Sourcepass MCOE Blog

Preventing Token Theft and Phishing in Microsoft 365 | Sourcepass MCOE

Written by Nicole Walker | Aug 18, 2025 1:00:00 PM

Token theft and phishing attacks in Microsoft 365 are increasing fast. Over half of surveyed organizations reported a breach in the past year. 

Attackers are using techniques like session token harvesting to bypass multi-factor authentication (MFA) and exploit gaps in email filtering and domain authentication.

Preventing these attacks requires a layered approach that includes advanced email security, managed device policies, phishing-resistant authentication, and properly configured domain records and app permissions. 

 

How Microsoft 365 Defends Against Token Theft and Phishing

 

In this episode of the Demystifying Microsoft podcast, host Nathan Taylor (SVP, Global Microsoft Practice Leader at the Sourcepass MCOE) and guest Nick Ross (CEO, CloudCapsule) explore the evolving landscape of token theft and phishing in Microsoft 365, offering insights and examples to help organizations strengthen their security posture and prevent business email compromise.

 

 

Timestamped Key Moments

  • 00:00 — Introduction and episode overview
  • 03:31 — What is token theft and why is it rising?
  • 06:21 — How attackers use session tokens for persistence and lateral movement
  • 12:09 — Email filtering gaps and the impact of third-party MX filters
  • 15:51 — Microsoft’s layered defense: Defender for Office 365, Safe Links, ZAP, and more
  • 20:00 — DMARC, SPF, DKIM: Why domain authentication matters
  • 21:30 — Conditional access policies and managed device strategies
  • 29:58 — Passkeys, FIDO2, and Windows Hello for Business: Phishing-resistant authentication
  • 38:36 — Post-breach mitigation: MFA registration and rogue app detection
  • 47:49 — FAQ and audience questions

 

How does Token Theft Bypass MFA and Compromise Microsoft 365 Accounts?

 

Attackers bypass multi-factor authentication in Microsoft 365 by stealing session tokens during login flows that look legitimate. These tokens act as digital keys: they give attackers access to accounts even after MFA has been completed. Once inside, attackers can maintain access, move across accounts, and launch further attacks without triggering standard security alerts.

Tools like Evilginx present what looks like a real login and replay the stolen tokens. This allows attackers to avoid detection and take advantage of gaps in account and email security.

 

Which Security Controls in Microsoft 365 Block Token Theft and Phishing?

 

Microsoft 365 offers several layers of defense:

  • Defender for Office 365: Advanced anti-phishing, anti-spam, and Safe Links for URL detonation.
  • Zero-hour auto purge (ZAP): Automatically removes malicious emails from inboxes across the organization.
  • Conditional Access Policies: Require managed or compliant devices for login, disrupting token replay attacks.
  • Phishing-resistant MFA: FIDO2 keys, Windows Hello for Business, and passkeys via Microsoft Authenticator.
  • Trusted Locations and Global Secure Access: Restrict access based on network location, adding another layer of protection.

 

Why are Third-Party MX Filters a Weak Link?

 

Routing email through third-party MX filters such as Proofpoint or Mimecast can break Microsoft’s security chain. It disrupts SPF, DKIM, and TLS validation, which reduces Microsoft’s ability to detect and block malicious emails. API-based filtering is often a better option because it keeps the full security telemetry intact.

 

What Role do DMARC, SPF, and DKIM Play in Email Security?

 

DMARC, SPF, and DKIM records verify who is allowed to send email from your domain. When configured correctly, they prevent spoofing and phishing. Many organizations leave DMARC set to "none", which only monitors and does not block spoofed email.

Stronger settings include:

  • Quarantine: sends suspicious messages to junk
  • Reject: blocks spoofed messages entirely

 

 

Domain authentication issues are often not visible until something breaks or a spoofing attack occurs. Many organizations assume these records are configured correctly without ever validating them. 


Where validation shows gaps or weak enforcement, those misconfigurations reduce how effectively Microsoft 365 detects and blocks phishing attempts.
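An added example (not from the post or the podcast) of the validation the section calls for: it parses DMARC and SPF TXT records and reports the weak settings named above (p=none, a partial pct, a missing rua address, a permissive SPF "all" mechanism). The records are constructed samples keyed by owner name; a real check would fetch them over DNS first.

```python
"""Assess DMARC and SPF TXT records for the enforcement gaps described above."""
# Constructed sample TXT records keyed by owner name; not real domains.
SAMPLE_RECORDS = {
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "weak.example": "v=spf1 include:spf.protection.outlook.com +all",
    "_dmarc.strong.example": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example",
    "strong.example": "v=spf1 include:spf.protection.outlook.com -all",
}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; ...' into a dict of lowercase tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(domain, records):
    """Return human-readable findings; an empty list means both records enforce."""
    findings = []
    dmarc_txt = records.get(f"_dmarc.{domain}")
    if dmarc_txt is None:
        findings.append("DMARC: no record, so receivers apply no spoofing policy")
    else:
        tags = parse_dmarc(dmarc_txt)
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine sends failing mail to junk; p=reject blocks it")
        elif policy != "reject":
            findings.append("DMARC: missing or unknown p= tag makes the record invalid")
        if int(tags.get("pct", "100")) < 100:
            findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so aggregate reports are never received")
    spf_txt = records.get(domain, "")
    if not spf_txt.lower().startswith("v=spf1"):
        findings.append("SPF: no record, so sending hosts cannot be verified")
    else:
        terminal = spf_txt.split()[-1].lower()  # the trailing 'all' mechanism sets the default verdict
        if terminal in ("+all", "all"):
            findings.append("SPF: '+all' authorizes every host on the internet")
        elif terminal == "?all":
            findings.append("SPF: '?all' is neutral and gives receivers no signal")
        elif terminal == "~all":
            findings.append("SPF: '~all' is a softfail; '-all' is the strict form")
    return findings
```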


How can Organizations Disrupt the Attack Kill Chain?

 

  • Managed Devices: Enforce sign-in from compliant or hybrid-joined devices.
  • Phishing-resistant MFA: Deploy FIDO2 keys or passkeys for admins and high-risk users.
  • Conditional Access: Require MFA for device registration and restrict access to trusted locations.
  • Monitor for Rogue Apps: Regularly audit app registrations and permissions to prevent unauthorized API access.
  • Automated Attack Disruption: Use E5 Security add-ons for real-time detection and response. 
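An added example, not from the post, of the rogue-app audit in the list above: it scans OAuth consent grants for delegated scopes that give an app standing access to mail or files and marks user-consented mail access as the highest priority for review. The grant records are constructed samples whose field names (clientId, consentType, principalId, scope) are assumed to mirror Microsoft Graph oauth2PermissionGrant objects; no real tenant data is used.

```python
"""Flag OAuth consent grants that warrant review during a rogue-app audit."""
# Delegated scopes that give an app standing access to mail, files, sessions or the directory.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Sites.ReadWrite.All", "offline_access",
    "Directory.ReadWrite.All", "User.ReadWrite.All",
}

# Constructed sample grants; field names are assumed to mirror Graph oauth2PermissionGrant
# objects. consentType "AllPrincipals" is tenant-wide admin consent, "Principal" is a
# single user's consent. APP_NAMES is a constructed clientId -> display name lookup.
SAMPLE_GRANTS = [
    {"clientId": "sp-001", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read openid profile"},
    {"clientId": "sp-002", "consentType": "Principal", "principalId": "user-42",
     "scope": "Mail.ReadWrite Mail.Send offline_access"},
    {"clientId": "sp-003", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Files.ReadWrite.All User.Read"},
]
APP_NAMES = {"sp-001": "Corporate Intranet", "sp-002": "Mail Helper Pro",
             "sp-003": "Backup Sync"}

def audit_grants(grants, app_names):
    """Return one finding per grant that carries at least one high-risk scope."""
    findings = []
    for grant in grants:
        risky = sorted(set(grant["scope"].split()) & HIGH_RISK_SCOPES)
        if not risky:
            continue  # low-privilege scopes such as User.Read are not worth an analyst's time
        user_consent = grant["consentType"] == "Principal"
        consent = (f"user consent by {grant['principalId']}" if user_consent
                   else "tenant-wide admin consent")
        # Mail access consented by a single user is the pattern to review first after a phish.
        mail_access = any(scope.startswith("Mail") for scope in risky)
        severity = "high" if user_consent and mail_access else "medium"
        findings.append({
            "app": app_names.get(grant["clientId"], grant["clientId"]),
            "scopes": risky,
            "consent": consent,
            "severity": severity,
        })
    return findings
```

Sorting the findings by severity and feeding them into a ticket queue turns this into the regular review the list item asks for.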

Take the Next Step in Microsoft 365 Security with Sourcepass MCOE

 

Microsoft 365 security is evolving fast, and attackers are adapting just as quickly. Layered email protection, managed device policies, advanced authentication, and domain controls are all essential for reducing risk and maintaining business continuity. Staying informed about emerging threats and acting on these steps helps organizations build a stronger security posture that protects data and operations.

For ongoing updates and insights on Microsoft 365 security, subscribe to the Demystifying Microsoft podcast.

If you have questions about how these security strategies could impact your organization or want to discuss options for deploying advanced protections, connect with a Sourcepass Center of Excellence for Microsoft expert today.