100%
MFA bypass rate when session token is successfully stolen: the token already contains the MFA proof
< 5 min
Median time between credential harvest and token replay in automated AiTM attacks
78%
Of BEC attacks in 2025 involved session token theft rather than password compromise (Microsoft)
3
Log table types in Entra ID that must be queried together for full token theft visibility

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Session token hijacking is the primary reason MFA-protected accounts are still getting compromised at scale in 2026. The attack does not break MFA. It waits until MFA is complete, steals the token that proves authentication succeeded, and replays that token from the attacker's device.

The token is the proof of authentication. Steal the proof, and you do not need to repeat the authentication. Detecting this requires looking at sign-in behavior after the token is issued: not at the authentication event itself.

How the Attack Works

The most common token theft vector is adversary-in-the-middle (AiTM) phishing. The attacker stands up a reverse proxy (Evilginx, Modlishka, or custom tooling) that sits between the victim and the real Microsoft login page. The victim enters their credentials and completes MFA on the proxy, the proxy forwards everything to Microsoft, Microsoft issues a session cookie, and the proxy captures that cookie before delivering the page to the victim.

The attacker now has a valid session token issued to the victim's identity, with MFA already satisfied. They can import that cookie into a browser and access Outlook, SharePoint, Teams, and any other service the victim is authorized for: without knowing the password or having the victim's phone.

A second, less common path is malware-based cookie theft. Infostealers like RedLine, Raccoon, and Lumma Stealer harvest browser cookie stores and transmit them to the attacker. The attacker sorts through harvested cookies for Entra ID tokens and replays any that are still valid.

In both cases, the initial Entra ID authentication event looks clean: correct credentials, MFA passed, successful sign-in from what appears to be the user's location (the proxy forwards from a server near the victim). Detection requires looking at what happens with the session after that point.

What to Look For in Entra ID Logs

Microsoft Entra ID sign-in activity appears across three log tables in Microsoft Sentinel:

  • SignInLogs: interactive sign-ins (user enters credentials in a browser)
  • AADNonInteractiveUserSignInLogs: non-interactive sign-ins (app using a refresh token, background token refreshes)
  • AADServicePrincipalSignInLogs: service principal authentication

Token replay attacks appear almost entirely in AADNonInteractiveUserSignInLogs. The initial theft occurs during an interactive session; subsequent access using the stolen token appears as non-interactive sign-ins from the attacker's infrastructure.

Key anomaly patterns:

Impossible travel: The interactive session originates from the user's expected location. Non-interactive sessions using the same refresh token appear within minutes from a geographically distant IP address. A token physically cannot be used from New York and London within 8 minutes unless it was stolen.

ASN mismatch on refresh token: The interactive sign-in originates from the user's ISP (Comcast, Verizon, corporate IP block). The subsequent non-interactive sessions using the same refresh token originate from a hosting provider or VPN ASN (DigitalOcean, Vultr, Mullvad, NordVPN). Legitimate users do not refresh their Outlook token from a cloud hosting provider.

Unfamiliar device in non-interactive log: The deviceDetail.deviceId is empty or null in non-interactive sessions, while the original interactive session shows a managed, Intune-registered device. Legitimate refresh token use from a managed device carries the device ID forward.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Three KQL Queries for Microsoft Sentinel

These queries run against Entra ID log tables in Microsoft Sentinel. Replace the time window and thresholds as needed for your environment.

Query 1: Impossible travel on refresh token sessions

let timeWindow = 1h;
let maxDistanceKm = 500;
let interactiveSessions = SignInLogs
    | where TimeGenerated > ago(timeWindow)
    | where ResultType == 0
    | project UserId, UserPrincipalName, IPAddress, Location, TimeGenerated
    | summarize InteractiveIP = any(IPAddress), InteractiveTime = min(TimeGenerated) by UserId, UserPrincipalName;
AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(timeWindow)
    | where ResultType == 0
    | project UserId, UserPrincipalName, IPAddress, TimeGenerated
    | join kind=inner interactiveSessions on UserId
    | where IPAddress != InteractiveIP
    | extend TimeDiffMin = datetime_diff('minute', TimeGenerated, InteractiveTime)
    | where TimeDiffMin < 60
    | project UserPrincipalName, InteractiveIP, NonInteractiveIP = IPAddress, TimeDiffMin

Query 2: Hosting provider ASN on non-interactive sessions for known corporate users

let corporateASNs = dynamic(["AS7922", "AS701", "AS20057"]); // Replace with your ISP ASNs
let hostingASNKeywords = dynamic(["DIGITALOCEAN", "VULTR", "AMAZON", "LINODE", "OVH", "MULLVAD", "NORDVPN"]);
AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == 0
    | where isnotempty(IPAddress)
    | extend ASNInfo = tostring(parse_json(tostring(DeviceDetail)).operatingSystem)
    | where NetworkLocationDetails has_any(hostingASNKeywords)
    | project UserPrincipalName, IPAddress, NetworkLocationDetails, AppDisplayName, TimeGenerated

