Why Multi-Factor Authentication on its own won't protect you
Multi-Factor Authentication (MFA) has become a recognised standard for cyber security - and rightly so. If your username and password are compromised, MFA is there to protect you. But cybercriminals are evolving. One increasingly used attack is known as Session Token Theft.
Session Token Theft - What Is It?
In such an attack, a cybercriminal attempts to steal a session token to gain unauthorised access to an account. Unlike a username and password which may be static, MFA codes are continuously changing - but that’s exactly what attackers are trying to coerce from you. It’s the final piece of the puzzle they need.
How Does a Cybercriminal Do It?
- Cross-Site Scripting (XSS) - malicious code injected into a website steals the session token from the user’s browser and sends it to the attacker.
- Cross-Site Request Forgery (CSRF) - tricks a person into unknowingly sending a request to a site they’re already authenticated with.
- Session Hijacking - the token is intercepted during transmission via network sniffing, man-in-the-middle attacks, or exploiting vulnerabilities in communication channels.
A Typical Attack
A phishing email arrives โ user clicks a link โ lands on a fake login page โ enters username and password โ enters MFA code โ breach complete. The cybercriminal now has full access, can disable MFA, add their own authentication, and remain dormant for weeks gathering intelligence before mounting a more comprehensive attack.
What Can Protect You?
MFA in isolation is no longer fit for purpose. Every organisation should monitor Microsoft 365 for: high-threat IPs and locations, new logins from proxy services, forwarding to external domains, suspicious naming conventions, tenant permission modifications, and new users promoted to global admin.
The right cyber security provision should proactively cease access the moment a trigger occurs - isolating the compromised account, revoking the session, and disabling inbox rules during an active incident.