can steal tokens by:
- Installing malware on a user’s device.
- Extracting session cookies from web browsers such as Microsoft Edge and Chrome.
- Using phishing techniques, such as adversary-in-the-middle (AiTM) proxies, to capture tokens.
Once attackers obtain the token, they can ‘replay’ it on their device, making it appear as if they are the legitimate user.
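As an added example that is not part of the original article, the PowerShell below hunts for the replay pattern just described in Entra ID sign-in data: the same session token turning up from a second country within a short window, from a second device, or from a non-compliant device. The sign-in records are constructed for the example, and the field names are assumed to follow the Microsoft Graph signIn resource (sessionId is taken from the beta schema).

```powershell
# Constructed Entra ID sign-in records (made up for this example). Field names
# follow the Microsoft Graph signIn resource; 'sessionId' (beta schema) identifies
# the session whose token is being presented.
$signIns = @(
    [pscustomobject]@{ createdDateTime = '2024-05-06T08:02:11Z'; userPrincipalName = 'alice@contoso.example'; sessionId = 's-1001'; ipAddress = '203.0.113.10';  countryOrRegion = 'AU'; deviceId = 'd-alice-laptop'; isCompliant = $true }
    [pscustomobject]@{ createdDateTime = '2024-05-06T08:40:55Z'; userPrincipalName = 'alice@contoso.example'; sessionId = 's-1001'; ipAddress = '198.51.100.77'; countryOrRegion = 'NL'; deviceId = '';               isCompliant = $false }
    [pscustomobject]@{ createdDateTime = '2024-05-06T09:10:03Z'; userPrincipalName = 'bob@contoso.example';   sessionId = 's-2002'; ipAddress = '203.0.113.22';  countryOrRegion = 'AU'; deviceId = 'd-bob-desktop';  isCompliant = $true }
    [pscustomobject]@{ createdDateTime = '2024-05-06T09:35:41Z'; userPrincipalName = 'bob@contoso.example';   sessionId = 's-2002'; ipAddress = '203.0.113.22';  countryOrRegion = 'AU'; deviceId = 'd-bob-desktop';  isCompliant = $true }
)

# Group sign-ins by session: a token legitimately lives on one device in one place,
# so the same session surfacing from another country, another device, or a
# non-compliant device is the replay pattern described above.
function Find-TokenReplay {
    param(
        [Parameter(Mandatory)][object[]]$SignIns,
        [string[]]$TrustedCountries = @('AU'),   # countries covered by your trusted named locations
        [int]$MaxMinutesBetweenCountries = 120   # two countries inside this window is faster than travel
    )
    foreach ($group in ($SignIns | Group-Object sessionId)) {
        $events  = @($group.Group | Sort-Object { [datetime]$_.createdDateTime })
        $reasons = [System.Collections.Generic.List[string]]::new()

        $countries = @($events.countryOrRegion | Sort-Object -Unique)
        if ($countries.Count -gt 1) {
            # Span between the first and last sign-in of this session.
            $span = ([datetime]$events[-1].createdDateTime) - ([datetime]$events[0].createdDateTime)
            if ($span.TotalMinutes -le $MaxMinutesBetweenCountries) {
                $reasons.Add("session seen from $($countries -join ',') within $([int]$span.TotalMinutes) min")
            }
        }
        if (@($events.deviceId | Sort-Object -Unique).Count -gt 1) { $reasons.Add('session presented from more than one device') }
        if ($events | Where-Object { -not $_.isCompliant }) { $reasons.Add('sign-in from non-compliant device') }
        if ($events | Where-Object { $_.countryOrRegion -notin $TrustedCountries }) { $reasons.Add('sign-in outside trusted locations') }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                User      = $events[0].userPrincipalName
                SessionId = $group.Name
                FirstSeen = $events[0].createdDateTime
                Reasons   = $reasons -join '; '
            }
        }
    }
}

# With the constructed data, only alice's session s-1001 is reported; bob's is clean.
Find-TokenReplay -SignIns $signIns | Format-List
```

In a real tenant the same logic runs over the output of Get-MgBetaAuditLogSignIn or an exported sign-in log, with the trusted-country list matched to your named locations.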
Risks to Your Business
Once an attacker has successfully stolen a token, they can:
- Access corporate resources like email, documents, and Teams.
- Send internal phishing emails to move laterally within the organisation.
- Exfiltrate sensitive data, including intellectual property and confidential customer information.
- Set up inbox rules to forward sensitive emails for data exfiltration.
These attacks can impact your organisation, causing financial losses, reputational damage, and legal liabilities. So, how can you defend against token theft in Microsoft 365?
Top Four Security Policies to Prevent Token Theft
1. Enforce Device Compliance
To limit the damage from token theft, ensure only compliant devices can access corporate resources. Devices accessing Microsoft 365 should meet your security standards, including antivirus protection, Intune enrolment, and encryption. With compliance enforced, a stolen token presented from a non-compliant device is refused.
2. Use Conditional Access with Strict Location Enforcement in Continuous Access Evaluation
Protect your environment by setting up conditional access policies that limit Microsoft 365 access to trusted locations, such as the corporate network or a VPN. Even if attackers steal a token, it is only honoured when presented from an approved location. These policies guard against adversary-in-the-middle (AiTM) and pass-the-cookie attacks by blocking unauthorised access immediately. This approach provides greater security than traditional CAE, which has a default token TTL of one hour.
3. Token Binding
For stronger protection, enable token binding. This ties session tokens to a specific device, preventing their use on another device if stolen. Although still in preview, this feature effectively prevents attackers from using stolen tokens on other devices.
4. Risky Sign-In + CAE
Continuous Access Evaluation (CAE) monitors session activity and periodically re-evaluates whether the session is still trustworthy. If CAE detects unusual activity, such as a sudden change in location, it requires re-authentication. With Entra P2 licensing, additional risk detection signals are available for evaluation, and conditional access policies can be configured to block sign-ins when the sign-in risk level is determined to be medium or high.
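As an added example, not code from the original article, the Microsoft Graph PowerShell below creates the four controls in this section as Conditional Access policies. It assumes the Microsoft.Graph.Beta module is installed (the CAE and token protection session controls are preview features exposed on the beta endpoint, and their property names are taken from that schema), that an administrator has consented to Policy.ReadWrite.ConditionalAccess, and that the break-glass group id is a placeholder you replace; the policies are created in report-only state so the sign-in logs show their effect before anything is blocked.

```powershell
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'   # Microsoft.Graph.Beta cmdlets load on demand
$BreakGlassGroupId = '<break-glass-group-object-id>'           # placeholder: your emergency-access group
$ExchangeOnline    = '00000002-0000-0ff1-ce00-000000000000'    # well-known first-party app ids
$SharePointOnline  = '00000003-0000-0ff1-ce00-000000000000'

# Common scaffold: report-only, all users except the emergency-access group,
# all cloud apps and client types; $Conditions adds to or overrides these.
function New-CaPolicyBody {
    param([string]$Name, [hashtable]$Conditions = @{}, [hashtable]$Grant, [hashtable]$Session)
    $cond = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    foreach ($k in $Conditions.Keys) { $cond[$k] = $Conditions[$k] }
    $body = @{ displayName = $Name; state = 'enabledForReportingButNotEnforced'
               conditions = $cond; grantControls = $Grant }
    if ($Session) { $body.sessionControls = $Session }
    return $body
}

$policies = @(
    # 1. Device compliance: tokens are only issued to Intune-compliant devices.
    (New-CaPolicyBody -Name 'CA01 Require compliant device' `
        -Grant @{ operator = 'OR'; builtInControls = @('compliantDevice') })
    # 2. Trusted locations only; CAE strictly enforces the location condition at the
    #    resource, so a token replayed from elsewhere is rejected at once, not at expiry.
    (New-CaPolicyBody -Name 'CA02 Block untrusted locations' `
        -Conditions @{ locations = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') } } `
        -Grant @{ operator = 'OR'; builtInControls = @('block') } `
        -Session @{ continuousAccessEvaluation = @{ mode = 'strictEnforcement' } })
    # 3. Token protection (token binding) for Exchange/SharePoint desktop clients on
    #    Windows: a session token only works on the device it was issued to.
    (New-CaPolicyBody -Name 'CA03 Token protection' `
        -Conditions @{ applications   = @{ includeApplications = @($ExchangeOnline, $SharePointOnline) }
                       platforms      = @{ includePlatforms = @('windows') }
                       clientAppTypes = @('mobileAppsAndDesktopClients') } `
        -Grant @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') } `
        -Session @{ secureSignInSession = @{ isEnabled = $true } })
    # 4. Block medium/high sign-in risk (needs Entra ID P2); risk detections also
    #    trigger CAE re-evaluation of live sessions, so no extra session control.
    (New-CaPolicyBody -Name 'CA04 Block risky sign-ins' `
        -Conditions @{ signInRiskLevels = @('medium', 'high') } `
        -Grant @{ operator = 'OR'; builtInControls = @('block') })
)

foreach ($policy in $policies) {
    New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State
}
```

Review the report-only results in the sign-in logs, then switch each policy's state to 'enabled' once the break-glass exclusion and trusted named locations are confirmed.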
Closing Thoughts: Protecting Your Microsoft 365 Environment
Token theft is a rising threat, but these security policies can significantly reduce the risk of unauthorised access. Remember, no single solution is flawless—layering your defences is essential.
If you would like to know more about how FUJIFILM MicroChannel can assist in securing your Microsoft 365 environment, please reach out to us.