Token theft protection with Microsoft Entra, Intune, Defender XDR & Windows

Mechanics Team
8 min read · Oct 8, 2024


Prevent attackers from stealing your identity and data by protecting your tokens. In single sign-on systems like SAML and OAuth, tokens are how services know who you are and what you are allowed to do. When you sign in to your machine with your Microsoft Entra ID account, you get a session token that lets you access your email, Teams, and other apps without re-authenticating; anyone who copies that token gets the same access until it expires or is revoked. Check out new capabilities like Credential Guard in Windows enforced by device policies in Intune, Token Protection enforcement in Microsoft Entra, and token theft detections in Microsoft Sentinel and Defender XDR.

Alex Weinert, from the Microsoft Entra team, explains what tokens are and how token theft works. Then Jeremy Chapman, Director of Microsoft 365, shows how to defend yourself from these attacks.

Defend against token theft attacks.

Take a look at Credential Guard in Windows enforced by policies in Intune, Token Protection in Microsoft Entra, and token theft detections in Microsoft Sentinel and Defender XDR.

Prevent token replay attacks with token protection.

With token protection, tokens are bound to the device they were issued to, so even if malware copies your session token, an attacker can't replay it from another device to reach your cloud storage or confidential documents.

Defend against token theft with a multi-layered approach.

Require managed, compliant devices with Local Security Authority (LSA) protection and Credential Guard enabled, enforced through Windows device policies in Intune and a device-compliance check in Conditional Access.
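As an added example (not code from the Mechanics post or from Microsoft), here is a PowerShell check you can run on a Windows endpoint to confirm that LSA protection and Credential Guard are really in effect, not merely configured. It reads the documented RunAsPPL registry value, looks for the Wininit startup event that proves lsass launched as a protected process on this boot, and queries the Win32_DeviceGuard CIM class for the running security services. The function name Get-TokenTheftDefenseStatus is my own; run it in an elevated session.

```powershell
# Added example (not from the Mechanics post): verify on a Windows endpoint that
# LSA protection and Credential Guard are actually in effect before trusting a
# compliance claim. Run in an elevated PowerShell session.
function Get-TokenTheftDefenseStatus {
    [CmdletBinding()]
    param()

    # LSA protection: RunAsPPL = 1 (enabled, UEFI-locked) or 2 (enabled, not locked).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsaConfigured = [bool]($lsa.PSObject.Properties['RunAsPPL'] -and ($lsa.RunAsPPL -in 1, 2))

    # Wininit event 12 in the System log records that lsass started as a protected
    # process; restrict to the current boot so a stale event does not count.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $lsaRunning = [bool](Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Wininit'
            Id           = 12
            StartTime    = $lastBoot
        } -MaxEvents 1 -ErrorAction SilentlyContinue)

    # Credential Guard: Win32_DeviceGuard lists service 1 (Credential Guard) in the
    # configured and running arrays; VirtualizationBasedSecurityStatus 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $cgConfigured = $dg.SecurityServicesConfigured -contains 1
    $cgRunning    = $dg.SecurityServicesRunning    -contains 1

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        LsaProtectionConfigured   = $lsaConfigured
        LsaProtectionRunning      = $lsaRunning
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        # Both runtime signals, not just the configured flags, must be true.
        Protected                 = ($lsaRunning -and $cgRunning)
    }
}

$status = Get-TokenTheftDefenseStatus
$status | Format-List
# A non-zero exit code lets a remediation or custom compliance script act on the result.
if (-not $status.Protected) { exit 1 }
```

The distinction between "configured" and "running" matters: a policy can set RunAsPPL or the Credential Guard flag on a machine whose hardware or boot configuration cannot honour it, and only the runtime signals tell you that tokens and credentials are actually shielded from a process running in the user's context.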

QUICK LINKS:

00:00 — Token theft attacks
01:39 — Token basics
02:59 — Token theft demo
03:41 — How to use token protection
05:22 — Additional Token theft defenses
06:25 — How to detect and shut down attacks
08:01 — Wrap up

Link References

Get started at https://aka.ms/TokenTheftDefense

Unfamiliar with Microsoft Mechanics?

Microsoft Mechanics is Microsoft's official video series for IT, where you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.

Video Transcript:

-If you want to prevent attackers from stealing your identity and data, you need to protect your tokens. In single sign-on systems like SAML and OAuth, tokens are how services know who you are and what you can do. When you sign into your machine with your Entra ID account, you are getting a session token you can use to access things like your email, Teams, and other apps.

-You can think of these tokens like a park pass that you get at a box office that lets you go to a theme park and ride all the rides. Whoever has that pass gets to use it, which means that if someone steals it from you after you get it, they have the same access as you. Conceptually, this idea of waiting for a good user to get a pass and then stealing it to get access is what we call identity token theft.

-The vast majority of attacks are still credential attacks, mostly targeting passwords, so multi-factor authentication, preferably with passkeys, remains absolutely essential. But as more people use MFA, attackers are increasingly turning to credential bypass attacks, like token theft. To put it into perspective, we detected 147,000 token theft attacks in the last year, which is a 111% increase compared to the previous year, and we expect this growth to continue.

-So today, I’m going to explain tokens a little more and how token theft works, and then most importantly, I’ll show you how Microsoft can help you defend yourself from these attacks. We’ll show you new capabilities like Credential Guard in Windows enforced by device policies in Intune, token protection enforcement in Microsoft Entra, and token theft detections in Microsoft Sentinel and Defender XDR.

-Now, as we work together to move from vulnerable passwords to stronger phishing-resistant multi-factor auth like passkeys, attackers are increasingly having to wait until the good user gets the token and then steal it from their device to get their data. When you sign into a site or service using your security credentials, including multi-factor authentication, an identity provider issues you tokens.

-These tokens describe who you are and what you can do, and you present them to access applications and services. Tokens are what your signed-in browser, apps, or mobile device management service stores in the background so that you don’t have to reenter your credentials every time you go to a resource.

-But if an attacker accesses these tokens and makes a copy, they can get to your resources in the same way without needing your username, password, or a successful MFA challenge. Back to the theme park analogy: if names or photos are not printed on your pass and it is stolen, someone can easily use the pass, enter the park, and enjoy the rides that you paid for. Similarly, unless you tie the tokens to your device, your tokens can be stolen and replayed by attackers who can access your resources for as long as the tokens are valid.

-And that amusement park wall? That’s like your company’s security perimeter, and those rides, they’re your data. So, let’s make this real with an example that we’re seeing a lot lately. First, a user signs into a service like a cloud storage account using multifactor auth, and they get issued a session token.

-They click on a malicious link, which installs malware under that user’s context, which in turn copies the session token and then sends it to the attacker. Now, with the token, the attacker uses it to access their cloud storage and download confidential documents or whatever they want.

-That’s just one approach, and there are other methods of token theft, like copying tokens from network proxies or routers or extracting them from server logs, so we need token protection options to prevent these types of attacks. The first thing we want to do, analogously, is to bind the park pass to the purchaser by printing their photo and name on the pass. For that, we’ll use token protection, sometimes referred to as token binding, currently in preview, which is a key part of Microsoft Entra’s effort to reduce token theft attacks.

-This is a new method that requires apps and services to be enlightened in order for the token to be bound to your device, and currently works with Microsoft Intune enrollment, Outlook, SharePoint, and Microsoft Teams. It ensures that tokens only work on the specific device the token was issued to and not any other device. And now you can create policies to require users to only use apps that support token protection.

-Let me show you how. Using Conditional Access policies, you can require bound tokens for accessing resources. I’m going to click into this policy to show you how it was set up. In the policy itself, first, under Target Resources, you’ll see that I have Office 365 Exchange and SharePoint Online selected.

-Next, under Conditions, in Device Platforms, we’ve configured Windows as the platform. Token protection is available for Windows clients today, and we’ll extend it to macOS, iOS, Android, and other clients over the next year. In Client Apps, you’ll also configure it, this time to use mobile apps and desktop clients, and in Access Controls, under Session, you’ll choose Require Token Protection for Sign-in Sessions. This session control ties tokens to the device that they were issued to.

-Then once you enable and create the policy, it ensures that session tokens are bound to the device to prevent attackers from using stolen tokens from devices that the tokens were not explicitly issued to. Token protection is currently the strongest defense against token theft, but it is not supported by all applications or platforms, so we offer other countermeasures that you can use to reduce the risk and impact of token theft attacks using a defense-in-depth approach.

-First, you can reduce the risk of successful token theft by requiring managed and compliant devices. This means for Windows, ensuring Local Security Authority Protection is enabled to prevent untrusted processes from accessing tokens and requiring Credential Guard to protect tokens for on-premises and hybrid joined devices. These are default settings in new Windows 11 devices with its higher security baseline.

-You can enforce this using Windows policies, like I’m showing here in Microsoft Intune for Windows 10 and later. And using a device compliance check in Conditional Access, you can also ensure that these settings are in place prior to granting access to resources for the requesting device. Taken together, these rules reduce the likelihood that a token can be stolen from a device at all. That said, attackers are clever and not every endpoint can support these methods, so as part of defense-in-depth, let’s look at how we can detect and shut down these attacks as they happen.

-First, Microsoft Entra ID has detections for token theft built in and will evaluate user and sign-in risk automatically when token theft is suspected. So, configuring risk-based access policies allows you to block or revoke tokens when token theft is suspected.

-While traditional token evaluation happens at refresh, continuous access evaluation, which is automatically enabled whenever the applications support it, allows Microsoft Entra ID to take immediate action and re-authenticate in real time. Additionally, if I move over into the session controls for this policy, there are options to strictly enforce location policies so that the token can only be used from the subnet to which the token was issued.

-And using Microsoft Entra Internet Access, you can enforce a compliant network check using Conditional Access policies. With these controls configured, the policies will block any access attempt unless the user is connecting from a Microsoft Entra Internet Access-enabled device and network specific to your tenant. It prevents an attacker from using a token outside of your Microsoft Entra Internet Access environment.

-Finally, stay on top of potential token theft-based incidents so that you can quickly detect and contain them with Microsoft Entra ID Protection, which is fully integrated with Microsoft Defender, and you can easily connect Microsoft Entra ID signals to Microsoft Sentinel or to your preferred SIEM.

-Token theft is an increasingly serious threat to your identity and data security, and Microsoft Entra, along with Windows, Microsoft Intune, and Microsoft Defender XDR, can help you protect your tokens to stop replay attacks.

-To learn more and to get started, check out aka.ms/TokenTheftDefense and keep watching Microsoft Mechanics for more updates, subscribe if you haven’t yet, and thanks so much for watching.
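As an added example that is not part of the post, here is the Conditional Access policy walked through in the transcript (Office 365 Exchange Online and SharePoint Online as target resources, Windows as the device platform, mobile apps and desktop clients, and the Require Token Protection for Sign-in Sessions session control) expressed as a Microsoft Graph request from PowerShell. It assumes the Microsoft.Graph PowerShell SDK is installed, the signed-in admin holds Policy.ReadWrite.ConditionalAccess, and that you replace the placeholder break-glass group ID; the display name is mine, and secureSignInSession is Graph's name for the token protection session control.

```powershell
# Added example (not from the Mechanics post): create the token protection
# Conditional Access policy from the transcript with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph SDK installed, admin consented to
# Policy.ReadWrite.ConditionalAccess, $BreakGlassGroupId replaced with the object
# ID of your emergency-access group (the value below is a placeholder).
#Requires -Modules Microsoft.Graph.Authentication
param(
    [string]$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'  # placeholder, replace
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# Well-known first-party app IDs behind "Office 365 Exchange Online" and
# "Office 365 SharePoint Online" in the Target Resources picker.
$ExchangeOnline   = '00000002-0000-0ff1-ce00-000000000000'
$SharePointOnline = '00000003-0000-0ff1-ce00-000000000000'

$policy = @{
    displayName = 'Require token protection - Exchange and SharePoint on Windows'
    # Start in report-only: once enforced, clients that cannot present a bound
    # token are denied, so review the sign-in log results before enabling.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($BreakGlassGroupId)   # never lock out emergency accounts
        }
        applications = @{
            includeApplications = @($ExchangeOnline, $SharePointOnline)
        }
        # Token protection is evaluated for Windows mobile/desktop clients only today.
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    sessionControls = @{
        # Graph representation of "Require token protection for sign-in sessions".
        secureSignInSession = @{ isEnabled = $true }
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Read the policy back and confirm the session control landed as intended.
$readBack = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($created.id)"

[pscustomobject]@{
    Id              = $readBack.id
    State           = $readBack.state
    Platforms       = ($readBack.conditions.platforms.includePlatforms -join ',')
    ClientAppTypes  = ($readBack.conditions.clientAppTypes -join ',')
    TokenProtection = $readBack.sessionControls.secureSignInSession.isEnabled
} | Format-List
```

Leave the policy in report-only until the sign-in logs show no unexpected failures from clients that are not yet enlightened for token protection, then PATCH the same policy with state set to enabled. Keeping the emergency-access group excluded is what lets you recover if an enforcement mistake blocks the admins who would otherwise fix it.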
