How to Detect and Respond to the Surge in Cloud-Based Token Theft

This year, there has been a spate of cloud-based token theft. These tokens are issued by identity and access management services such as Azure Active Directory (AD), and they contain sensitive information like usernames, source IP addresses, MFA, and corporate account permissions. These tokens are the backbone of how your employees access company resources - both in the office and at home. And they are growing increasingly vulnerable to two types of exploitative techniques: adversary-in-the-middle (AitM) and pass-the-cookie attacks.

Learn more about protecting your users from these attacks:


Why Are Tokens Such Valuable Targets?

Cloud tokens provide the proverbial keys to the corporate kingdom. Under normal circumstances, they allow your users to access a whole suite of company applications, confidential data, and PII such as customer information. Most companies recognize the importance of identity verification tools such as multi-factor authentication (MFA) and require a successful MFA submission before a token is successfully issued. In a perfect world, even if a malicious actor manages to scrape an employee’s credentials, MFA provides a second line of defense that prevents them from accessing the full cloud token. Unfortunately, these cloud tokens are increasingly vulnerable to attacks that bypass the MFA process. 

Common Attack Types

As mentioned above, there are two main avenues for token theft: adversary-in-the-middle (AitM) frameworks and pass-the-cookie attacks. The first, AitM attacks, occur when a bad actor attempts to harvest user credentials through a phishing email and malicious site. If the target engages with the phishing email and provides their credentials through the site, they may be prompted to respond to an MFA notification. Upon completing the MFA, the perpetrator would have access to both the original user credentials and identity token. Depending on the user permissions of the targeted individual, the attacker may choose to implement a secondary scheme such as a Business Email Compromise (BEC) to a full-fledged administrative takeover. These secondary attacks can cripple businesses by targeting their customers, shutting down operations, and leading to major industry fines.

AitM FlowchartAdversary-in-the-middle (AitM) attack flowchart

The second major category are pass-the-cookie attacks, which involve browser cookies that have been compromised by cybercriminals. Typically, a target will provide their credentials via a malicious site, after which a cookie is created and stored for that session. If a cybercriminal is able to compromise their personal or corporate account they can use that stored cookie to access the target’s token. This is an even greater concern for personal accounts, which tend to have fewer security measures than corporate ones. If your employees are working from home, a compromised browser means that both their personal and business cookies would be subject to exploitation.

These types of compromise were central in bringing down Equifax in the company’s 2017 data breach. The company suffered a massive breach that resulted in the leak of 150 million client accounts. Equifax failed to patch a known vulnerability in their website, and failed to implement HTTPS on their mobile application. Hackers were able to exploit these vulnerabilities to intercept Equifax users as they accessed their accounts.

How to Detect and Prevent Compromised Tokens

With this in mind, how exactly can you protect your company and data from falling into the wrong hands. We’ll explore three strategies: prevention, detection, and response. First, the most important thing you can do is focus on avoiding token theft through the following:

  1. Shorten the amount of time per user session. Many user sessions will time out after a certain number of hours, typically set by the IT administrator. After a session timeout, users have to sign in and go through the authentication process again. By shortening the average session length, and forcing re-authentication, you can help prevent malicious actors from accessing your users’ tokens.
  2. Reduce the amount of time a token is viable. You can set conditional access policies that shorten how long a token is valid, thereby making it harder for a successful theft to take place.
  3. Our final recommendation is to implement Conditional Access in Microsoft Defender for Cloud Apps. The conditional access portal allows your team to aggregate your company’s security tasks and ensure continuity across your Microsoft identities, data, devices, apps, and infrastructure.

If you suspect a token has been stolen, there are a few things your IT team can look for. First, if a token has been stolen, it will be replayed when the attacker attempts to use it to access your company data. When this replay happens, your system may flag an anomalous alert. Both Azure AD Identity Protection and Microsoft Defender for Cloud Apps can flag these events. If your security team is using a more comprehensive security framework, such as MITRE ATT&CK, the elements therein may help your team identify suspicious behavior. For example, MITRE ATT&CK can help your team identify standard indicators of compromise, map threat lifecycles, and pinpoint cyber kill chain concepts.

In the unfortunate event a user token is compromised, there are a few things your security team will want to address.

  1. If the suspicious device is unmanaged, you’ll want to immediately reduce the time user tokens are viable.
  2. Next, your team will want to implement additional phishing resistant tools such as FIDO2 security keys, certificate-based authentication, or Windows Hello for Business (which uses biometric information or pins to authenticate users).
  3. Lastly, you’ll want to revoke and refresh user tokens via Azure Active Directory, or another user management service.

User tokens play a vital role in your company’s daily operations, and it’s essential you keep them safe. If you’re using Azure Active Directory, or any other user management solutions, our cyber experts can help. Reach out to iCorps for more information about identity solutions today, and request a free IT consultation.


Contact for a Free Consultation