Identity Threats: How Attackers Steal Tokens and How to Stop Them
In a recent episode of the Threatscape Podcast, Ru Campbell sat down with Dr Nestori Syynimaa to discuss a major issue in identity security: token theft. The conversation explored how attackers steal authentication tokens, the evolution of Azure AD security, and how organisations can defend against these emerging threats.
Dr Syynimaa shared his journey from CIO to principal identity security researcher at Microsoft, providing valuable insights into how adversaries exploit identity vulnerabilities and how defenders can stay ahead.
The Rise of Token Theft and Identity Attacks
Identity security is critical in modern cyber security. With cloud-based infrastructures becoming the norm, authentication tokens have become prime targets for attackers. Instead of stealing passwords, cybercriminals now hijack session tokens, granting them direct access to corporate systems, often bypassing multifactor authentication (MFA).
Dr Syynimaa shared an eye-opening experience: a PowerShell tool he originally developed to help IT professionals was unknowingly being used by cybercriminals. This highlights a stark reality: many legitimate administrative tools can be repurposed for malicious activity by attackers.
The discussion also touched on how security research plays a key role in identifying vulnerabilities before they can be exploited, and how Microsoft and other organisations work to mitigate these risks.
How Attackers Steal Tokens and the Emerging Defences
The podcast examined the main methods attackers use to steal tokens:
1. Adversary-in-the-Middle (AiTM) Attacks
AiTM phishing attacks trick users into entering credentials into fake login portals. These attacks capture authentication tokens, allowing attackers to bypass MFA and gain access to victims’ accounts.
2. Post-Issuance Token Theft
Even after authentication, malware on a compromised device can extract stored tokens. Attackers can then use these tokens to impersonate users and navigate corporate networks undetected.
The Microsoft Perspective
As a Microsoft security researcher, Dr Syynimaa discussed how his role allows him to detect and address these issues at an earlier stage. By analysing attack patterns and researching vulnerabilities, he helps build better defences before threats can spread widely.
One notable topic was a Microsoft 365 security loophole, where certain apps unintentionally received elevated API permissions. This issue, which affected conditional access enforcement, was quickly addressed, demonstrating the importance of ongoing security reviews.
Defending Against Token Theft and Identity Compromise
Dr Syynimaa outlined key defence strategies against token theft:
- Restrict Bring Your Own Device (BYOD): Personal devices introduce security risks, making it crucial for organisations to enforce policies requiring managed, compliant devices.
- Use Phishing-Resistant Authentication: Passkeys and security keys ensure authentication is tied to a specific device, mitigating AiTM attacks.
- Enforce Conditional Access Policies: Limiting access to secure, verified devices helps protect authentication tokens.
- Monitor Token Behaviour: Analysing anomalies in token usage can reveal signs of compromise.
- Leverage Trusted Platform Modules (TPM): Devices with TPM provide better protection against post-issuance token theft by securely storing cryptographic keys.
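As an added illustration of the "Monitor Token Behaviour" and "Enforce Conditional Access" points above (this is example code written for this summary, not a tool from the podcast or from Microsoft), the script below groups sign-in records by session identifier and flags two patterns that post-issuance token theft or AiTM replay typically leaves behind: the same session appearing from two countries within a short window, and a session first issued on a compliant device later being used from a non-compliant one. The record shape (`session`, `user`, `ts`, `ip`, `country`, `compliant`) and the sample events are constructed for the example; real Entra ID sign-in logs use different field names and would need mapping onto this shape.

```python
"""Flag anomalous reuse of authentication sessions in sign-in records.

Example detection logic (not from the podcast or any Microsoft product).
Record fields are an assumed, simplified shape for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records (illustrative, not real log data).
# "sess-A" is issued on a compliant device in GB and is later replayed from
# another country on a non-compliant device; "sess-B" is benign.
SAMPLE_EVENTS = [
    {"session": "sess-A", "user": "alice", "ts": "2025-01-10T09:00:00",
     "ip": "203.0.113.10", "country": "GB", "compliant": True},
    {"session": "sess-A", "user": "alice", "ts": "2025-01-10T09:30:00",
     "ip": "203.0.113.10", "country": "GB", "compliant": True},
    {"session": "sess-A", "user": "alice", "ts": "2025-01-10T10:05:00",
     "ip": "198.51.100.7", "country": "US", "compliant": False},
    {"session": "sess-B", "user": "bob", "ts": "2025-01-10T11:00:00",
     "ip": "192.0.2.44", "country": "GB", "compliant": True},
    {"session": "sess-B", "user": "bob", "ts": "2025-01-10T15:00:00",
     "ip": "192.0.2.45", "country": "GB", "compliant": True},
]

# Two uses of one session from different countries closer together than this
# are treated as impossible travel (tunable assumption).
TRAVEL_WINDOW_HOURS = 2.0


def _parse(ts):
    """Parse an ISO 8601 timestamp string into a datetime."""
    return datetime.fromisoformat(ts)


def analyse_sessions(events):
    """Return a list of findings, one per anomalous session use.

    Each finding is a dict with the rule name, session, user and the
    offending event, so it can be fed to an alerting pipeline.
    """
    findings = []
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    for session_id, evs in by_session.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        first = evs[0]  # the sign-in that issued the session
        for prev, cur in zip(evs, evs[1:]):
            hours = (_parse(cur["ts"]) - _parse(prev["ts"])).total_seconds() / 3600
            # Rule 1: same session, different country, too little time between.
            if cur["country"] != prev["country"] and hours < TRAVEL_WINDOW_HOURS:
                findings.append({
                    "rule": "impossible_travel",
                    "session": session_id,
                    "user": cur["user"],
                    "detail": f'{prev["country"]} -> {cur["country"]} in {hours:.2f}h',
                    "event": cur,
                })
            # Rule 2: session issued on a compliant device now used from a
            # non-compliant one; a device-compliance conditional access policy
            # should have blocked this, so it is worth investigating.
            if first["compliant"] and not cur["compliant"]:
                findings.append({
                    "rule": "compliance_downgrade",
                    "session": session_id,
                    "user": cur["user"],
                    "detail": f'issued compliant, reused from {cur["ip"]} non-compliant',
                    "event": cur,
                })
    return findings


if __name__ == "__main__":
    for finding in analyse_sessions(SAMPLE_EVENTS):
        print(f'[{finding["rule"]}] user={finding["user"]} '
              f'session={finding["session"]} {finding["detail"]}')
```

On the constructed input the script reports two findings, both for `sess-A`, and nothing for `sess-B`. In practice the countries would come from IP geolocation and the compliance flag from the device-compliance claim on the sign-in, and a finding should trigger session revocation for the affected user rather than just an alert.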
Final Thoughts
Token theft is an evolving cybersecurity challenge. As attackers develop more advanced techniques, defenders must remain vigilant and proactive. Security research, strict access policies, and improved authentication methods are key to reducing risk.
For those interested in identity security, Dr Syynimaa recommends attending security conferences, following researchers on social media, and engaging in hands-on cybersecurity exercises like Capture The Flag (CTF) challenges.
Want to learn more?
Follow Dr Nestori Syynimaa online and explore his research on identity security. Subscribe to the Threatscape Podcast for more expert discussions on the latest cybersecurity threats and defences.