Token Theft
Attack technique in which adversaries steal a user's issued authentication tokens (OAuth access and refresh tokens, browser session cookies) and present them to impersonate that user without ever knowing the password.
What is Token Theft?
After a successful sign-in, applications receive OAuth tokens that grant access to resources without re-authenticating until the token expires. An attacker who obtains those tokens (through infostealer malware, an adversary-in-the-middle phishing proxy, or a compromised device) can act as the user for the remaining token lifetime. Unlike password theft, token theft sidesteps MFA: the token was issued after MFA already succeeded, so presenting it never triggers a second factor.
In Microsoft 365
Token protection in Conditional Access cryptographically binds the sign-in session (refresh) token to the device it was issued to, so a token copied off that device fails everywhere else; it currently covers Windows desktop clients accessing Exchange Online and SharePoint Online. Continuous Access Evaluation lets those services react to critical events (account disabled, password reset, admin token revocation, a change in user risk) in near real time instead of waiting for the access token to expire. Sign-in frequency controls cap how long a session may run without re-authentication, bounding the window in which a stolen token stays usable.
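The following is an added example, not code from TrueConfig or Microsoft: it creates the Conditional Access policy described above in report-only mode with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Beta.Identity.SignIns module, a session holding Policy.ReadWrite.ConditionalAccess, and that the secureSignInSession session control is exposed on the beta endpoint; the break-glass account ID is a placeholder. Continuous Access Evaluation is enabled by default for the tenant and needs no policy setting here.

```powershell
# Added example (not TrueConfig's or Microsoft's code). Creates a report-only
# Conditional Access policy that turns on token protection and a sign-in
# frequency limit for all users on Windows desktop clients.
# Assumes: Microsoft.Graph.Beta.Identity.SignIns is installed and the
# secureSignInSession control is available on the beta endpoint.
Import-Module Microsoft.Graph.Beta.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Exchange Online and SharePoint Online are the resources token protection
# covers today. These are the well-known first-party app IDs; confirm them
# against the service principals in your own tenant.
$exchangeOnline   = '00000002-0000-0ff1-ce00-000000000000'
$sharePointOnline = '00000003-0000-0ff1-ce00-000000000000'

$policy = @{
    displayName = 'Token theft: bind tokens to device, 12h sign-in frequency'
    # Report-only first: the sign-in logs then show which sign-ins would be
    # blocked (unregistered Windows devices, older clients) before enforcing.
    state = 'enabledForReportingButNotEnforced'
    conditions = @{
        users = @{
            includeUsers = @('All')
            # Placeholder: always keep a break-glass account out of the policy.
            excludeUsers = @('<break-glass-account-object-id>')
        }
        applications = @{
            includeApplications = @($exchangeOnline, $sharePointOnline)
        }
        platforms = @{
            includePlatforms = @('windows')
        }
        # Token protection applies to desktop/mobile clients, not browsers.
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    sessionControls = @{
        # Token protection: the refresh token is cryptographically bound to
        # the issuing device, so a copied token is rejected elsewhere.
        secureSignInSession = @{ isEnabled = $true }
        # Bound how long a stolen session stays usable without re-auth.
        signInFrequency = @{
            isEnabled          = $true
            type               = 'hours'
            value              = 12
            frequencyInterval  = 'timeBased'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}

$created = New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Leave the policy in report-only mode until the Conditional Access insights workbook shows no unexpected failures, then switch `state` to `enabled`. Devices that are not Entra joined or registered cannot satisfy token protection, so they surface as failures in report-only rather than silently losing mail access.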
Examples
- Adversary-in-the-middle stealing session tokens
- Malware extracting tokens from browser storage
- Token replay from compromised device
Related TrueConfig Controls
These controls help implement and verify protections against token theft in your Microsoft 365 environment.