What is token theft?


SaaS applications like Microsoft 365 and Google Workspace are essential tools for modern productivity, communication and collaboration, making them attractive targets for cybercriminals. According to recent research, SaaS breaches increased by 300% between September 2023 and 2024.

Many businesses today deploy strong measures, such as security tokens, to prevent threat actors from accessing their systems and data. These tokens go beyond passwords to further strengthen security by authenticating and authorizing users in 2FA and MFA. However, cybercriminals have found new methods to steal these tokens and evade MFA.

Just this year, an MSP shared on Reddit that a client’s Microsoft 365 email was hacked even though MFA was enabled, and asked the community how the attackers managed to bypass it.

Cybercriminals are becoming more sophisticated and are using techniques such as token theft and session hijacking to bypass MFA. However, many businesses and service providers aren’t fully aware of these attack methods.

In this article, we’ll take a deep dive into what token theft is, how it works and what you can do to protect your SaaS environments, end users and data.

What is token theft?

Token theft is the process of stealing session tokens or digitally encrypted keys to gain unauthorized access to accounts or systems. Token theft is a major threat to organizations because once hackers capture login tokens, they can impersonate a user or access sensitive information even when passwords or MFA are in place.

Traditionally, users enter their usernames and passwords each time they want to access a service or system. With token-based authentication, users log in once, and the credentials are verified through processes like MFA. After that initial login, the system issues a secure token (like a digital key) that proves the user is authenticated and allows access to protected resources for a set period. Cybercriminals aim to exploit this by stealing valid session tokens.

Some common types of tokens used in modern authentication and security systems include hardware tokens like FIDO2 security keys, software tokens like Google Authenticator or Microsoft Authenticator, and access, API, ID and refresh tokens.

How token theft works and methods used

Stolen tokens allow hackers to evade security controls like passwords and MFA, impersonate users and access accounts or systems.

When a user logs in to a SaaS application like Microsoft 365 or Google Workspace, the system generates an authentication token (a JSON Web Token (JWT) or a session cookie). This token allows the user to access the application and its resources without logging in again. It is stored on the user’s device (in browser storage, memory or session cookies) to keep the user authenticated and maintain an ongoing connection.

If threat actors manage to steal this token while it’s valid, they can insert it into their own browsers or tools and gain instant access to the user’s account. They can then impersonate the user, steal sensitive information or execute malicious activities. In short, attackers effectively hijack the user’s session.

Common methods used to steal tokens

Phishing

Attackers send phishing emails that contain malicious links or attachments. Clicking on those links redirects the victim to phishing sites designed to mimic real login pages. Attackers leverage adversary-in-the-middle (AiTM) phishing kits that capture both login credentials and tokens, allowing them to bypass MFA.

Malware and infostealers

Cybercriminals use malicious software, such as RedLine or Raccoon Stealer, to extract tokens and session cookies from a user’s browser or device. The malware scans browser storage and application memory for tokens that can be stolen.

MitM attacks

In these types of attacks, attackers intercept network communications to capture tokens in transit. They position themselves between the target and the SaaS service (for example, Microsoft 365). They use tools like Evilginx (a reverse proxy server) that intercept authentication sessions and capture valid session tokens.

Token reuse and replay attacks

Once attackers steal a token, they can present it repeatedly to access systems without needing login credentials or MFA. This lets them impersonate the user or reach a service again and again until the token expires or is revoked.
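The detection side of token reuse, as an added example that is not part of the original article: a session that belongs to one browser on one device should keep looking like that client. The script below scans a small constructed activity log (the log lines, session ids, users and IPs are all made up for the demo and follow no particular product's format) and flags any session id that is presented from a second client fingerprint (source IP plus user agent) within a time window of its previous use.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample activity log (not from any real tenant). Each line carries a
# timestamp, session id, user, source IP and user agent. Session 9f1c3a is first
# used from alice's browser, then 38 minutes later from a different IP and client.
SAMPLE_LOG = """\
2025-03-04T09:00:12Z sid=9f1c3a user=alice@example.com ip=203.0.113.10 ua=Edge/122
2025-03-04T09:03:40Z sid=9f1c3a user=alice@example.com ip=203.0.113.10 ua=Edge/122
2025-03-04T09:05:02Z sid=77b2e0 user=bob@example.com ip=198.51.100.7 ua=Chrome/123
2025-03-04T09:41:55Z sid=9f1c3a user=alice@example.com ip=192.0.2.250 ua=curl/8.5
2025-03-04T09:42:10Z sid=9f1c3a user=alice@example.com ip=192.0.2.250 ua=curl/8.5
2025-03-04T11:30:00Z sid=77b2e0 user=bob@example.com ip=198.51.100.7 ua=Chrome/123
"""

Alert = namedtuple("Alert", "sid user first_client second_client gap_minutes")


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a parsed timestamp."""
    ts_text, *fields = line.split()
    record = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for item in fields:
        key, _, value = item.partition("=")
        record[key] = value
    return record


def find_replayed_sessions(log_text: str, window: timedelta = timedelta(hours=1)) -> list:
    """Flag a session id presented from a second client (IP + user agent) within
    `window` of its previous use. One session belongs to one client; a switch of
    client mid-session is the footprint of a stolen token being replayed."""
    last_seen = {}  # sid -> (client fingerprint, timestamp of most recent event)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        client = (rec["ip"], rec["ua"])
        previous = last_seen.get(rec["sid"])
        if previous is not None:
            prev_client, prev_ts = previous
            if prev_client != client and rec["ts"] - prev_ts <= window:
                gap = int((rec["ts"] - prev_ts).total_seconds() // 60)
                alerts.append(Alert(rec["sid"], rec["user"], prev_client, client, gap))
        last_seen[rec["sid"]] = (client, rec["ts"])
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print(f"[possible replay] session {alert.sid} for {alert.user}: "
              f"{alert.first_client} -> {alert.second_client} after {alert.gap_minutes} min")
```

Two caveats a practitioner would apply before alerting on this in production: a user who roams between networks or updates their browser will legitimately change one half of the fingerprint, so the rule should feed a risk score rather than block outright, and the real data source would be the identity provider's sign-in and activity logs, where the session identifier and client details are already normalized.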

Token theft vs. session hijacking: What’s the difference?

Token theft and session hijacking are related but distinct attack vectors and use different mechanisms.

Token theft involves extracting or stealing authentication tokens, such as OAuth, API or JWT tokens. In contrast, session hijacking involves taking control of an active session by exploiting a stolen or intercepted session token.

Here’s a quick breakdown of the differences between token theft and session hijacking.

Characteristic          Token theft                                 Session hijacking
Focus                   Authentication token (OAuth, API, JWT)      Session ID or cookie
Common attack method    Phishing, malware, MitM                     Brute force, cross-site scripting (XSS), MitM, session fixation
Scope                   Broader (APIs, mobile, web apps)            Typically web-session focused
Persistence             Longer-lived (depends on token expiry)      Active session or until session expires

Figure 1: Difference between token theft and session hijacking

The risks and impacts of token theft

Token theft is one of the biggest threats facing businesses today. Stolen tokens allow attackers to:

Bypass MFA

Token theft allows cybercriminals to bypass security measures like passwords and even MFA, giving them persistent unauthorized access without triggering MFA alerts.

Unauthorized account access

Attackers use stolen tokens to impersonate users. Once they gain access to an account, they target other platforms like email, social media or enterprise applications. They can move laterally within a system or network, or escalate privileges to gain higher-level permissions and administrative rights.

Compromise sensitive data

Once an account is compromised, threat actors can access sensitive resources like user data, financial records, emails, chats and other cloud services. This can result in mass data exfiltration from SaaS platforms like Microsoft 365 and Google Workspace. Cybercriminals use the stolen information to demand ransom. Often, the exfiltrated data is sold on dark web forums for financial gain.

The fallout from these risks could result in data breaches, financial losses, non-compliance and reputational damage.

Because of the risks it presents, the Microsoft Detection and Response Team (DART) closely analyzes token theft and its tactics. Microsoft DART aims to empower IT and security teams with the right knowledge and strategies to tackle token theft effectively.

Best practices to prevent token theft

While token theft is a complex, modern threat, there are certain steps you can take to mitigate this risk.

Conditional access policies

Conditional access policies can be applied in environments like Microsoft Entra ID (formerly Azure AD) and Google Workspace. These policies evaluate the context of each access attempt, which helps reduce the risk associated with token theft. Based on predefined rules, conditional access policies check multiple factors, such as user identity, device compliance status, location/IP address, the application being accessed and real-time risk assessments, before granting access.
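As an added example (not part of the original article, and a simplified model rather than the policy engine of Entra ID or Google Workspace), here is what evaluating those factors looks like in code. The trusted countries, sensitive applications and risk levels are constructed inputs; the risk level is assumed to come from an upstream risk engine. The scenario to watch is the second one in the script: the presented token still carries its original MFA claim, but because the device is unregistered and non-compliant the policy blocks the request anyway, which is how conditional access blunts a replayed token that the signature check alone would accept.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed policy inputs for this demo; a real tenant defines these in its
# identity provider's conditional access configuration.
TRUSTED_COUNTRIES = {"US", "CA"}
SENSITIVE_APPS = {"Exchange Online", "Admin Portal"}


@dataclass(frozen=True)
class AccessContext:
    """The signals the policy engine sees for one access attempt."""
    user: str
    app: str
    country: str
    device_registered: bool   # device is known to the directory
    device_compliant: bool    # device passes the MDM compliance check
    sign_in_risk: str         # "low", "medium" or "high" from a risk engine (assumed input)
    mfa_claim_present: bool   # the presented token says MFA was done at sign-in


def evaluate_access(ctx: AccessContext) -> Tuple[str, List[str]]:
    """Return ("block" | "challenge" | "allow", reasons).

    Block rules run first, then rules that demand a fresh interactive MFA, then
    allow. A stolen token carries its original MFA claim, so the decision rests
    on device and context signals the thief cannot copy, not on that claim alone.
    """
    if ctx.sign_in_risk == "high":
        return "block", ["sign-in risk is high"]
    if ctx.country not in TRUSTED_COUNTRIES:
        return "block", [f"access from untrusted country {ctx.country}"]
    if ctx.app in SENSITIVE_APPS and not ctx.device_compliant:
        return "block", [f"{ctx.app} requires a compliant device"]

    needs_fresh_mfa = ctx.sign_in_risk == "medium" or not ctx.device_registered
    if needs_fresh_mfa:
        # The token-borne MFA claim does not count here: the user must redo the
        # challenge interactively on this device.
        return "challenge", ["medium risk or unregistered device requires fresh MFA"]
    if not ctx.mfa_claim_present:
        return "challenge", ["MFA has not been completed for this sign-in"]

    return "allow", ["registered compliant device, trusted location, low risk, MFA done"]


if __name__ == "__main__":
    legitimate = AccessContext("alice@example.com", "Exchange Online", "US",
                               device_registered=True, device_compliant=True,
                               sign_in_risk="low", mfa_claim_present=True)
    # The same user's token replayed from an unmanaged machine: MFA claim still
    # present, but the device and risk signals no longer match.
    replayed = AccessContext("alice@example.com", "Exchange Online", "US",
                             device_registered=False, device_compliant=False,
                             sign_in_risk="medium", mfa_claim_present=True)
    for ctx in (legitimate, replayed):
        decision, reasons = evaluate_access(ctx)
        print(f"{ctx.user} -> {ctx.app}: {decision} ({'; '.join(reasons)})")
```

The ordering matters: block conditions are evaluated before anything that could allow, and a "challenge" outcome deliberately ignores the MFA claim inside the token, since that claim is exactly what a stolen token brings with it.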

Educate users

While employees are an organization’s greatest asset, risky user behavior remains one of the weakest links in cybersecurity. In 2024, over 90% of data breaches were tied to human error.

Leverage security awareness training and user susceptibility testing solutions like BullPhish ID (a critical component of Kaseya 365 User) to train users to identify phishing emails and fake login pages. Educate them about the risks of clicking on unknown links, reusing passwords and using public Wi-Fi without a VPN.

Passkeys or hardware keys

Use passkeys or hardware keys like FIDO2 security keys, Microsoft Authenticator passkeys and Google passkeys. They add an extra layer of defense since accessing the private key requires Face ID, a fingerprint or the device PIN. Passkeys offer a more reliable and user-friendly authentication mechanism against cyberthreats like token theft.

How Kaseya 365 User helps prevent token theft

As cybercriminals and their tactics continue to evolve rapidly, businesses need a robust, layered defense strategy to protect their SaaS environments, end users and data at every level.

Kaseya 365 User is a comprehensive subscription-based offering that includes all the essential cybersecurity components to safeguard your Microsoft 365 or Google Workspace environment. From detecting suspicious activity in real-time and automatically responding to threats to blocking phishing emails before they reach employee inboxes and securely backing up and recovering your SaaS data, Kaseya 365 User has got your back.

Our security solution automatically revokes session tokens to block unauthorized access and resets passwords when an attack is detected. It correlates device activity, such as login patterns, with account activity to increase the likelihood of detecting compromises. By reconciling device data with SaaS application data, it ensures that only authorized users on authorized devices can access your organization’s critical SaaS applications.

Discover how Kaseya 365 User helps you prevent, respond to and recover from token theft attacks. Learn more.
