"Microsoft Warns of Rise in Stolen Cloud Tokens Used to Bypass MFA"

Threat actors are stealing authentication tokens that have already been verified by multi-factor authentication (MFA) in order to compromise organizations' systems. According to a new alert from Microsoft's Detection and Response Team (DART), token theft for MFA bypass is especially dangerous because it requires little technical expertise and is difficult to detect. Most organizations have not considered token theft as part of their incident response plan. Furthermore, as employees increasingly use personal devices to access systems, security controls weaken and malicious activity is hidden from the security team's view. Full visibility into devices reduces the risk of token theft, but DART admits that this is difficult to achieve with so many unmanaged devices accessing the network. DART recommends conditional access policies and strict controls for unmanaged devices. DART also noted in its blog post about the MFA workaround that publicly available open-source tools for token theft already exist, and that commodity credential theft malware has already been modified to include this method in its arsenal. This article continues to discuss the uptick in token theft from authenticated users, which allows threat actors to bypass MFA protections.

Dark Reading reports "Microsoft Warns of Rise in Stolen Cloud Tokens Used to Bypass MFA"

Submitted by Anonymous on