Session and token theft
AiTM kits and infostealers steal finished logins, MFA included. How token theft works, and which controls make a stolen session worthless.
IBM, 2025: yearly growth in emails carrying infostealers
Microsoft, 2023: share of account-compromise attacks blocked by MFA
A stolen session token replays a finished login, second factor included, from anywhere the attacker likes.
what it is
When a login completes, the service issues a session token, a cookie or credential the browser presents on every subsequent request so the user is not re-challenged each click. The token embodies the whole finished authentication, second factor included.
Token theft takes that artifact instead of the password. Two routes dominate. Adversary-in-the-middle (AiTM) phishing puts a relay page between the user and the real login: the victim signs in genuinely, MFA prompt and all, and the kit captures the resulting session cookie. Infostealer malware takes the other path, harvesting tokens already sitting in the browser. Either way, the attacker replays the token and arrives authenticated. Nothing was cracked, and "bypass" is the accurate word: the kit relays a legitimate login and steals its output.
why it accumulates
Token theft scaled because MFA worked. As second factors closed the stolen-password route, the criminal ecosystem industrialized the next layer: phishing kits like Tycoon2FA, which Microsoft documented in 2026 as a leading AiTM operation run at scale, sell the relay as a service, and infostealer logs are bulk commodities. Microsoft's Digital Defense Report 2024 estimated around 39,000 token theft incidents per day and a 146% year-over-year rise in AiTM phishing, and IBM X-Force measured an 84% yearly jump in emails delivering infostealers.
Long session lifetimes make every stolen token more valuable, and they are long by default because re-authentication annoys users.
what it costs you
A replayed token defeats the control your security case leans on. The credential numbers frame the stakes: stolen credentials figured in 36% of breaches (Verizon, 2026), and half of ransomware victims had credentials leak in the 95 days before the attack. Tokens are credentials in their most finished form: no password to crack, no MFA to trigger, often no alert at all, because the activity rides an existing valid session.
For a mid-market company the practical consequence is mailbox and SaaS takeover that looks like the user: payment fraud run from the real finance mailbox, OAuth grants approved by the "user" to persist access, data pulled at session speed.
what works
The control that changes the economics is phishing-resistant authentication. FIDO2 keys and passkeys bind the login to the genuine domain, so a relay page captures nothing usable; the AiTM kit simply has nothing to steal. The accounts worth moving first are the ones a stolen session monetizes fastest, admins and finance, with coverage widening from there.
Token value is the other lever. Tighter session lifetimes and re-authentication for sensitive actions cap the replay window, and conditional access that binds sessions to device and location makes a replayed token conspicuous rather than invisible. On the infostealer side, the exposure is tokens sitting in browsers on unmanaged machines, so device requirements for company sessions and basic browser sign-in hygiene shrink the harvest directly.
Revocation deserves rehearsal before it's needed. The console action that kills a user's sessions everywhere is worth knowing today rather than mid-incident, because disabling the account without revoking its sessions leaves the attacker logged in on the token that still works.
A stolen session that persists leaves fingerprints in the directory: new OAuth grants, freshly created mail-forwarding rules, changed MFA methods. Each is how a one-time theft becomes standing access, and each is visible to anyone who looks. Real-time detection of a theft in progress belongs to ITDR tooling, but the posture work above decides something detection never can: how much of the estate a single stolen session is able to reach.
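The session-binding and lifetime controls above, sketched as an added example that is not from this page or any vendor's product: a constructed policy check that compares each request against the device and network recorded when the login completed, expires old sessions, and demands fresh authentication for the persistence actions listed above. Thresholds, field names and the /24 network comparison are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy values (assumptions, not figures from the page).
MAX_SESSION_AGE = timedelta(hours=8)          # hard cap on token replay window
REAUTH_WINDOW = timedelta(minutes=15)         # freshness required for sensitive actions
SENSITIVE_ACTIONS = {"grant_oauth", "add_forwarding_rule", "change_mfa", "approve_payment"}

@dataclass
class Session:
    token_id: str
    issued_at: datetime   # when the genuine login, MFA included, completed
    device_id: str        # managed-device identifier bound at issuance
    ip: str               # client address seen at issuance

@dataclass
class Request:
    token_id: str
    at: datetime
    device_id: str
    ip: str
    action: str

def same_network(a: str, b: str) -> bool:
    """Coarse location check: compare /24 prefixes (stand-in for ASN/geo logic)."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]

def evaluate(session: Session, req: Request) -> list[str]:
    """Return the reasons to refuse the request; an empty list means allow."""
    reasons = []
    if req.token_id != session.token_id:
        return ["unknown token"]
    if req.device_id != session.device_id:
        reasons.append("device mismatch")          # replayed from a different machine
    if not same_network(req.ip, session.ip):
        reasons.append("network change")           # token presented from elsewhere
    age = req.at - session.issued_at
    if age > MAX_SESSION_AGE:
        reasons.append("session expired")          # lifetime cap reached
    elif req.action in SENSITIVE_ACTIONS and age > REAUTH_WINDOW:
        reasons.append("re-authentication required")  # persistence step needs a fresh login
    return reasons

# Constructed sample: one genuine login, one legitimate follow-up, one replay.
LOGIN = Session("tok-1", datetime(2025, 1, 1, 9, 0), "laptop-17", "203.0.113.10")
LEGIT = Request("tok-1", datetime(2025, 1, 1, 9, 10), "laptop-17", "203.0.113.10", "read_mail")
REPLAY = Request("tok-1", datetime(2025, 1, 1, 10, 0), "unknown", "198.51.100.5", "grant_oauth")
```

Run against the samples, `evaluate(LOGIN, LEGIT)` allows the request and `evaluate(LOGIN, REPLAY)` flags the device, the network and the stale authentication, which is what turns a replayed token from invisible into conspicuous.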