A guide to understand and prevent a common cyber-attack technique.

What are session tokens and how are they used?
Session tokens are pieces of data that are generated when a user logs in to a website or an online service. They are used to identify the user and maintain their session across different pages or requests. Session tokens are usually stored in cookies, local storage, or hidden fields in the web browser.
Session tokens are meant to be secure and unique, but they can be compromised by hackers in various ways. One of the most common methods is session token hijacking, also known as session hijacking or cookie hijacking. This is when a hacker obtains a valid session token from a victim and uses it to impersonate them on the website or service. This way, the hacker can access the victim’s account, data, and privileges without needing their username or password.
Let’s just clarify this. With a “valid session token” copied from a user’s computer, a bad actor can paste it into their own browser and will be logged in without needing the user’s USERNAME, PASSWORD or MFA CODE. Yes, that is correct: it bypasses the password AND MFA. This is key because, whilst MFA is touted as the way to fully secure your account, this hacking method bypasses MFA.
How can a hacker hijack a session token from a Microsoft account?
There are several techniques that a hacker can use to hijack a session token from a Microsoft account, such as:
- Sniffing: This is when a hacker intercepts the network traffic between the victim and the website or service and captures the session token from the cookies or headers. This can be done on unsecured or public Wi-Fi networks, or by using malware or spyware on the victim’s device.
- Cross-site scripting (XSS): This is when a hacker injects malicious code into a web page that the victim visits and executes it on their browser. The code can then steal the session token from the cookies or local storage and send it to the hacker’s server.
- Cross-site request forgery (CSRF): This is when a hacker tricks the victim into clicking on a link or a button that sends a request to the website or service with the victim’s session token. The request can then perform an unwanted action on the victim’s account, such as changing their password, deleting their data, or transferring their funds.
- Phishing: This is when a hacker impersonates a legitimate website or service and lures the victim into entering their credentials or clicking on a malicious link. The hacker can then capture the session token from the login response or redirect the victim to the real website or service with the hacker’s session token.
What settings in Microsoft admin center can prevent session token hijacking?
Microsoft admin center is a web-based portal that allows administrators to manage various aspects of their Microsoft 365 or Azure services, such as users, groups, devices, security, and compliance. Microsoft admin center also provides several settings and features that can help prevent session token hijacking, such as:
- Conditional access: This is a security feature that allows administrators to define and enforce policies that control who, where, when, and how users can access the services. Policies can restrict access based on factors such as device, location, network, app, or risk level, so a session token presented from a different device, location, network, or app than the legitimate user’s can be blocked rather than accepted.
- Phish-resistant MFA: Phishing-resistant MFA is designed to prevent phishing attacks by using more secure authentication methods that are harder to intercept or replicate. We recently created an article on phish-resistant MFA here: Phishing-Resistant MFA: The New Cybersecurity Standard – Fuse Technology.
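The "different device or location" condition described above, shown as an added example that is not code from this article or from Microsoft: a small server-side session store that records the device and country a token was issued to and refuses later use of that token from a different context. Token values, device ids and countries are constructed sample data, and the country is assumed to come from a GeoIP lookup on the client IP.

```python
# Added example: bind a session token to its issuing context and flag replay
# from elsewhere. All tokens, device ids and countries are constructed samples.
from dataclasses import dataclass

@dataclass
class SessionContext:
    user: str
    device_id: str   # identifier the client sends with every request
    country: str     # assumed to be derived from the client IP via GeoIP

class SessionStore:
    def __init__(self):
        self._sessions = {}

    def issue(self, token, user, device_id, country):
        # Record the login context so every later use can be compared to it.
        self._sessions[token] = SessionContext(user, device_id, country)

    def validate(self, token, device_id, country):
        # Returns (allowed, reason); a mismatch means the token is being
        # presented from somewhere other than where it was issued.
        ctx = self._sessions.get(token)
        if ctx is None:
            return False, "unknown token"
        if ctx.device_id != device_id:
            return False, f"device mismatch for {ctx.user}"
        if ctx.country != country:
            return False, f"country mismatch for {ctx.user}"
        return True, "ok"

# Constructed request log as the server would see it: (token, device, country).
SAMPLE_REQUESTS = [
    ("tok-a1b2", "laptop-01", "AU"),   # legitimate user, same device
    ("tok-a1b2", "desktop-99", "RU"),  # same token presented from elsewhere
    ("tok-zzzz", "laptop-01", "AU"),   # token this server never issued
]

def audit(store, requests):
    # Run each request through validation and collect the denials as alerts.
    alerts = []
    for token, device_id, country in requests:
        allowed, reason = store.validate(token, device_id, country)
        if not allowed:
            alerts.append(f"{token}: {reason}")
    return alerts

if __name__ == "__main__":
    store = SessionStore()
    store.issue("tok-a1b2", "alice", "laptop-01", "AU")
    for line in audit(store, SAMPLE_REQUESTS):
        print(line)
```

The second sample request is the hijack case: the token itself is valid, so only the mismatch between where it was issued and where it is used reveals the problem.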
Conclusion
Session token hijacking is a common and dangerous cyber-attack technique that can compromise a user’s Microsoft account and data. To protect against this threat, administrators and users should enable and use the security settings and features available in Microsoft admin center. These settings and features can help prevent hackers from obtaining, using, or abusing the session token, and enhance the overall security and privacy of the Microsoft services.
Conditional Access Policies are not enabled by default in Microsoft Security Admin and require highly technical resources to implement. To ensure your Australian-based business is secure and not at risk of token hijacking, contact Phil Aldridge at Fuse Technology so we can help you find out how secure you are and let you know how to fill any security holes we find.
We can help you keep your organisation safe

Phil Aldridge is a Director at Fuse Technology. He heads up the sales and client engagement functions for clients in Western Australia. Phil has a wealth of experience gathered over decades of dedicated work in the IT industry in the APAC region.