Preventing Token Theft and Phishing in Microsoft 365

Token theft and phishing attacks in Microsoft 365 are rapidly increasing, with over half of surveyed organizations experiencing a breach in the past year. 

Attackers are leveraging advanced techniques such as session token harvesting, bypassing traditional multi-factor authentication (MFA), and exploiting weaknesses in email filtering and domain authentication. Effective prevention requires a layered approach, including advanced email security, managed device policies, phishing-resistant authentication, and vigilant configuration of domain records and app permissions. 

How Microsoft 365 Defends Against Token Theft and Phishing

In this episode of the Demystifying Microsoft podcast, host Nathan Taylor (SVP, Global Microsoft Practice Leader at the Sourcepass MCOE) and guest Nick Ross (CEO, CloudCapsule) explore the evolving landscape of token theft and phishing in Microsoft 365, offering practical insights and examples to help organizations strengthen their security posture and prevent business email compromise.

Timestamped Key Moments

• 00:00 — Introduction and episode overview
• 03:31 — What is token theft and why is it rising?
• 06:21 — How attackers use session tokens for persistence and lateral movement
• 12:09 — Email filtering gaps and the impact of third-party MX filters
• 15:51 — Microsoft’s layered defense: Defender for Office 365, Safe Links, ZAP, and more
• 20:00 — DMARC, SPF, DKIM: Why domain authentication matters
• 21:30 — Conditional access policies and managed device strategies
• 29:58 — Passkeys, FIDO2, and Windows Hello for Business: Phishing-resistant authentication
• 38:36 — Post-breach mitigation: MFA registration and rogue app detection
• 47:49 — FAQ and audience questions

How does Token Theft Bypass MFA and Compromise Microsoft 365 Accounts?

Attackers are increasingly bypassing multi-factor authentication in Microsoft 365 by harvesting session tokens during legitimate-looking login flows. These tokens act as digital keys, granting access to accounts even after MFA is completed. Once inside, attackers can establish persistence, move laterally, and launch further attacks without triggering standard security alerts.

Tools like Evil Jinx make it possible to simulate authentic logins and replay stolen tokens, allowing attackers to evade detection and exploit weaknesses in account and email security.

Which Security Controls in Microsoft 365 Block Token Theft and Phishing?

Microsoft 365 offers several layers of defense:

• Defender for Office 365: Advanced anti-phishing, anti-spam, and Safe Links for URL detonation.
• Zero-hour auto purge (ZAP): Automatically removes malicious emails from inboxes across the organization.
• Conditional Access Policies: Require managed or compliant devices for login, disrupting token replay attacks.
• Phishing-resistant MFA: FIDO2 keys, Windows Hello for Business, and passkeys via Microsoft Authenticator.
• Trusted Locations and Global Secure Access: Restrict access based on network location, adding another layer of protection.

Why are Third-Party MX Filters a Weak Link?

Routing email through third-party MX filters (Proofpoint, Mimecast, etc.) can break Microsoft’s security chain, disrupting SPF, DKIM, and TLS validation. This reduces Microsoft’s ability to detect and block malicious emails, making it critical to evaluate whether API-based filtering is a better option for maintaining full security telemetry.

What Role do DMARC, SPF, and DKIM Play in Email Security?

Properly configured DMARC, SPF, and DKIM records are essential for preventing domain spoofing and phishing. Many organizations set DMARC to “none,” which is insufficient for blocking spoofed emails. Moving to “quarantine” or “reject” settings is recommended for stronger protection.

How can Organizations Disrupt the Attack Kill Chain?

• Managed Devices: Enforce sign-in from compliant or hybrid-joined devices.
• Phishing-resistant MFA: Deploy FIDO2 keys or passkeys for admins and high-risk users.
• Conditional Access: Require MFA for device registration and restrict access to trusted locations.
• Monitor for Rogue Apps: Regularly audit app registrations and permissions to prevent unauthorized API access.
• Automated Attack Disruption: Use E5 Security add-ons for real-time detection and response. 

Take the Next Step in Microsoft 365 Security with Sourcepass MCOE

Microsoft 365 security is evolving rapidly, and attackers are adapting just as quickly. The strategies discussed in this episode, including layered email protection, managed device policies, advanced authentication, and domain controls, are essential for reducing risk and maintaining business continuity. By implementing these practical steps and staying informed about emerging threats, organizations can build a resilient security posture that keeps data and operations protected.

For ongoing updates and practical insights on Microsoft 365 security, subscribe to the Demystifying Microsoft podcast.

If you have questions about how these security strategies could impact your organization or want to discuss options for deploying advanced protections, connect with a Sourcepass Center of Excellence for Microsoft expert today.