Microsoft’s Detection and Response Team (DART) recently warned that attackers are increasingly using token theft to circumvent multi-factor authentication (MFA).
“By compromising and replaying a token issued to an identity that has already completed multi-factor authentication, the threat actor satisfies MFA validation and access is granted to organizational resources accordingly,” the team wrote in a blog post.
This is of particular concern, they noted, because the technique requires little expertise, is difficult to detect, and is monitored by few organizations.
AitM and Pass-the-Cookie attacks
The two main methods of token theft observed by DART are Adversary-in-the-middle (AitM) frameworks and pass-the-cookie attacks.
In the case of AitM, the team warned: “Frameworks like Evilginx2 go well beyond credential phishing, inserting a malicious infrastructure between the user and the legitimate application that the user is trying to access. When the user is phished, the malicious infrastructure captures both the user’s credentials and the token.”
Depending on the privileges of the victim, the result can range from business email compromise (BEC) to full administrative control.
Pass-the-cookie attacks involve the compromise of browser cookies to access corporate resources. “After authenticating to Azure AD through a browser, a cookie is created and stored for that session,” the team noted. “If an attacker can compromise a device and extract cookies from the browser, they can deliver that cookie to a separate web browser on another system, bypassing security checkpoints along the way.”
This is a particular concern for personal devices. As more employees work remotely, DART warned, employees are increasingly accessing company resources from devices that lack strong security controls.
“Users of these devices can be logged into both personal websites and corporate applications, allowing attackers to compromise tokens belonging to both,” they wrote.
Commodity malware families such as Emotet, Redline, and IcedID have built-in functionality to exfiltrate browser cookies. Additionally, DART noted, “the attacker does not need to know the compromised account’s password or email address for this to work – those details are stored in the cookie.”
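From the identity provider's side, a replayed cookie or token looks like one session being used from more than one place. The following is an added example, not code from the DART post or from Microsoft: a PowerShell heuristic that groups sign-in records by session identifier and flags any session seen from multiple IP addresses or user agents. The records are constructed sample data; the property names mirror the Microsoft Graph signIn resource (sessionId, ipAddress, userAgent, createdDateTime), the `mfaDetail` field is a flattened stand-in for the nested authenticationDetails array, and every value is invented.

```powershell
# Added example, not code from the DART post: a replay heuristic for Azure AD
# sign-in records. A cookie or token lifted from one browser and replayed from
# another shows up as one session identifier used from more than one IP address
# or user agent. Property names mirror the Graph signIn resource; 'mfaDetail'
# is a simplified stand-in for authenticationDetails[].authenticationStepResultDetail.

function Find-ReplayedSessions {
    param(
        [Parameter(Mandatory)][object[]]$SignIns
    )
    foreach ($group in ($SignIns | Group-Object -Property sessionId)) {
        $ips    = @($group.Group | Select-Object -ExpandProperty ipAddress | Sort-Object -Unique)
        $agents = @($group.Group | Select-Object -ExpandProperty userAgent | Sort-Object -Unique)
        # One address and one browser for the whole session: nothing to report.
        if ($ips.Count -le 1 -and $agents.Count -le 1) { continue }

        $ordered = $group.Group | Sort-Object createdDateTime
        # How quickly the session hopped: a token replayed from attacker
        # infrastructure typically appears within minutes of the victim's own use.
        $span = $ordered[-1].createdDateTime - $ordered[0].createdDateTime
        [pscustomobject]@{
            User            = $ordered[0].userPrincipalName
            SessionId       = $group.Name
            IpAddresses     = $ips -join ', '
            UserAgents      = $agents -join ' | '
            SpanMinutes     = [math]::Round($span.TotalMinutes, 1)
            # 'MFA requirement satisfied by claim in the token' is how Azure AD
            # describes a sign-in that reused an earlier MFA result instead of
            # challenging the user again; replayed tokens ride on that.
            MfaByTokenClaim = [bool]($ordered | Where-Object {
                $_.mfaDetail -like 'MFA requirement satisfied by claim*' })
        }
    }
}

# Constructed sample: alice signs in from her laptop, then the same session
# appears from a different address and browser 12 minutes later; bob's session
# is only ever seen from one place and should not be flagged.
$sample = @(
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.example'; sessionId = 's-1001'
        ipAddress = '203.0.113.10'; userAgent = 'Mozilla/5.0 (Windows NT 10.0) Edge/118'
        createdDateTime = [datetime]'2023-11-01T08:02:00Z'
        mfaDetail = 'MFA completed in Azure AD' }
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.example'; sessionId = 's-1001'
        ipAddress = '198.51.100.77'; userAgent = 'Mozilla/5.0 (X11; Linux x86_64) Firefox/119'
        createdDateTime = [datetime]'2023-11-01T08:14:00Z'
        mfaDetail = 'MFA requirement satisfied by claim in the token' }
    [pscustomobject]@{ userPrincipalName = 'bob@contoso.example'; sessionId = 's-2002'
        ipAddress = '203.0.113.44'; userAgent = 'Mozilla/5.0 (Windows NT 10.0) Edge/118'
        createdDateTime = [datetime]'2023-11-01T08:05:00Z'
        mfaDetail = 'MFA completed in Azure AD' }
    [pscustomobject]@{ userPrincipalName = 'bob@contoso.example'; sessionId = 's-2002'
        ipAddress = '203.0.113.44'; userAgent = 'Mozilla/5.0 (Windows NT 10.0) Edge/118'
        createdDateTime = [datetime]'2023-11-01T09:40:00Z'
        mfaDetail = 'MFA requirement satisfied by claim in the token' }
)

Find-ReplayedSessions -SignIns $sample | Format-List
```

On the sample above only alice's session s-1001 is reported, with two addresses, two user agents, a 12-minute span and MfaByTokenClaim set. Against real data the IP test needs tuning, since mobile users legitimately change addresses within a session; comparing the ASN or country of the addresses, or requiring both the address and the user agent to differ, cuts that noise. Pulling the real records with `Get-MgAuditLogSignIn` requires the AuditLog.Read.All permission and, for sessionId and authenticationDetails, the beta profile of the Graph SDK.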
How to Respond to Token Theft
Key mitigations, according to DART, include maintaining full visibility into how and where all users authenticate.
“Allowing only known devices that meet Microsoft’s recommended security baselines helps mitigate the risk that basic credential-stealing malware can compromise end-user devices,” they wrote.
For unmanaged devices, DART recommends reducing the lifetime of each session to shorten the amount of time a given token is viable, and implementing Conditional Access Application Control in Microsoft Defender for Cloud Apps.
For highly privileged users, DART also advises implementing phishing-resistant MFA solutions such as FIDO2 security keys, Windows Hello for Business, or certificate-based authentication. DART further recommends that these users have a separate cloud-only identity for administrative activity.
If a user is compromised, DART noted, Azure AD provides the ability to revoke the user’s refresh tokens, forcing re-authentication. Access tokens that have already been issued are not invalidated by this, however, and remain valid until they expire (up to an hour by default), so the attacker retains access to the account for that window.
DART also recommends checking any compromised user account for signs of persistence, such as added mailbox rules that forward or hide emails, additional authentication methods registered for MFA, newly enrolled devices, and data exfiltration.
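The containment and persistence checks described above, as an added example that is not part of the DART post or Microsoft’s tooling, combined into one PowerShell function built on the Microsoft Graph PowerShell SDK and the Exchange Online Management module. It assumes `Connect-MgGraph` (with the User.ReadWrite.All, UserAuthenticationMethod.Read.All, Directory.Read.All and AuditLog.Read.All scopes) and `Connect-ExchangeOnline` have already been run; the function name, the 30-day look-back and the folder-name pattern used to spot “buried” mail are assumptions.

```powershell
# Added example, not code from the DART post: a containment and persistence
# review for one compromised user, using the Microsoft Graph PowerShell SDK and
# the Exchange Online Management module. Run Connect-MgGraph and
# Connect-ExchangeOnline first. The function name, the 30-day look-back and the
# folder pattern for hidden mail are assumptions made for this example.
function Invoke-TokenTheftResponse {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [datetime]$Since = (Get-Date).AddDays(-30)
    )

    # 1. Revoke refresh tokens so no new access tokens can be minted. Access
    #    tokens already in the attacker's hands keep working until they expire
    #    (up to an hour by default), so this starts containment, it does not end it.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    Write-Host "Refresh tokens revoked for $UserPrincipalName; existing access tokens expire within the hour."

    # 2. Inbox rules that forward, redirect, delete or bury mail (the usual BEC
    #    persistence), plus mailbox-level forwarding set outside any rule.
    Write-Host "`n== Suspicious inbox rules =="
    Get-InboxRule -Mailbox $UserPrincipalName | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
        $_.DeleteMessage -or ($_.MoveToFolder -match 'RSS|Archive|Junk|Deleted')
    } | Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder | Format-Table -AutoSize

    Write-Host "== Mailbox forwarding =="
    Get-Mailbox -Identity $UserPrincipalName |
        Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward | Format-List

    # 3. Registered authentication methods: an attacker-added phone number or
    #    authenticator app survives a password reset and satisfies MFA again.
    Write-Host "== Authentication methods =="
    Get-MgUserAuthenticationMethod -UserId $UserPrincipalName |
        Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } | Format-Table -AutoSize

    # 4. Devices registered since the cut-off date: a possible attacker enrolment
    #    intended to pass device-based Conditional Access.
    Write-Host "== Devices registered since $($Since.ToString('u')) =="
    Get-MgUserRegisteredDevice -UserId $UserPrincipalName -All |
        ForEach-Object { Get-MgDevice -DeviceId $_.Id } |
        Where-Object { $_.RegistrationDateTime -ge $Since } |
        Select-Object DisplayName, OperatingSystem, TrustType, RegistrationDateTime | Format-Table -AutoSize

    # 5. Sign-ins since the cut-off: look for unfamiliar addresses and clients.
    $sinceUtc = $Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter   = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $sinceUtc"
    Write-Host "== Sign-ins since $sinceUtc =="
    Get-MgAuditLogSignIn -Filter $filter -All |
        Select-Object CreatedDateTime, IPAddress, @{ n = 'City'; e = { $_.Location.City } },
                      ClientAppUsed, @{ n = 'Error'; e = { $_.Status.ErrorCode } } | Format-Table -AutoSize

    # 6. File downloads per day from the unified audit log, as a first look for
    #    bulk exfiltration from SharePoint and OneDrive.
    Write-Host "== File downloads per day =="
    Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) -UserIds $UserPrincipalName `
        -Operations FileDownloaded, FileSyncDownloadedFull -ResultSize 5000 |
        Group-Object { ([datetime]$_.CreationDate).ToString('yyyy-MM-dd') } |
        Select-Object Name, Count | Format-Table -AutoSize
}
```

Run it as `Invoke-TokenTheftResponse -UserPrincipalName 'user@contoso.example'` after both connections are established. The function deliberately does not reset the password or remove anything it finds; those are decisions for the responder once the listing is reviewed, and a password reset without revoking refresh tokens (step 1) still leaves the attacker’s session alive.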
“Having visibility, alerts, insights, and a complete understanding of where security controls are applied is critical,” the team wrote. “The treatment of identity providers that generate access tokens and their associated privileged identities as critical assets is strongly encouraged.”