Microsoft has published a very good summary about #AzureAD security trends in 2023 which considered post-authentication attacks, such as #TokenTheft: https://microsoft.com/en-us/security/blog/2023/01/26/2023-identity-security-trends-and-solutions-from-microsoft/
If you are interested in learning more about Token replay attacks, check the following blogs:
Token tactics: How to prevent, detect, and respond to cloud token theft by Microsoft DART team: https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/
This article describes Adversary-in-the-middle (AitM) phishing/Pass-the-cookie attack scenarios and recommendations.
Abuse and replay of Azure AD refresh token from Microsoft Edge in macOS Keychain:
https://www.cloud-architekt.net/abuse-and-replay-azuread-token-macos/
I wrote this blog post about token replay on #macOS devices last year. It covers an attack scenario to exfiltrate tokens from Keychain, which is used to store cached Azure AD tokens for "logged in" Edge profiles on macOS devices.
Azure AD Attack & Defense: Replay of Primary Refresh (PRT) and other issued tokens from an Azure AD joined device:
https://github.com/Cloud-Architekt/AzureAD-Attack-Defense/blob/main/ReplayOfPrimaryRefreshToken.md
A comprehensive overview of attack and defense scenarios for the primary refresh token (PRT) & other tokens on Windows has been published by Sami Lamppu and me. The article includes many references and links to other community resources around this topic.
"Threat actors are stealing #authentication tokens already verified by multifactor authentication (MFA) to breach organizations' systems"
Seems to be a pretty nasty attack as organizations haven't considered #tokentheft as part of their #incident response plan....
#authentication #tokentheft #INCIDENT #cybersecurity #cyberattack #mfa #microsoft
For a few months now I have been giving a lecture on InfoStealers in which I try to explain, without technical depth, how the market for "logs" works. It is about the intertwining of our private and professional lives.
Anyway.
Microsoft published an article on the subject fairly recently that covers this topic, but from a technical perspective. Good article.
#microsoft #tokentheft #infostealer