MFA alone is no longer enough

TL;DR: Security experts are warning that MFA alone is insufficient against sophisticated attacks. Phishing campaigns are increasingly targeting Microsoft 365 access tokens, allowing attackers to bypass MFA entirely. These attacks use specialized kits, highlighting a critical evolution in identity-based threats for organizations.
Key facts
- Category: Cybersecurity
- Impact: Critical
- Published
- Source: CSO Online
Full summary
Experts warn that phishing campaigns are stealing Microsoft 365 access tokens to bypass multifactor authentication, leaving the control far from foolproof.
Cybersecurity experts are issuing a significant warning about the limitations of multifactor authentication (MFA). An increasing number of sophisticated phishing campaigns are specifically designed to steal Microsoft 365 access tokens from legitimate users. By capturing these tokens, attackers can effectively bypass MFA protections and gain unauthorized access to corporate accounts and data. This technique is not entirely new, with reports of token-stealing phishing kits dating back to 2021. However, the recent emergence of new kits, such as one dubbed "EvilTokens" by researchers, indicates a growing trend and increased accessibility of these tools for malicious actors. The primary attack vector involves tricking users into an authentication flow on a malicious site, which then intercepts the session token granted after a successful MFA login.
This development is critical for any organization that relies on MFA as a cornerstone of its security strategy, particularly the vast number of businesses integrated with the Microsoft 365 ecosystem. The effectiveness of these token-stealing campaigns directly challenges the common assumption that an MFA-protected account is secure. It demonstrates that even with a second factor, accounts remain vulnerable if a user is successfully phished. This attack method shifts the threat from simple credential theft to more complex session hijacking, forcing security teams to evolve their defenses by looking beyond initial login events to monitor post-authentication behavior and verify the integrity of active user sessions.
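The post-authentication monitoring the paragraph above calls for can be expressed as a small detection rule. The following is an added example, not code from the CSO Online article or from Notifire: it runs over a constructed set of sign-in events (the field names, the corporate egress range 203.0.113.0/24 and the one-hour window are all assumptions for the demo) and flags sessions whose token is used from a new non-corporate IP shortly after the MFA login, whose user agent changes mid-session, or that never had an interactive MFA login at all.

```python
"""Flag post-authentication session anomalies in sign-in events.

Added example (not from the article or the Notifire summary). The event
schema, network ranges and sample data below are constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SignInEvent:
    ts: datetime
    user: str
    session_id: str
    ip: str
    user_agent: str
    interactive_mfa: bool  # True only for the login where the user completed MFA


# Constructed corporate egress range (assumption for the demo).
CORP_NETS = [ip_network("203.0.113.0/24")]


def is_corporate_ip(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def find_session_anomalies(events, window=timedelta(hours=1)):
    """Return (session_id, user, reason) tuples for sessions that look hijacked.

    The interactive MFA login is taken as the session baseline; later token
    uses are compared against it rather than judged as standalone logins.
    """
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev.session_id].append(ev)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        baseline = next((e for e in evs if e.interactive_mfa), None)
        if baseline is None:
            # A token that was never minted by a visible MFA login in this tenant
            # is consistent with a replayed, stolen session.
            findings.append((sid, evs[0].user,
                             "token used with no interactive MFA login in this session"))
            continue
        for ev in evs:
            if ev is baseline or ev.ts < baseline.ts:
                continue
            age = ev.ts - baseline.ts
            if ev.ip != baseline.ip and not is_corporate_ip(ev.ip) and age <= window:
                findings.append((sid, ev.user,
                                 f"token used from new non-corporate IP {ev.ip} "
                                 f"{int(age.total_seconds() // 60)} min after MFA login"))
            if ev.user_agent != baseline.user_agent:
                findings.append((sid, ev.user,
                                 f"user agent changed from {baseline.user_agent!r} "
                                 f"to {ev.user_agent!r}"))
    return findings


# Constructed sample log: one clean session, one with a token reused from an
# unexpected client, and one session with no visible interactive login.
EDGE = "Mozilla/5.0 Edge/120"
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    SignInEvent(T0, "alice", "s-001", "203.0.113.10", EDGE, True),
    SignInEvent(T0 + timedelta(minutes=1), "bob", "s-002", "203.0.113.22", EDGE, True),
    SignInEvent(T0 + timedelta(minutes=4), "alice", "s-001", "203.0.113.10", EDGE, False),
    SignInEvent(T0 + timedelta(minutes=5), "carol", "s-003", "192.0.2.5", "python-requests/2.31", False),
    SignInEvent(T0 + timedelta(minutes=8), "bob", "s-002", "203.0.113.22", EDGE, False),
    SignInEvent(T0 + timedelta(minutes=12), "alice", "s-001", "198.51.100.77", "python-requests/2.31", False),
]


def demo():
    return find_session_anomalies(SAMPLE_EVENTS)


if __name__ == "__main__":
    for sid, user, reason in demo():
        print(f"{sid} ({user}): {reason}")
```

The rule deliberately anchors on the session rather than the login: a stolen token produces no failed logins and no second MFA prompt, so the only signal left is a mismatch between the context of the original MFA login and the context in which the token is later presented.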
Why it matters
This trend undermines the security model of many organizations that rely heavily on MFA as a primary defense, forcing a re-evaluation of identity and access management strategies to include post-authentication monitoring.
Business impact
A successful token theft attack can lead to significant data breaches, financial loss, and reputational damage, as attackers gain the same level of access as a legitimate, authenticated user.
Action checklist
1. Review user training on sophisticated phishing that mimics login pages.
2. Implement conditional access policies to flag or block suspicious logins.
3. Monitor for anomalous post-authentication session activity.
4. Explore phishing-resistant MFA methods like FIDO2/WebAuthn.
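Item 4 names FIDO2/WebAuthn as phishing-resistant; the property that makes it so is origin binding, which this added example (not code from the article, Notifire, or any WebAuthn library) walks through. The browser, not the web page, writes the page origin into clientDataJSON, and the authenticator signs over the rpIdHash plus a hash of that JSON, so a relying party can reject an assertion produced on a look-alike domain. The domains and challenge are constructed, and the HMAC used here is a stdlib-only stand-in for the authenticator's real public-key signature (an assumption for the demo, not how FIDO2 signs).

```python
"""Origin binding in a WebAuthn-style assertion, simplified.

Added example; not from the article. HMAC stands in for the authenticator's
asymmetric signature so the demo runs with the standard library alone.
"""
import hashlib
import hmac
import json

RP_ID = "login.example.com"                 # constructed relying party id
EXPECTED_ORIGIN = "https://login.example.com"


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(key: bytes, rp_id: str, client_data_json: bytes):
    # authenticatorData = rpIdHash || flags (UP set) || 32-bit counter; a real
    # authenticator signs authenticatorData || SHA-256(clientDataJSON).
    auth_data = rp_id_hash(rp_id) + b"\x01" + (0).to_bytes(4, "big")
    msg = auth_data + hashlib.sha256(client_data_json).digest()
    return auth_data, hmac.new(key, msg, hashlib.sha256).digest()


def browser_get_assertion(key: bytes, page_origin: str, challenge: str):
    # The browser fills in "origin" from the page it is actually on; script on
    # the page cannot choose this value.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    auth_data, sig = authenticator_sign(key, RP_ID, client_data)
    return client_data, auth_data, sig


def rp_verify(key: bytes, challenge: str, client_data: bytes, auth_data: bytes, sig: bytes):
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def demo():
    key = b"constructed-credential-key"        # stand-in for the credential key pair
    challenge = "c2FtcGxlLWNoYWxsZW5nZQ"      # constructed server challenge

    # 1. Genuine login on the real origin.
    legit = rp_verify(key, challenge, *browser_get_assertion(key, EXPECTED_ORIGIN, challenge))

    # 2. Same user, same authenticator, but the page is a look-alike domain:
    #    the browser records that origin and the RP refuses it.
    client_data, auth_data, sig = browser_get_assertion(key, "https://login-example.com", challenge)
    phished = rp_verify(key, challenge, client_data, auth_data, sig)

    # 3. A relay that rewrites the origin field to the real one breaks the
    #    signature, because the signed hash covered the original JSON.
    cd = json.loads(client_data)
    cd["origin"] = EXPECTED_ORIGIN
    rewritten = rp_verify(key, challenge, json.dumps(cd, separators=(",", ":")).encode(),
                          auth_data, sig)
    return legit, phished, rewritten


if __name__ == "__main__":
    for label, result in zip(("legit", "phished", "rewritten"), demo()):
        print(f"{label}: {result}")
```

In practice the second case never reaches the relying party: the browser refuses to use a credential whose rpId is not a registrable suffix of the current origin, so the look-alike domain cannot trigger the authenticator at all. The example verifies on the server side to make the binding visible, and it is this binding that a session token minted after a password-plus-OTP login lacks.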
Primary source: CSO Online