Safeguard Your Microsoft 365 Tokens From Sneaky Thieves!
Apr 21, 2025
Token Theft: The New Cybersecurity Threat You Need to Know About
Before you start telling me that I need to spend more money on security - don’t bother. We already use strong passwords, and all our accounts have MFA enabled. That should be enough, right? Wrong.
What is your business doing to protect itself against token theft?
What is Token Theft?
Most businesses are using MFA to secure their Microsoft 365 accounts - but cybercriminals are catching up. They’ve found a way to bypass MFA altogether through a method called token theft. In 2023 alone, token theft attacks increased by 111%, making it one of the fastest-growing cybersecurity threats today.
So, what exactly is token theft? Let’s break it down with an analogy.
Think back to your childhood when the fairground rolled into town. You’d queue for what felt like hours to buy a ticket. Once you had it, you’d show it to the security guard and gain access to the fairground, where you could ride the waltzers, the rollercoaster, or try your luck at hook-a-duck.
Logging into Microsoft 365 works the same way. Microsoft 365 is the fairground, the different rides are your apps like Outlook, Teams, SharePoint, and OneDrive, and your login process - username, password, and MFA - is the ticket.
But what if, after you bought your ticket, a pickpocket swiped it, made a copy, and slipped it back into your pocket? They’d now have the same access as you - able to ride all the rides without buying their own ticket.
This is exactly how token theft works. When you log into Microsoft 365, a token is created and stored on your device. Cybercriminals are now using malware to steal and copy these tokens, allowing them to log in to your apps and data - without needing your password or MFA. In short, they’re hijacking your access pass.
Think about it - hackers are playing hook-a-duck in your Outlook, riding the teacups in your SharePoint, and taking a spin on the Ferris wheel in your OneDrive. And you probably won’t even know it’s happening.
How Do Hackers Steal Tokens?
There are several ways hackers can steal tokens, but the most common is through phishing emails. These emails contain malicious links that, when clicked, install malware on your device. This malware then extracts your authentication token and sends it straight to the hacker.
Unlike traditional phishing attacks, you won’t receive any suspicious login requests or notifications because the hacker isn’t stealing your credentials - they’re stealing your access.
How Can You Protect Your Business Against Token Theft?
So, what can you do to protect your business? If you’re using Microsoft 365 Business Premium, you already have access to some powerful tools that can help prevent token theft. Here’s what you need to implement today:
Good Cyber Hygiene
First and foremost, strong cybersecurity practices are your best line of defence. This means:
- Using endpoint security solutions like Defender for Business to protect all your devices.
- Protecting your email with Defender for Office 365 to block phishing attempts before they reach your inbox.
- Ensuring none of your users have full admin rights to their computers - they should all be using standard accounts.
Use Compliant Devices Only
One of the best ways to prevent token theft is to ensure that only company-owned and managed devices can access Microsoft 365. You can do this by setting up Conditional Access policies in Microsoft Entra (formerly Azure AD). Here’s how:
- Log into the Microsoft 365 Admin Centre as a global admin.
- Go to Admin Centres > Identity > Protection > Conditional Access.
- Create a new policy and name it something like Ensure Device Compliance.
- Apply it to all users (excluding emergency access accounts).
- Apply it to all cloud apps.
- Under Grant controls, require the device to be marked as compliant in Intune.
- Save and enable the policy.
Now, only devices that are registered and compliant in Intune can access your Microsoft 365 data - keeping unauthorised devices out, even if they present a stolen token.
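The same Ensure Device Compliance policy, built with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original post. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the two emergency access object IDs are placeholders you replace with your own break-glass accounts.

```powershell
# Added example (not from the original post): the "Ensure Device Compliance" Conditional Access
# policy created through Microsoft Graph PowerShell. Requires the Microsoft.Graph.Identity.SignIns
# module; the emergency access account object IDs below are PLACEHOLDERS for your own break-glass accounts.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$emergencyAccessAccounts = @(
    '00000000-0000-0000-0000-000000000001',   # placeholder: break-glass account 1
    '00000000-0000-0000-0000-000000000002'    # placeholder: break-glass account 2
)

$policy = @{
    displayName = 'Ensure Device Compliance'
    # Start in report-only mode: the sign-in logs then show who WOULD have been blocked.
    # Switch to 'enabled' once the report-only results match what you expect.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers = @('All')                 # all users ...
            excludeUsers = $emergencyAccessAccounts # ... except the emergency access accounts
        }
        applications   = @{ includeApplications = @('All') }   # all cloud apps
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')   # grant only from devices Intune marks compliant
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```

Review the report-only results in the Entra sign-in logs for a few days before flipping the state to enabled, so a device that has not yet enrolled in Intune does not lock out its user.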
Restrict Access by Location
By default, Microsoft 365 allows logins from anywhere in the world - which is a problem when it comes to token theft. If a hacker steals your token, they can use it from any location.
A great way to combat this is by implementing location-based access policies:
- Define approved locations by setting up named locations in Microsoft Entra.
- Restrict access so that only approved locations (such as your office IP addresses or specific countries) can access your Microsoft 365 data.
- Enable Continuous Access Evaluation, which ensures that if a token is used from an unapproved location, access is revoked in near real time rather than when the token next expires.
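The location restriction above, built with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post: two named locations are defined (an office IP range and an approved country), then a policy blocks every sign-in that matches neither. The IP range (203.0.113.0/24 is a documentation range), the country code and the break-glass account ID are placeholders.

```powershell
# Added example (not from the original post): named locations plus a location-based
# Conditional Access policy via Microsoft Graph PowerShell. The IP range, country code and
# break-glass account object ID are PLACEHOLDERS to replace with your own values.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Office egress range, marked trusted so other policies can also key off 'AllTrusted'
$officeIp = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Head office egress'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' })
}

# Countries staff legitimately work from; sign-ins whose country cannot be resolved are NOT approved
$approvedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Approved countries'
    countriesAndRegions               = @('GB')
    includeUnknownCountriesAndRegions = $false
}

$policy = @{
    displayName = 'Block access outside approved locations'
    state       = 'enabledForReportingButNotEnforced'   # report-only first, then 'enabled'
    conditions  = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @('00000000-0000-0000-0000-000000000001')   # placeholder: break-glass account
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{
            includeLocations = @('All')                                # every location ...
            excludeLocations = @($officeIp.Id, $approvedCountries.Id)  # ... except the approved ones
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, Id, State
```

Named locations are matched on the public IP Entra sees for the sign-in, so check the report-only results for staff on VPNs or mobile networks before enforcing.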
Monitor and Respond to Suspicious Activity
Finally, you should be actively monitoring for signs of token theft. Use Microsoft 365 Defender to:
- Detect unusual sign-in locations.
- Flag suspicious activity related to token usage.
- Automatically revoke compromised tokens.
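An added example, not part of the original post, that triages a batch of Entra sign-in records for the three signals listed above (unusual location, non-compliant device, and the impossible-travel pattern the post describes under Risk-Based Conditional Access). The records are constructed sample data in the shape of the Microsoft Graph signIn resource, and the approved-country list and travel window are assumptions.

```powershell
# Added example (not from the original post): flag token-theft signals in Entra sign-in records.
# The records below are CONSTRUCTED sample data shaped like the Microsoft Graph signIn resource;
# in production, feed in the output of Get-MgAuditLogSignIn (Microsoft.Graph.Reports) instead.
$signIns = @'
[
 {"userPrincipalName":"alice@contoso.example","createdDateTime":"2025-04-21T08:02:00Z","ipAddress":"203.0.113.10",
  "location":{"countryOrRegion":"GB"},"deviceDetail":{"isCompliant":true},"status":{"errorCode":0}},
 {"userPrincipalName":"alice@contoso.example","createdDateTime":"2025-04-21T08:20:00Z","ipAddress":"198.51.100.7",
  "location":{"countryOrRegion":"US"},"deviceDetail":{"isCompliant":false},"status":{"errorCode":0}},
 {"userPrincipalName":"bob@contoso.example","createdDateTime":"2025-04-21T09:00:00Z","ipAddress":"192.0.2.44",
  "location":{"countryOrRegion":"FR"},"deviceDetail":{"isCompliant":true},"status":{"errorCode":50126}}
]
'@ | ConvertFrom-Json

function Get-TokenTheftSignals {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [string[]]$ApprovedCountries = @('GB'),   # assumption: staff only sign in from the UK
        [int]$TravelWindowMinutes = 60            # assumption: two countries inside an hour is suspect
    )
    $findings = New-Object System.Collections.Generic.List[string]
    # Only successful sign-ins matter: a failed attempt (errorCode != 0) never obtained a session
    $ok = @($Records | Where-Object { $_.status.errorCode -eq 0 })
    foreach ($r in $ok) {
        if ($r.location.countryOrRegion -notin $ApprovedCountries) {
            $findings.Add("[Unapproved location] $($r.userPrincipalName) from $($r.location.countryOrRegion) ($($r.ipAddress)) at $($r.createdDateTime)")
        }
        if (-not $r.deviceDetail.isCompliant) {
            $findings.Add("[Non-compliant device] $($r.userPrincipalName) at $($r.createdDateTime)")
        }
    }
    # Impossible travel: the same account signing in from two countries closer together in time than travel allows
    foreach ($g in ($ok | Group-Object userPrincipalName)) {
        $ordered = @($g.Group | Sort-Object { [datetimeoffset]$_.createdDateTime })
        for ($i = 1; $i -lt $ordered.Count; $i++) {
            $prev = $ordered[$i - 1]; $cur = $ordered[$i]
            $gap = ([datetimeoffset]$cur.createdDateTime - [datetimeoffset]$prev.createdDateTime).TotalMinutes
            if ($prev.location.countryOrRegion -ne $cur.location.countryOrRegion -and $gap -le $TravelWindowMinutes) {
                $findings.Add("[Impossible travel] $($g.Name): $($prev.location.countryOrRegion) -> $($cur.location.countryOrRegion) in $([int]$gap) min")
            }
        }
    }
    return $findings
}

Get-TokenTheftSignals -Records $signIns
```

With the sample data, alice's second sign-in produces all three findings while bob's failed attempt is ignored; any finding is a cue to revoke that user's sessions and re-check the device rather than to wait for a password-related alert that token theft never triggers.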
Additional Security Options with Microsoft 365 Business Premium
I mentioned earlier in the video that there are more options available, but they require an additional license. Microsoft 365 Business Premium comes with Entra ID P1, but if you upgrade to Entra ID P2, you get additional features to combat token theft.
- Entra ID P2: Costs £6.90 per user per month and includes advanced security features.
- Entra ID Suite: Costs £9.60 per user per month and includes even more security enhancements.
One powerful feature available with Entra ID P2 is Token Protection Conditional Access. This feature ensures that a stolen token cannot be used on another device. When you log into Microsoft 365, the authentication token is tied to your device, preventing attackers from using it elsewhere.
Additionally, Risk-Based Conditional Access monitors login behaviours and flags suspicious activities, such as impossible travel scenarios (e.g., logging in from London and New York within minutes). If a high-risk login is detected, Microsoft will require additional authentication steps, further securing your accounts.
Final Thoughts
Token theft is a growing cybersecurity threat that bypasses traditional security measures like MFA. But by implementing good cyber hygiene, enforcing compliant device access, restricting logins to approved locations, and monitoring for suspicious activity, you can significantly reduce the risk to your business.
Cybercriminals may be getting smarter, but with the right protections in place, they won’t be riding the Ferris wheel in your OneDrive anytime soon.
For more cybersecurity tips and Microsoft 365 insights, visit The Bearded 365 Guy.