A token theft in Microsoft 365 is no longer a theoretical scenario, it's an active technique that allows an attacker to “become” the user, even if you use MFA. If an attacker manages to copy those tokens (for example, using AITM/man-in-the-middle phishing that clones the login page), they can reuse them to log in as that user without having to reactivate the MFA.

Conditional Access Continuous Access Evaluations (CAE) help to “close the door” in near real time when a token has been stolen through phishing or other techniques, dramatically reducing the window in which an attacker can move within Microsoft 365.

What is token theft and why should you care?

In a Microsoft 365 environment, when a user is authenticated (password + MFA), the platform issues access tokens that represent their session in front of services such as Exchange Online, SharePoint, Teams or Graph. If an attacker manages to copy those tokens, they can reuse them to log in as that user without having to re-authenticate with MFA.

This approach has two dangerous effects for any organization:

• The password is no longer the main problem: the attacker is already operating with a valid session.

• Classic reactive actions (changing password, forcing MFA, revoking sessions “by hand”) may not immediately cut all stolen tokens if there are no continuous reevaluation mechanisms.

Continuous Access Evaluation: trimming the operating window

Continuous Access Evaluation is a Microsoft Entra ID capability that allows tokens to be reevaluated in near real time when certain security or session conditions change. Instead of a token remaining valid until its fixed expiration, CAE causes certain events to trigger a “revision” of the token and, if appropriate, its immediate invalidation.

Among the events that can cause this reevaluation are: account disabling, changing the password, raising the level of risk, modifying Conditional Access policies, or changes of location that violate defined rules. When it comes to token theft, this means that:

• If you detect that an identity is compromised and mark it as such, the associated tokens can become invalid almost instantly, reducing the lifespan of the attacker.

• If the attacker tries to reuse a token from an unexpected IP or country, combining CAE with location policies can force a new challenge or block the session.

Conditional Access and token protection: raising the level of control

Conditional Access it is still the framework in which you define “who can access, from where, how and to what” in your tenant. In the face of the risk of token theft, there are three lines of configuration that especially help:

• Specific policies for high-value accounts (VIP, finance, admins)

• Risk-based policies

• Token protection/token binding

In practice, this means that a stolen token is much more likely to be useless if it is not used under the expected conditions (device, location, risk).

Defender for Office 365: Reducing the likelihood of token theft

While CAE and Conditional Access reduce the impact once the token is issued, Defender for Office 365 works to prevent the attacker from stealing it. Its key capabilities for this scenario include:

• Advanced anti-phishing and impersonation policies to detect and block emails that attempt to impersonate trusted users, managers or providers, reducing the effectiveness of attackers.

• Safe Links to rewrite and analyze URLs in emails and documents, dynamically blocking malicious sites that mimic the Microsoft 365 login portal.

• Safe Attachments to execute suspicious attachments in isolated environments before delivering them to the user, cutting payloads that often accompany identity theft campaigns.

With these well-configured capabilities, the likelihood that a user will enter credentials on an AITM page decreases considerably.

How the Neodefender team can help you

Implement CAE correctly, advanced Conditional Access and Defender for Office 365 it's not just a matter of activating options: it requires understanding your business model, your access flows and your specific risks. The Neodefender team can accompany you throughout the cycle:

• Evaluate your current stance against token theft, identifying gaps in configuration, visibility and response processes.

• Design and deploy Conditional Access policies aligned with CAE and your operational requirements, minimizing impact on the end user without sacrificing security.

• Plan, configure and adjust Defender for Office 365 (anti-phishing, Safe Links, Safe Attachments, attack simulations) so that your users, emails and sessions are better protected.

With a well-designed strategy and expert support, your organization can go from relying only on passwords and MFA to actively controlling the lifecycle of sessions, reducing both the likelihood of token theft and the impact if it happens. Schedule a call with the Neodefender team and discover how we can help you implement best practices adapted to your needs.

‍