Query 3: Non-interactive sign-in with no registered device where user normally uses managed device

let managedUsers = SignInLogs
    | where TimeGenerated > ago(7d)
    | where ResultType == 0
    | where isnotempty(DeviceDetail)
    | where DeviceDetail has "deviceId"
    | summarize by UserPrincipalName;
AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == 0
    | where UserPrincipalName in (managedUsers)
    | where isempty(DeviceDetail) or DeviceDetail == "{}"
    | project UserPrincipalName, IPAddress, AppDisplayName, TimeGenerated

Five-Step Triage Flow When an Alert Fires

When any of the above queries produce results, follow this triage sequence:

Step 1: Confirm the anomaly is not travel or VPN use. Contact the user. Ask whether they traveled in the past 24 hours or connected through a personal VPN. Document the response. If yes, mark benign and tune the exclusion. If no, treat as compromised.

Step 2: Revoke all active refresh tokens. In the Entra ID admin portal: Users → select user → Revoke sessions. In PowerShell: Revoke-MgUserSignInSession -UserId <UPN>. This invalidates all existing refresh tokens within 1 hour, forcing reauthentication from all devices.

Step 3: Disable sign-in. Block the user account while investigation proceeds: Users → select user → Block sign-in. This stops further access while you assess the scope.

Step 4: Review non-interactive log for the past 72 hours. Pull all non-interactive sign-in events for the affected user and identify which applications the attacker accessed. Common targets: Exchange Online (email access and rule creation), SharePoint (document exfiltration), Teams (communication interception).

Step 5: Check for attacker persistence mechanisms. Look for new OAuth app consent grants, new Outlook inbox rules, new forwarding rules, and new registered devices in the account. These are how attackers maintain access after token revocation.

The bottom line

Session token hijacking is the current leading MFA bypass technique because it does not attack the authentication step at all. The detection window is the post-authentication behavior: where is the refresh token being used, from what network, on what device? The three KQL queries above cover the highest-signal anomalies. Run them as scheduled analytics rules in Sentinel with a 1-hour window and alert on any result. When an alert fires, the five-step triage determines within 20 minutes whether you have a true positive and contains the breach before the attacker establishes persistence.

Frequently asked questions

How does session token hijacking bypass MFA?

Session token hijacking steals the authentication cookie issued after MFA succeeds. The stolen token already contains proof that MFA was completed, so replaying it on a different device bypasses the MFA challenge entirely. The attacker never needs the user's password or second factor.

How do I detect token theft in Microsoft Entra ID?

Query AADNonInteractiveUserSignInLogs in Microsoft Sentinel for three patterns: impossible travel (same refresh token used from two geographically distant IPs within minutes), hosting provider ASN in non-interactive sessions for users who normally sign in from corporate or residential IPs, and missing device ID in non-interactive sessions for users who always authenticate from managed devices.

What should I do first if I suspect a session token is stolen?

Immediately revoke all refresh tokens using Revoke-MgUserSignInSession in PowerShell or the Entra ID admin portal, then disable the user's sign-in. This invalidates the stolen token within one hour and prevents further access while you investigate.

What is the difference between session token hijacking and credential theft?

Credential theft captures a user's username and password: the attacker then authenticates normally, triggering MFA if enforced. Session token hijacking captures an already-authenticated session token (a refresh token or access token) from memory, a browser, or a network intercept: the attacker presents the token directly to the identity provider, bypassing the authentication step including MFA entirely. This is why token hijacking is a critical MFA bypass technique and why Conditional Access policies must evaluate token binding, device compliance, and continuous access evaluation, not just initial authentication.

Which threat actors use session token hijacking?

Token theft is a core technique for financially motivated groups targeting cloud environments. Scattered Spider (UNC3944) extensively uses browser session cookie theft via infostealer malware and adversary-in-the-middle phishing toolkits like Evilginx2 and Modlishka. APT29 (Cozy Bear) has used token theft against M365 and Azure environments in multiple campaigns. The common delivery mechanism is infostealer malware (Raccoon Stealer, RedLine, Vidar) that extracts session tokens from browser profile directories and uploads them to C2 infrastructure.

How do I use Continuous Access Evaluation (CAE) to reduce token theft risk?

Continuous Access Evaluation (CAE) in Entra ID shortens the lifetime of access tokens and pushes near-real-time policy enforcement to capable applications. When a user's account is disabled or a sign-in session is revoked, CAE-capable applications enforce the change within minutes rather than waiting for the token to expire (typically 60-90 minutes). Enable CAE under Entra ID Conditional Access settings. Applications must support CAE to benefit: Microsoft 365 apps (Exchange, Teams, SharePoint) support it natively. Third-party apps require CAE claim challenges support in their authentication library.

Sources & references

  1. Microsoft: Detecting and Mitigating AiTM Phishing Attacks
  2. CISA: Scattered Spider Advisory AA23-320A
  3. Microsoft Entra ID Sign-in Log Schema

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.