Introduction:
In this second part of the “Token Theft” series, we cover the blue team side: how to detect, defend against and respond to these attacks.
By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the MFA check and is granted access to organizational resources accordingly.
Detection:
At the simplest level, when a token is replayed, the threat actor's subsequent sign-in often triggers anomalous sign-in and impossible travel alerts.
Note that a single alert is rarely a clear indication of a true positive. A successful token theft attack leads to multiple further alerts, because the attacker will try to establish persistence and hide the malicious activity. Token theft usually leads to access to the victim's Microsoft Exchange mailbox and escalates into a Business Email Compromise (BEC) campaign.
This is why defenders should focus on users who trigger multiple alerts in quick succession, for example a risky sign-in followed closely by indicators of persistence such as mailbox rule creation.
Two detection sources are particularly helpful for detecting and alerting on token theft attacks:
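The correlation described above, as an added PowerShell example that is not code from the original post: risky sign-ins and inbox rule creations are constructed sample data, and the function name Find-RiskySignInWithPersistence is ours.

```powershell
# Added example (not code from the original post). Correlates risky sign-ins with
# inbox rule creations by the same user inside a short window. Both event sets are
# constructed sample data; in practice they would come from Identity Protection
# risk detections and the unified audit log (New-InboxRule / Set-InboxRule operations).
$RiskySignIns = @(
    [pscustomobject]@{ User = 'alice@contoso.example'; Time = [datetime]'2023-05-01T08:02:00Z'; Detection = 'anomalousToken' }
    [pscustomobject]@{ User = 'bob@contoso.example';   Time = [datetime]'2023-05-01T09:10:00Z'; Detection = 'unfamiliarFeatures' }
)
$InboxRuleEvents = @(
    # alice: rule created 18 minutes after the risky sign-in, moving invoices out of sight
    [pscustomobject]@{ User = 'alice@contoso.example'; Time = [datetime]'2023-05-01T08:20:00Z'; Operation = 'New-InboxRule'; RuleName = 'Invoices to Archive' }
    # bob: rule created the next day, outside the window, so not flagged
    [pscustomobject]@{ User = 'bob@contoso.example';   Time = [datetime]'2023-05-02T14:00:00Z'; Operation = 'New-InboxRule'; RuleName = 'Newsletters' }
)

function Find-RiskySignInWithPersistence {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [Parameter(Mandatory)] [object[]] $RuleEvents,
        [int] $WindowMinutes = 60     # how soon after the sign-in the rule must appear
    )
    foreach ($s in $SignIns) {
        # Rule events by the same user, at or after the risky sign-in, inside the window
        $followUps = $RuleEvents | Where-Object {
            $_.User -eq $s.User -and
            $_.Time -ge $s.Time -and
            $_.Time -le $s.Time.AddMinutes($WindowMinutes)
        }
        foreach ($f in $followUps) {
            [pscustomobject]@{
                User           = $s.User
                RiskDetection  = $s.Detection
                RiskySignIn    = $s.Time
                RuleCreated    = $f.Time
                RuleName       = $f.RuleName
                MinutesBetween = [int]($f.Time - $s.Time).TotalMinutes
            }
        }
    }
}

# Only alice is returned: a risky sign-in followed 18 minutes later by a new inbox rule.
Find-RiskySignInWithPersistence -SignIns $RiskySignIns -RuleEvents $InboxRuleEvents |
    Format-Table -AutoSize
```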
- Azure Active Directory Identity Protection
- Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps detects token theft through the following alerts:
- Suspicious inbox manipulation rule.
The attackers create an inbox rule to hide their malicious activities.
- Impossible travel activity.
The attackers use multiple proxies or virtual private networks (VPNs) in various countries or regions. Sometimes their activity coincides with the legitimate user's own sign-in, which raises impossible travel alerts.
- Activity from infrequent country.
Because the attackers use multiple proxies or VPNs, the egress IP addresses of those VPN and proxy servers are uncommon for the user, which raises this alert.
Azure AD Identity Protection detects and remediates suspicious sign-in attempts and raises the following alerts:
- Anomalous Token.
This alert is triggered by a token's unusual characteristics, such as its lifetime or a token replayed from an unfamiliar location.
- Unfamiliar sign-in properties.
The attackers use multiple proxies or VPNs originating from countries or regions unfamiliar to the target user.
- Unfamiliar sign-in properties for session cookies.
This alert flags anomalies in the token claims, token age, and other authentication attributes.
- Anonymous IP address.
This alert flags sign-in attempts from anonymous IP addresses (for example, Tor browser or anonymous VPN).
Defense:
Organizations can take a significant step toward reducing the risk of token theft by ensuring that they have full visibility of where and how their users are authenticating.
To access critical applications like Exchange Online or SharePoint, the device used should be known and managed by the organization. Compliance tools like Intune, combined with device-based conditional access policies, help keep devices up to date with patches, antivirus definitions and EDR solutions.
For devices that remain unmanaged, session conditional access policies and other compensating controls that reduce the impact of token theft should be considered:
- Reducing the lifetime of the session increases the number of times a user is forced to re-authenticate but minimizes the length of time the session token is viable.
- Reducing the viable time of a token forces threat actors to increase the frequency of token theft attempts, which in turn provides defenders with additional chances at detection.
For highly privileged users, implementing phishing-resistant MFA solutions such as FIDO2 security keys, Windows Hello for Business or certificate-based authentication should be a priority.
Also, combining MFA with the following measures gives the blue team a strong defensive base:
- Enable conditional access policies.
Conditional access policies are evaluated and enforced every time an attacker attempts to use a stolen session cookie. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as requiring compliant devices or trusted IP addresses.
- Invest in advanced anti-phishing solutions.
These solutions monitor and scan incoming emails and visited websites, protecting users from the initial access attempt.
- Continuously monitor for suspicious or anomalous activities:
Check sign-in attempts with suspicious characteristics (for example, location, ISP, user agent, use of anonymizer services).
Check unusual mailbox activities, such as the creation of inbox rules with suspicious purposes or an unusual volume of mail item access events from untrusted IP addresses or devices.
Response:
If a stolen token is confirmed as a true positive, the associated user should be treated as compromised and defenders should follow set steps to reduce the impact. Azure AD provides the capability to revoke a refresh token. Once a refresh token is revoked it is no longer valid, and when the associated access token expires the user is prompted to re-authenticate.
It is important to note that resetting the user's password alone is not enough; administrators should also revoke all associated refresh tokens via the Azure AD portal, Azure AD PowerShell or Microsoft Graph.
Also, refresh token revocation does not take effect instantly and does not immediately invalidate the access token, which can remain valid for up to an hour. This gives the threat actor access until the access token expires.
Azure AD now supports Continuous Access Evaluation (CAE) for Exchange, SharePoint and Teams, allowing access tokens to be revoked in near real time. This significantly reduces the delay of up to one hour between refresh token revocation and access token expiry.
The blue team should check for these artifacts related to the compromised account:
- Mailbox rules:
Threat actors often create specific mailbox rules to forward or hide email. These can include rules to hide emails in folders that are not often used. For example, a threat actor may forward all emails containing the keyword ‘invoice’ to the Archive folder to hide them from the user or forward them to an external email address.
- Mailbox forwarding:
Email forwarding may be configured to send a copy of all email to an external email address. This allows the threat actor to silently retrieve a copy of every email the user receives.
- MFA modifications:
Threat actors might register additional authentication methods against compromised accounts for use with MFA, such as phone numbers or authenticator apps.
- New device enrollment:
Threat actors might add a device they control to the Azure AD tenant. This is an attempt to bypass conditional access rules that exclude known devices.
- Data exfiltration:
Threat actors may use the inbuilt sharing functionality in SharePoint and OneDrive to share important or sensitive documents and organizational resources externally.
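The response steps (revoking refresh tokens) and the artifact checks above, as an added PowerShell example that is not code from the original post. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, PowerShell 7, and existing sessions from Connect-MgGraph (User.ReadWrite.All, UserAuthenticationMethod.Read.All, Directory.Read.All) and Connect-ExchangeOnline; the function name Invoke-TokenTheftTriage and the account name are ours.

```powershell
# Added example (not code from the original post). Contains a confirmed token theft
# victim and pulls the persistence artifacts listed above. Requires Microsoft.Graph
# and ExchangeOnlineManagement with Connect-MgGraph and Connect-ExchangeOnline
# already run (PowerShell 7 for the ?? operator).
function Invoke-TokenTheftTriage {
    param(
        [Parameter(Mandatory)] [string] $Upn,   # the compromised account
        [int] $LookbackDays = 30
    )
    # 1. Revoke refresh tokens and session cookies. Already issued access tokens
    #    stay valid until expiry (up to an hour) unless CAE cuts them off sooner.
    $revoked = Revoke-MgUserSignInSession -UserId $Upn
    Write-Host "Sign-in sessions revoked for ${Upn}: $($revoked.Value)"

    # 2. Inbox rules that move, forward, redirect or delete mail.
    Get-InboxRule -Mailbox $Upn |
        Select-Object Name, Enabled, MoveToFolder, ForwardTo, ForwardAsAttachmentTo,
                      RedirectTo, DeleteMessage, MarkAsRead | Format-Table -AutoSize

    # 3. Mailbox-level forwarding configured outside of inbox rules.
    Get-Mailbox -Identity $Upn |
        Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

    # 4. Registered MFA methods; anything the user does not recognise is suspect.
    Get-MgUserAuthenticationMethod -UserId $Upn | ForEach-Object {
        [pscustomobject]@{
            Type   = $_.AdditionalProperties['@odata.type']
            Id     = $_.Id
            Detail = $_.AdditionalProperties['phoneNumber'] ?? $_.AdditionalProperties['displayName']
        }
    } | Format-Table -AutoSize

    # 5. Devices registered to the user (possible new device enrollment).
    Get-MgUserRegisteredDevice -UserId $Upn |
        Select-Object Id, @{ n = 'DisplayName'; e = { $_.AdditionalProperties['displayName'] } },
                      @{ n = 'Registered';  e = { $_.AdditionalProperties['registrationDateTime'] } }

    # 6. SharePoint/OneDrive sharing events in the lookback window (possible exfiltration).
    Search-UnifiedAuditLog -UserIds $Upn -ResultSize 500 `
        -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date) `
        -Operations SharingInvitationCreated, AnonymousLinkCreated, SecureLinkCreated |
        ForEach-Object {
            $d = $_.AuditData | ConvertFrom-Json   # AuditData is a JSON string
            [pscustomobject]@{ Time = $_.CreationDate; Op = $_.Operations
                               Object = $d.ObjectId; Target = $d.TargetUserOrGroupName }
        } | Format-Table -AutoSize
}
Invoke-TokenTheftTriage -Upn 'compromised.user@contoso.example'
```

Run the artifact checks (steps 2 to 6) before and after containment and compare them with the user, since anything they do not recognise is an indicator of what the threat actor changed.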
Conclusion:
It is important for organizations to establish maximum visibility of where and how their users authenticate. Devices used to access critical applications, like Exchange Online or SharePoint, should be known and managed by the organization. Provisioning EDR agents on these devices and enrolling them in Intune also increases visibility and control.
Highly privileged users should be prioritized for phishing-resistant MFA solutions (FIDO2 security keys, Windows Hello for Business, certificate-based authentication, etc.).
Defenders should combine MFA with other solutions (conditional access policies, anti-phishing solutions, continuous access evaluation, continuous monitoring, etc.) to build a strong defensive base.