What Is Token Theft?
Token theft is a cyberattack where threat actors compromise and steal authentication tokens (OAuth tokens, session tokens, API keys, or refresh tokens) to gain unauthorized access to accounts, systems, or data. Unlike password theft, stolen tokens bypass multi-factor authentication entirely because they are issued after successful authentication, allowing attackers to impersonate legitimate users without triggering MFA prompts or login alerts.
Authentication tokens are pieces of information stored locally on a device that tell an online service the device has authenticated recently enough that it does not need to do so again, according to Microsoft Community Hub and Huntress.
How does token theft work?
Token types at risk
OAuth access tokens are short-lived (minutes to hours), issued after user authorization, and provide delegated access to protected resources. OAuth refresh tokens are long-lived (weeks to months), enable obtaining new access tokens without re-authentication, and are most dangerous when stolen because they "survive password resets" and enable persistent attacker access.
Session tokens maintain authenticated state after login, allow users to access multiple resources without re-authenticating, and are typically cookie-based in web applications. API tokens or keys provide programmatic access to services, often with indefinite lifespans and broad permissions, and are frequently hardcoded in applications or exposed in logs according to Obsidian Security, Microsoft Learn, and Kaseya.
Attack vectors
In Adversary-in-the-Middle (AiTM) phishing, the attacker sets up a malicious website and directs the victim to it via a phishing email. The victim logs in to the legitimate service through the attacker's proxy, and the attacker captures both the credentials and the authentication tokens. The attacker now holds tokens that grant access without MFA.
Malware and infostealers infect the victim's device, extract tokens from browser storage, memory, or application caches, and send the stolen tokens to attacker infrastructure. This works regardless of how MFA is implemented.
In vendor and SaaS compromise, the attacker compromises a third-party vendor or cloud service, accesses the OAuth tokens it stores for integrated applications, and uses those tokens to reach every connected service.
Hardcoded API keys are API tokens embedded in source code and exposed through GitHub repositories, public storage, or code leaks, which provides permanent programmatic access.
Consent phishing tricks the user into authorizing a malicious OAuth application. The user grants the application broad permissions, and the attacker obtains long-lived tokens with extensive access.
Code and log exposure covers tokens accidentally committed to version control or exposed in error messages and application logs, where they are available to anyone with repository or log access, according to Obsidian Security, Microsoft Security Blog, Triskele Labs, and Kaseya.
Exploitation flow
The attacker captures or steals a token by one of the methods above, then constructs API or HTTP requests that include the stolen token. The system validates the token's signature and expiration and processes the request as if it came from the legitimate user, giving the attacker full authenticated access. MFA is completely bypassed because the token was issued after authentication, according to Microsoft Learn, Kaseya, and Obsidian Security.
Critical advantage
Stolen tokens generate "none of these signals"—no failed logins, no MFA prompts, no authentication attempts to monitor. Token-based access appears identical to legitimate user activity according to Obsidian Security and Microsoft Security Blog.
How does token theft differ from other attacks?
| Aspect | Token Theft | Password Theft | Session Hijacking | MFA Bypass |
|---|---|---|---|---|
| MFA Bypass | Yes (complete bypass) | No (triggers MFA) | Yes (pre-auth'd) | N/A (this is it) |
| Detection Difficulty | Very High (valid access) | Low (login event) | High (no new login) | Very High (no alerts) |
| Re-auth Needed | No (token valid) | Yes (MFA required) | No (session valid) | No (token valid) |
| Persistence | Limited (token expiration) | Unlimited (password static) | Limited (session timeout) | Varies (token-based) |
| Scope of Access | Depends on token scope | Full account access | Full session access | Limited to token permissions |
| Revocation | Immediate if detected | Immediate (password change) | Immediate (logout) | Depends on implementation |
| Attack Complexity | Medium (AiTM, malware) | Medium (phishing, keylogger) | Medium (interception) | High (multiple vectors) |
| Ideal for | Bypassing MFA entirely for post-authentication access; long-term API abuse | Initial account compromise when MFA is not deployed | Maintaining access without authentication alerts | Various techniques depending on MFA implementation weaknesses |
Why does token theft matter?
Token theft has emerged as one of the fastest-growing MFA bypass techniques, fundamentally challenging the effectiveness of traditional multi-factor authentication.
Token theft surge (2024-2025)
Token theft attacks have surged over 111% year-over-year, representing one of the fastest-growing MFA bypass techniques according to Microsoft Community Hub in 2024.
Adversary-in-the-middle (AiTM) attacks (2024)
Microsoft's Digital Defense Report 2024 documented a 146% rise in AiTM phishing attacks, which directly correlate with token theft campaigns. AiTM phishing kits like Evilginx capture both credentials and tokens simultaneously according to Microsoft Digital Defense Report in 2024.
MFA bypass prevalence (2024-2025)
Token theft was responsible for 31% of breaches targeting Microsoft 365 instances in 2025, according to Microsoft Learn and FRSecure. Eighty percent of recent breaches involving MFA bypass occurred through session token abuse, according to the Microsoft 2025 Trend Report. Cisco Talos found that 50% of its 2024 incident responses involved MFA bypass attacks.
MFA effectiveness gap (2024-2025)
FRSecure responded to 65 business email compromise incidents in 2024-2025 (48.15% of all investigations), and 79% of victims had correctly implemented MFA. Despite MFA deployment, token theft enabled breach success, proving MFA alone is insufficient defense according to FRSecure in 2025.
SaaS breach growth (2023-2024)
SaaS breaches increased by 300% between September 2023 and September 2024, with API tokens and OAuth credentials as primary attack vectors in 2024.
Detection blindness
Token-based access generates zero traditional security signals—no failed logins, no MFA prompts, no unusual authentication patterns—making stolen tokens nearly invisible to legacy security monitoring according to Obsidian Security and Microsoft Security Blog.
What are the limitations of token theft?
Token expiration limits window
Most access tokens expire within hours (short-lived by design), limiting exploitation window. However, refresh tokens last much longer.
Refresh token expiration
Even long-lived refresh tokens eventually expire, so an attacker must use them within that validity window.
Token binding defeats stolen tokens
If tokens are cryptographically bound to device (IP, TLS cert, device key), stolen tokens are useless from attacker's device.
Conditional access policies
Risk-based policies can detect and block token reuse from impossible travel locations or non-compliant devices.
Continuous access evaluation (CAE)
Real-time policy enforcement can revoke tokens immediately if user risk changes or anomalous activity is detected.
Token revocation
Organizations maintaining token blacklists can immediately revoke compromised tokens across all services.
Narrow token scope
Tokens issued with minimal required permissions (principle of least privilege) limit damage if compromised.
Audit logging
Comprehensive logging of token creation, use, and revocation enables detection of token reuse anomalies.
How can organizations defend against token theft?
Short-lived token architecture
Issue access tokens with 15-60 minute lifespans. Pair them with long-lived refresh tokens (7-30 days) with rotation enabled. Automatic token expiration forces re-authentication if a compromised token is detected. This reduces the exposure window significantly compared to long-lived tokens, according to Microsoft Learn, Obsidian Security, and Kaseya.
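The short-lived-access-token plus rotating-refresh-token pattern above, as an added example (not code from the page's sources). It is an in-memory stand-in for a token service: every refresh token belongs to a "family" created at login, each rotation retires the old token, and a retired token presented a second time means two parties hold copies, so the whole family is revoked and the user must sign in again. The TTL values are assumptions taken from the ranges in the paragraph.

```python
import secrets
import time

# Added example: in-memory token service with refresh-token rotation and
# reuse detection. Not a production store; a real deployment would persist
# records and sign access tokens as JWTs.

ACCESS_TTL = 15 * 60           # 15-minute access tokens (page's 15-60 minute range)
REFRESH_TTL = 7 * 24 * 3600    # 7-day refresh tokens (page's 7-30 day range)


class TokenService:
    def __init__(self):
        self.refresh = {}             # refresh token -> record
        self.revoked_families = set()

    def _issue_pair(self, user, family, now):
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = {"family": family, "user": user,
                            "exp": now + REFRESH_TTL, "active": True}
        access = {"sub": user, "exp": now + ACCESS_TTL}  # stand-in for a signed JWT
        return access, rt

    def login(self, user, now=None):
        """Call only after the user has completed password and MFA checks."""
        now = time.time() if now is None else now
        return self._issue_pair(user, secrets.token_hex(8), now)

    def rotate(self, presented_rt, now=None):
        """Exchange a refresh token for a new access/refresh pair, or None."""
        now = time.time() if now is None else now
        rec = self.refresh.get(presented_rt)
        if rec is None or rec["family"] in self.revoked_families or now > rec["exp"]:
            return None
        if not rec["active"]:
            # Replay of an already-rotated token: treat as theft, kill the family.
            self.revoked_families.add(rec["family"])
            return None
        rec["active"] = False
        return self._issue_pair(rec["user"], rec["family"], now)

    def is_family_revoked(self, rt):
        rec = self.refresh.get(rt)
        return rec is not None and rec["family"] in self.revoked_families
```

Note that the family revocation also cuts off the legitimate user's current token; that forced re-authentication is the intended outcome when a stolen refresh token is detected.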
Token binding (token protection)
Cryptographically bind tokens to the device using device keys or TLS certificates. This ensures a stolen token cannot be used from the attacker's device. For Microsoft Entra ID, Primary Refresh Tokens (PRTs) are bound to device enrollment. This prevents successful token replay attacks and requires infrastructure support such as hardware-backed keys or a TPM, according to Microsoft Learn, Microsoft Community Hub, and CyberHoot.
Conditional access policies
Enforce device compliance checks (managed devices only). Implement location-based access restrictions. Require specific network connectivity (corporate VPN). Block access from impossible travel scenarios. Enforce authentication strength based on risk level. Combine multiple conditions (device plus location plus risk) for defense-in-depth according to Microsoft Learn, Kelser Corp, and T-Minus 365.
Continuous access evaluation (CAE)
Enable real-time policy enforcement and token revocation. Immediately invalidate tokens upon detected risk changes. Force re-authentication if anomalous access patterns are detected. Detect and block tokens used from non-compliant devices. Example: if a token is used from an unauthorized location or device, deny access and revoke the token, according to Microsoft Learn and Microsoft Community Hub.
Token revocation endpoints
Maintain centralized token revocation system. Enable immediate deactivation if breach detected. Implement token blacklists for all compromised tokens. Coordinate revocation across all integrated services. Audit all revocation events according to Obsidian Security and Microsoft Learn.
Monitoring and detection
Monitor for token usage from new devices or unusual locations. Alert on bulk token requests or unusual API activity. Track tokens used outside expected time windows. Detect impossible travel (token use from geographically distant locations). Monitor for sudden permission scope changes. Alert on tokens used after password changes (should require re-auth) according to FRSecure, Microsoft Security Blog, and Obsidian Security.
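The impossible-travel check from the list above, as an added example (not code from the page's sources). It runs over a few constructed token-use events and flags any token whose consecutive uses from different IP addresses imply a speed faster than an airliner. The event format, the constructed IPs and coordinates, and the 900 km/h threshold are assumptions; IP-to-location lookup is assumed to have happened upstream so each event already carries latitude and longitude.

```python
import math
from datetime import datetime

# Constructed sample events (not real logs): ISO-8601 UTC time, token id,
# source IP, latitude, longitude. tok-7f3a is used from Seattle and then from
# Amsterdam 20 minutes later; tok-c911 moves New York -> Los Angeles in 8 hours.
EVENTS = [
    ("2025-03-01T09:00:00", "tok-7f3a", "203.0.113.10", 47.61, -122.33),
    ("2025-03-01T09:20:00", "tok-7f3a", "203.0.113.10", 47.61, -122.33),
    ("2025-03-01T09:40:00", "tok-7f3a", "198.51.100.7", 52.37, 4.90),
    ("2025-03-01T10:00:00", "tok-c911", "192.0.2.44", 40.71, -74.01),
    ("2025-03-01T18:00:00", "tok-c911", "192.0.2.99", 34.05, -118.24),
]

MAX_SPEED_KMH = 900.0  # assumed threshold: roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points on a spherical Earth."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return one alert per token hop whose implied speed exceeds the threshold.

    Events are grouped per token and processed in time order; hops between the
    same source IP are skipped because they cannot indicate relocation."""
    alerts = []
    last = {}  # token id -> (time, ip, lat, lon) of its previous use
    for ts, tok, ip, lat, lon in sorted(events, key=lambda e: (e[1], e[0])):
        when = datetime.fromisoformat(ts)
        if tok in last:
            p_when, p_ip, p_lat, p_lon = last[tok]
            hours = (when - p_when).total_seconds() / 3600
            dist = haversine_km(p_lat, p_lon, lat, lon)
            if ip != p_ip and hours > 0 and dist / hours > max_speed_kmh:
                alerts.append({"token": tok, "from_ip": p_ip, "to_ip": ip,
                               "km": round(dist), "speed_kmh": round(dist / hours)})
        last[tok] = (when, ip, lat, lon)
    return alerts
```

In a real pipeline the alert would feed the revocation step described under continuous access evaluation rather than only being reported.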
OAuth and SaaS security
Monitor new OAuth authorizations for suspicious applications. Audit integrated applications and revoke unused ones. Require explicit user consent for OAuth permissions. Implement OAuth consent phishing detection. Monitor refresh token usage patterns. Implement refresh token rotation (new token issued each use) according to Obsidian Security and Microsoft Learn.
Credential protection
Implement hardware-based MFA (FIDO2 keys) resistant to token theft. Deploy passwordless authentication where possible. Use Windows 11 security features (TPM, Credential Guard). Enable browser isolation to prevent malware token theft. Conduct regular malware scans and EDR deployment according to Microsoft Security Blog, Kaseya, and Huntress.
API token security
Never hardcode API tokens in source code. Use secret management systems (Azure Key Vault, HashiCorp Vault). Implement token rotation policies for API keys. Audit API token usage and scope. Revoke unused API tokens immediately. Monitor for API tokens exposed in public repositories according to Obsidian Security and Microsoft Learn.
Audit and logging
Log all token creation, validation, and revocation events. Correlate token usage with actual user activity. Alert on token use inconsistent with user behavior. Maintain detailed audit trails for forensic analysis. Implement real-time log analysis for anomaly detection according to Microsoft Learn, FRSecure, and T-Minus 365.
FAQs
Why does token theft bypass MFA?
MFA protects the initial login by requiring a second factor. However, tokens are issued AFTER MFA is satisfied. Once an attacker steals a valid token, they already have authenticated access, rendering MFA useless. The attacker doesn't need to enter a password or second factor because they're not logging in—they're simply replaying a valid token according to Microsoft Learn and Obsidian Security.
What is the difference between token theft and session hijacking?
Token theft is stealing a token. Session hijacking is the exploitation of a stolen session token. Session hijacking typically refers to HTTP cookies, while token theft encompasses OAuth tokens, API keys, and other authentication mechanisms. The distinction is primarily one of scope—token theft is broader according to Obsidian Security and Kaseya.
Can token binding prevent token theft?
Token binding cannot prevent the initial token theft but makes stolen tokens useless. If a token is bound to a device's cryptographic key, the stolen token cannot be used from a different device. The attacker would need to either steal the device itself or compromise the device key according to Microsoft Learn and CyberHoot.
How do infostealers steal tokens protected by HttpOnly flags?
Infostealers run with system-level access, allowing them to read tokens directly from browser memory, caches, and storage—bypassing any JavaScript-level protections like HttpOnly. The HttpOnly flag only prevents JavaScript from accessing tokens. Malware with system access can extract them anyway according to Obsidian Security and Microsoft Security Blog.
What is a refresh token and why is it more dangerous than access tokens?
Refresh tokens are long-lived credentials (weeks to months) that enable obtaining new access tokens without user interaction. They are more dangerous because they survive password resets and provide persistent access. If a refresh token is stolen, the attacker can request unlimited new access tokens until the refresh token is revoked according to Obsidian Security and Microsoft Learn.