Token Theft Part 2 - Defensive
Defenders should focus on users who trigger multiple alerts in rapid succession, for example a risky sign-in followed closely by indicators of persistence techniques, such as mailbox rule creation.
Two detection sources that are very helpful for detecting and alerting on token theft attacks are, for example, Azure Active Directory Identity Protection and Microsoft Defender for Cloud Apps.
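The correlation described above, as an added example that is not part of the original page: it groups alerts by user and flags a risky sign-in that is followed within a time window by mailbox rule creation. The alert records, field names, alert kinds and the 30-minute window are assumptions constructed for illustration; alerts exported from real detection sources would first need to be normalized into this shape.

```python
from datetime import datetime, timedelta

# Constructed sample alerts. The field names and "kind" values are assumptions
# made for this example, not the schema of any product.
SAMPLE_ALERTS = [
    {"time": "2024-03-01T09:00:00", "user": "alice@example.com", "kind": "risky_sign_in"},
    {"time": "2024-03-01T09:07:00", "user": "alice@example.com", "kind": "mailbox_rule_created"},
    {"time": "2024-03-01T10:00:00", "user": "bob@example.com", "kind": "risky_sign_in"},
    {"time": "2024-03-02T15:00:00", "user": "bob@example.com", "kind": "mailbox_rule_created"},
    # Rule created BEFORE the risky sign-in: wrong order, must not match.
    {"time": "2024-03-01T11:00:00", "user": "carol@example.com", "kind": "mailbox_rule_created"},
    {"time": "2024-03-01T11:05:00", "user": "carol@example.com", "kind": "risky_sign_in"},
]

# Alert kinds treated as persistence indicators (assumed label).
PERSISTENCE_KINDS = {"mailbox_rule_created"}


def correlate(alerts, window=timedelta(minutes=30)):
    """Return one finding per user whose risky sign-in is followed, within
    `window`, by a persistence indicator. Closest pairs are listed first."""
    by_user = {}
    for alert in alerts:
        ts = datetime.fromisoformat(alert["time"])
        by_user.setdefault(alert["user"], []).append((ts, alert["kind"]))

    findings = []
    for user, events in by_user.items():
        events.sort()  # chronological order per user
        last_risky = None
        for ts, kind in events:
            if kind == "risky_sign_in":
                last_risky = ts
            elif kind in PERSISTENCE_KINDS and last_risky is not None:
                gap = ts - last_risky
                if gap <= window:
                    findings.append({"user": user, "sign_in": last_risky,
                                     "followed_by": kind,
                                     "gap_minutes": gap.total_seconds() / 60})
                    break  # one finding per user is enough to prioritize
    return sorted(findings, key=lambda f: f["gap_minutes"])


if __name__ == "__main__":
    for finding in correlate(SAMPLE_ALERTS):
        print(finding)
```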