How to Guard Against Token Theft for Microsoft 365

Session hijacking occurs when an attacker steals a valid session token—essentially, the key to a user’s active login session. In the case of Microsoft Teams, once a user logs in, their session token remains active and allows them to continue their work without repeatedly entering their password. While convenient, this token persistence also introduces a risk: if an attacker can obtain the session token, they can potentially access Teams and act as the legitimate user.

Cookie File-Based Theft vs. Session Adversary-In-The-Middle (AITM) Theft

Cookie file-based theft and session Adversary-in-the-Middle (AITM) theft are both methods attackers use to hijack user sessions, but they differ in how they operate and the scenarios they target.

Cookie File-Based Theft involves stealing cookie files stored on a user’s machine. Cookies are used by web browsers to maintain user sessions with web applications. If an attacker gains local access to a device, they can copy these cookie files and use them to impersonate the user in the web application. This method is particularly effective when cookies are stored without adequate encryption or protection. Phish resistant MFA methods do not protect against this type of attack.

Session Attack-in-the-Middle (AITM) Theft, on the other hand, involves intercepting session tokens during transmission. In an AITM attack, an attacker positions themselves between the user and the server, capturing session tokens as they are exchanged. This often requires sophisticated tools and techniques to intercept traffic, such as using malicious proxies or exploiting weaknesses in network security. Once the session token is intercepted, the attacker can use it to hijack the user’s active session.

While both techniques enable attackers to impersonate legitimate users, cookie file-based theft typically requires direct access to the user’s device, whereas session AITM theft involves intercepting data during transmission between the user and the service with products like EvilGinx or Mamba 2FA.

Stealing a session token file in Microsoft Teams can be surprisingly easy under the right circumstances, especially when proper endpoint security controls are not in place. Session tokens are stored locally on a user’s machine, typically within application directories that hold authentication data. In the case of Microsoft Teams, these tokens are found in files within user-accessible directories, which means they can be accessed by anyone with local access to the system.

If an attacker gains local access to a user’s device—either through physical means or by exploiting a weakness that allows them to run malicious software—they can simply navigate to the appropriate directory and copy the session token file. These directories are usually unprotected by default, making them vulnerable if the system doesn’t have adequate security configurations.

For instance, on a Windows machine, session tokens for Teams are typically stored in files located in the user’s “%AppData% \\ Microsoft \\ Teams” directory. Attackers can utilize a simple script or commands to extract these files, which, once obtained, can be transferred to another device. On their own system, the attacker can use these tokens to impersonate the legitimate user without needing credentials or going through multi-factor authentication.

Because these session tokens remain valid until the user’s session expires or the token is explicitly invalidated, they offer a straightforward way for attackers to gain persistent access to Microsoft Teams accounts. What’s more alarming is that common security practices, such as changing the account password, may not invalidate the token right away, allowing attackers to maintain access even after the victim attempts to regain control.

Update: The new Teams client no longer stores tokens in the “%AppData% \\ Microsoft \\ Teams” directory, effectively addressing a key vulnerability. However, tokens can still be extracted from other applications, such as web browsers, if an attacker gains access to the device.

Why Traditional Security Measures Aren’t Enough

Organizations often rely on Multi-Factor Authentication (MFA) as a primary defense, which adds a layer of security by requiring a second verification factor. However, while MFA is critical, it doesn’t protect against session hijacking since MFA is only checked during the initial login. Once the session token is issued, it bypasses MFA checks. Stolen session tokens from devices, can be used to bypass phish-resistant MFA methods such as YubiKeys, making token hijacking a serious threat even for organizations that have implemented strong authentication practices.

Mitigating Session Hijacking Risks in Microsoft 365

To effectively reduce the risk of session hijacking in Microsoft 365, organizations need a multi-layered approach focused on both identity security and endpoint protection:

1. Endpoint Security and Monitoring: Microsoft Intune is central to maintaining device security in a Zero Trust framework. Intune ensures that all devices meet organizational compliance requirements and are regularly patched, minimizing vulnerabilities that could be exploited by attackers. Organizations can enforce strict security policies, such as ensuring devices are encrypted, compliant, and up-to-date. Endpoint security is further strengthened by managing device health. By continuously monitoring and applying security policies, Intune provides comprehensive device protection, helping to safeguard session tokens and other sensitive data.
2. Conditional Access Policies: Using Conditional Access policies in Microsoft 365 can add security by requiring users to meet specific criteria, such as device compliance or IP restrictions, to access Teams. These policies can also help restrict access based on risk levels, ensuring that even if an attacker obtains a session token, their access may be limited.
3. Continuous Session Monitoring: Solutions like Microsoft Cloud App Security or Microsoft Sentinel enable organizations to monitor session behavior in real-time. This allows for the detection of unusual activities, such as logins from unfamiliar locations, which could indicate token misuse. Setting up automated alerts and response actions based on this data can help security teams act quickly if they suspect a session has been compromised.
4. Zero Trust Implementation with Entra and Intune: Microsoft Entra and Intune are instrumental in implementing a Zero Trust security model, emphasizing the need to verify every access request, regardless of origin. Entra ensures continuous verification of user identities, while Intune enforces device compliance. This combination prevents unauthorized access from compromised tokens. Regular re-authentication and session controls further enhance protection, ensuring that users and devices must always meet security standards.

Staying Ahead of the Threat

Securing Microsoft 365 against session hijacking requires a proactive approach to endpoint and identity security. By layering access controls, session monitoring, and advanced threat protection, organizations can build a resilient defense against unauthorized access and protect their data in the cloud. With collaboration tools like Teams playing a central role in modern work environments, taking these measures is essential to staying ahead of emerging threats and ensuring the security of sensitive communications and data.

To learn more about protecting your Microsoft 365 environment and implementing effective security measures, check out our in-depth guide on essential security practices: Microsoft 365 Security Necessities. This guide provides valuable insights and recommendations tailored to help organizations enhance their defenses, secure collaboration tools like Microsoft Teams, and stay one step ahead of emerging threats.