Even with multifactor authentication (MFA), hackers can still gain access to your Microsoft 365 account through unmanaged devices. Once inside your system, these bad actors are difficult to detect, buying them time to exfiltrate data, escalate privileges, and move laterally to other systems.
Compromised account breaches are an expense and distraction from daily functions that few businesses can afford. According to IBM, the average global cost of a breach is $4.4 million, which includes both the cost of containment and the disruption of operations.
That’s why strengthening MFA with device compliance policies is critical. Microsoft tools like Microsoft Entra ID Protection, conditional access, and Intune can help businesses identify risky sign-ins, restrict access from unmanaged devices, and stop attackers before they exploit stolen credentials.
Risks of Personal Devices
Using a personal device to access corporate resources is a cybersecurity risk for both users and IT systems. Personal devices often have weaker security controls than devices managed by your business, leaving them more susceptible to attack, and security teams have no visibility into those devices to identify when they have been infected. Unmanaged devices are often targeted by adversaries because they open the door to one of today’s most effective MFA bypass methods: cloud token theft.
What is Cloud Token Theft?
Token theft is a sophisticated attack technique in which adversaries capture and reuse authentication tokens issued by cloud identity platforms—such as those used by Microsoft 365—to impersonate a legitimate user and gain unauthorized access to services and data. The two most common cloud token theft methods are adversary-in-the-middle (AitM) and “pass-the-cookie” phishing attacks.
Adversary-in-the-Middle Phishing Attack
In an AitM scenario, an attacker sends a user a convincing phishing email with a link to a fake, malicious website that looks identical to a legitimate service (e.g. Microsoft 365). Once the user clicks the link, they land on an attacker-controlled reverse proxy site where they are prompted to enter their login credentials, which the attacker harvests.
On its own, that wouldn’t be enough to defeat MFA, but the AitM reverse proxy passes the sign-in, including the MFA step, through to the real service, which issues a genuine session token that the attacker can now capture. The attacker then replays that session token, bypassing the MFA check and gaining access to the user’s account.
If a token with Global Administrator privilege is stolen, the attacker can try to take over your Entra ID tenant, removing you entirely from administrative control and completely compromising your tenant.
Pass-the-Cookie Attack
A “pass-the-cookie” attack happens when an attacker leverages stolen browser cookies to bypass authentication controls. Modern web apps use browser cookies to maintain an authenticated session, allowing users to remain signed in without having to repeatedly enter credentials.
If a device is compromised, attackers can extract these cookies and replay them to effectively bypass security checkpoints. Because these cookies contain session tokens or other authentication artifacts, attackers can impersonate the user without ever knowing the username and password.
Both personal accounts and corporate credentials can be at risk from this type of attack. An attack on one could lead to an attack on the other.
Protecting against MFA Compromise Attacks
Full visibility into where and how users authenticate is a strong deterrent to token theft. Allowing only devices that are known to the organization to access critical SaaS applications like SharePoint or Exchange Online also helps reduce risk.
For devices that can’t be fully managed, like a personal cell phone or tablet, use conditional access policies, Microsoft Intune, or other controls to:
- Reduce session lifetime – Limit how long authentication tokens remain valid, shrinking the window in which stolen session data can be exploited.
- Disable persistent browser sessions – Prevent long-lived authentication tokens from being stored in the browser.
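As an added example (not code from the original post), the two session controls above can be expressed as a Microsoft Graph Conditional Access policy, scoped with a device filter so they apply only to devices that are neither compliant nor hybrid-joined, and created with Python; the pilot group ID and access token are placeholders, and the policy starts in report-only mode so its effect can be checked in the sign-in logs before enforcing.

```python
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

def unmanaged_device_session_policy(target_group_id: str, report_only: bool = True) -> dict:
    """Conditional Access policy body (Graph conditionalAccessPolicy schema) that
    shortens sessions only where the device is neither compliant nor hybrid-joined:
    re-authenticate every hour and never keep a persistent browser session."""
    return {
        "displayName": "Unmanaged devices: 1h sign-in frequency, no persistent session",
        # Report-only first: review the impact in the sign-in log before enforcing.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": [target_group_id]},   # pilot group, then widen
            "applications": {"includeApplications": ["Office365"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
            # Device filter in EXCLUDE mode: managed devices drop out of scope,
            # so the session limits bite only on unmanaged (personal) devices.
            "devices": {
                "deviceFilter": {
                    "mode": "exclude",
                    "rule": 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"',
                }
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {
            # "Reduce session lifetime": force a fresh sign-in every hour.
            "signInFrequency": {"isEnabled": True, "type": "hours", "value": 1},
            # "Disable persistent browser sessions": no long-lived browser tokens.
            "persistentBrowser": {"isEnabled": True, "mode": "never"},
        },
    }

def create_policy(policy: dict, access_token: str) -> dict:
    """POST the policy to Graph. The token must carry the
    Policy.ReadWrite.ConditionalAccess permission (obtained out of band)."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Placeholders: substitute a real group object ID and a Graph access token.
    body = unmanaged_device_session_policy("<PILOT-GROUP-OBJECT-ID>")
    print(json.dumps(body, indent=2))
    # create_policy(body, "<GRAPH-ACCESS-TOKEN>")
```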
The best time to stop a phishing attack is before it starts. Block initial access through tactics such as:
- Phishing-resistant MFA solutions – Consider FIDO2 security keys, Windows Hello for Business or certificate-based authentication. This may not be practical for all users, but users with significant privileges, such as Global Administrators or high-risk application users, should be included.
- Segregate high-privilege users to a cloud-only identity for all administrative activities – Keeping administrative identities out of on-premises scope reduces your attack surface, so an on-premises domain compromise and abuse of privilege cannot be carried over into the cloud. It’s recommended to create two separate accounts for admins—one for administrative tasks and one for daily use. This helps reduce risk, limit attack surface, enforce stronger security controls, and meet compliance requirements.
Which Users Hold the Most Risk?
Determining which users and applications present the highest security risk is essential when broad enforcement of location-based access, device compliance requirements, or session-lifetime restrictions is not feasible for your organization. In such cases, you should focus instead on deploying these controls to the most sensitive users and applications that pose the greatest risk to your organization, such as:
- Highly privileged users such as: Authentication Administrators, Billing Administrators, Global Administrators and Service Administrators
- Finance or treasury type applications
- Human capital management (HCM) applications
- Control and management plane access to cloud app administrative portals, such as Microsoft 365 Defender, Azure and Office 365
- Office 365 services, such as Exchange Online, SharePoint, Teams and other productivity-based cloud apps
- VPN or remote access portals which provide external access to your organization’s resources
How to Detect Token Theft
Although it’s difficult to distinguish a legitimately issued token from a replayed one, an attacker’s sign-in can still surface as unusual activity and trigger impossible-travel alerts. Both Entra ID Protection and Microsoft Defender for Cloud Apps can alert you to these events, helping to ensure genuine token theft incidents aren’t overlooked.
Focus on high-severity alerts and on users who rapidly trigger multiple alerts. You should also use detection rules mapped to the MITRE ATT&CK framework, which help detect a compromise scenario by correlating signs of a breach, such as a risky sign-in followed by the creation of a new mailbox rule.
Responding to and Investigating MFA Token Compromise
Once you confirm that a user has been compromised and their token has been stolen, you need to take steps to evict the threat from your network. Entra ID lets you revoke a user’s refresh tokens so they are no longer valid; once the associated access token expires, the user is prompted to re-authenticate.
Note that revoking the refresh token as described above doesn’t immediately invalidate the access token. It can remain valid for up to an hour, leaving the attacker with access to the compromised user’s account until it expires.
Entra ID supports continuous access evaluation for Teams, SharePoint and Exchange Online which allows access tokens to be revoked in almost real time after a “critical event.” This can help reduce the one-hour delay, cutting access for the attacker as quickly as possible.
You should also check the compromised user’s account for signs of the attacker’s continued presence in your systems, such as:
- Mailbox rules – An attacker might create mailbox rules to forward or hide emails, such as automatically moving messages with the keyword 'invoices' to an obscure folder or forwarding them externally.
- Mailbox forwarding – An attacker can silently receive a copy of every email a user receives, getting access to potentially private or secure information.
- Multifactor authentication modification – There have been instances of hackers registering additional authentication methods for MFA on compromised accounts, like adding a new phone number or authentication app.
- Device enrollment – A cybercriminal may try to add a device to the Entra ID (formerly Azure AD) tenant after gaining control in order to evade conditional access rules.
- Unauthorized data sharing – Using the built-in sharing functionality of SharePoint and OneDrive, an attacker may attempt to share important or sensitive documents and resources externally.
Incident responders should regularly review user activity audit logs to check for signs of an attacker’s persistent presence. You can also configure alerts to notify you of high-risk modifications to a tenant, alerting you to the presence of an unauthorized user. These may include the creation or modification of:
- security configurations
- Exchange transport rules
- privileged users or roles
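The detection idea above (a risky sign-in followed by a mailbox rule, forwarding change, new MFA method or device registration by the same user) as an added example that is not part of the original post: the audit records are constructed and flattened into a simple dict shape rather than the real sign-in or unified audit log export format, and the ATT&CK technique mapping is this example's own assumption.

```python
from datetime import datetime, timedelta

# Post-compromise operations to correlate with a risky sign-in (ATT&CK mapping is
# this example's own assumption; operation names follow the unified audit log).
PERSISTENCE_OPS = {
    "New-InboxRule": "T1564.008 Email Hiding Rules / T1114.003 Email Forwarding Rule",
    "Set-Mailbox": "T1114.003 Email Forwarding Rule (ForwardingSmtpAddress)",
    "User registered security info": "T1098 Account Manipulation (new MFA method)",
    "Add registered owner to device": "T1098.005 Device Registration",
}

def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def correlate(events: list, window_hours: int = 24) -> list:
    """One alert per medium/high-risk sign-in followed, by the same user within
    the window, by any operation listed in PERSISTENCE_OPS."""
    events = sorted(events, key=lambda e: parse_ts(e["time"]))
    alerts = []
    for i, e in enumerate(events):
        if e["op"] != "UserLoggedIn" or e.get("risk") not in ("medium", "high"):
            continue
        deadline = parse_ts(e["time"]) + timedelta(hours=window_hours)
        actions = [(f["op"], PERSISTENCE_OPS[f["op"]], f["time"])
                   for f in events[i + 1:]
                   if f["user"] == e["user"] and f["op"] in PERSISTENCE_OPS
                   and parse_ts(f["time"]) <= deadline]
        if actions:
            alerts.append({"user": e["user"], "signin_time": e["time"],
                           "ip": e.get("ip"), "risk": e["risk"], "actions": actions})
    return alerts

# Constructed sample records (flattened; not a real log export).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00Z", "user": "alice@example.com", "op": "UserLoggedIn",
     "risk": "high", "ip": "203.0.113.10"},
    {"time": "2024-05-01T08:12:00Z", "user": "alice@example.com", "op": "New-InboxRule",
     "detail": "SubjectContainsWords=invoice MoveToFolder='RSS Subscriptions'"},
    {"time": "2024-05-01T08:15:00Z", "user": "alice@example.com", "op": "Set-Mailbox",
     "detail": "ForwardingSmtpAddress=smtp:copy@external.example"},
    {"time": "2024-05-01T09:00:00Z", "user": "bob@example.com", "op": "UserLoggedIn",
     "risk": "none", "ip": "198.51.100.7"},
    {"time": "2024-05-01T09:05:00Z", "user": "bob@example.com", "op": "New-InboxRule",
     "detail": "benign: no risky sign-in precedes it"},
    {"time": "2024-05-02T14:00:00Z", "user": "alice@example.com",
     "op": "User registered security info", "detail": "outside the 24h window"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["user"], a["risk"], a["signin_time"], [op for op, _, _ in a["actions"]])
```

Bob's inbox rule produces no alert because no risky sign-in precedes it, and Alice's later MFA registration falls outside the default 24-hour window unless the window is widened.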
Multifactor authentication keeps users and organizations secure from many types of malicious threats, but unmanaged devices can create openings that let attackers slip past that protection. Strengthening device compliance through conditional access policies adds a critical layer of defense.
A managed detection and response cybersecurity strategy complements those controls with continuous monitoring, advanced threat detection and rapid incident response, helping minimize both the impact and the duration of an attack.
At Anders, our Technology Device Management Advisors track emerging cyberattack tactics and work with our customers to implement security strategies that safeguard their businesses. To learn how Anders can help strengthen your security posture and protect against MFA compromise, request a consultation below.