
Token theft protection with Microsoft Entra, Intune, Defender XDR & Windows

by info.odysseyx@gmail.com


Video transcript:

- Tokens must be protected to prevent attackers from stealing your identity and data. In single sign-on systems like SAML and OAuth, tokens are how a service knows who you are and what you can do. When you log in to your computer with your Entra ID account, you receive a session token that you can use to access email, Teams, and other apps.

- Think of these tokens like a park pass that you get at the ticket booth that lets you go into a theme park and ride all the rides. Anyone with that pass can use it. This means that if someone steals the pass from you after you receive it, they have the same access as you. Conceptually, the idea of waiting for a good user to receive a pass and then stealing it to gain access is what we call token theft.

- Most attacks are still credential attacks and mainly target passwords, so multi-factor authentication with passkeys is absolutely necessary. But as more people use MFA, attackers are increasingly turning to credential bypass attacks like token theft. Overall, 147,000 token theft attacks were detected last year, a 111% increase over the previous year, and this growth is expected to continue.

- So today I will explain a little more about tokens and how token theft works. And most importantly, we'll show you how Microsoft can help protect you from these attacks. We'll show you new features like Credential Guard on Windows enforced by device policies in Intune, token protection enforcement in Microsoft Entra, and token theft detection in Microsoft Sentinel and Defender XDR.

- Now, as we work together to move from weak passwords to strong, phishing-resistant multi-factor authentication like passkeys, attackers have to wait for good users to get their tokens and then steal them from the device to get at their data. When you log in to a site or service using your security credentials, including multi-factor authentication, your identity provider issues a token.

- This token describes who you are and what you can do, and you present it to access applications and services. A token is something that your logged-in browser, app, or device management service stores in the background so that you don't have to re-enter your credentials each time you navigate to a resource.

- However, if an attacker gets access to these tokens and makes copies of them, they can access resources in the same way without needing a username, a password, or a successful MFA challenge. Let's go back to the theme park analogy. If your pass doesn't have your name or photo printed on it and it is stolen, someone can easily use it, enter the park, and enjoy the rides you paid for. Likewise, if the token is not associated with the device, an attacker who gets hold of it can steal the token and replay it for as long as the token is valid.

- What about that amusement park wall? It's like the security perimeter for your company, and the rides are your data. So, let's make this concrete with an example that we have seen a lot recently. First, the user logs into a service, such as a cloud storage account, using multi-factor authentication and is issued a session token.

- Clicking on a malicious link installs malicious code in that user's context, which copies the session token and sends it to the attacker. Now the attacker uses the token to access the cloud storage and download confidential documents or whatever else they want.

- That's just one approach. There are other ways to steal tokens, such as copying tokens from network proxies or routers, or extracting them from server logs, so token protection options are needed to prevent these types of attacks. So, the first thing we want to do is link the park pass to the purchaser by printing their photo and name on the pass. To achieve this, we use token protection, also known as token binding. Currently in preview, it is a key part of Microsoft Entra's efforts to reduce token theft attacks.

- This is a new method that requires apps and services to be aware of the token's binding to the device, and it currently works with Microsoft Intune enrollment, Outlook, SharePoint, and Microsoft Teams. This ensures that the token will only work on the specific device it was issued to and not on others. You can now create a policy that requires users to only use apps that support token protection.

- Let me show you how. Conditional Access policies allow you to require a bound token to access a resource. Let's click on this policy to show you how it's set up. First, on the policy itself, you'll see that Office 365 Exchange Online and SharePoint Online are selected under Target resources.

- Next, I configured Windows as the platform under Device platforms in Conditions. Token protection is currently available on Windows clients and will expand to macOS, iOS, Android, and other clients over the next year. Under Client apps, this time I selected Mobile apps and desktop clients, and under Access controls, under Session, I selected Require token protection for sign-in sessions. This session control associates the token with the device it was issued to.

- You can then enable and create the policy, and the session token will be bound to the device, preventing attackers from using stolen tokens on devices the token was not explicitly issued to. Token protection is currently the strongest defense against token theft, but it is not supported by all applications or platforms. Therefore, using a defense-in-depth approach provides different countermeasures that can be used to reduce the risk and impact of token theft attacks.

- First, reduce the risk of successful token theft by requiring managed and compliant devices. For Windows, this means that Local Security Authority protection is enabled to prevent untrusted processes from accessing tokens, and Credential Guard is required to secure tokens on on-premises and hybrid-joined devices. This is the default setting for new Windows 11 devices, which have higher security standards.

- You can enforce this using Windows policies, as shown here in Microsoft Intune for Windows 10 and later. You can also use device compliance checks in Conditional Access to verify that these settings are applied before granting the requesting device access to a resource. Taken together, these rules reduce the chances of tokens being stolen from your device. That said, attackers are smart and not all endpoints can support these methods. So, as part of your defense in depth, let's look at how you can detect and block these attacks when they occur.

- First, Microsoft Entra ID has built-in token theft detection and automatically assesses user and sign-in risk when token theft is suspected. Therefore, by configuring risk-based access policies, you can block or revoke tokens if token theft is suspected.

- Traditional token evaluation is performed on refresh, but with continuous access evaluation, which is automatically activated whenever your application supports it, Microsoft Entra ID can take immediate action and require re-authentication in real time. Additionally, if you go to Session controls for this policy, there is an option to strictly enforce the location policy so that the token can only be used on the subnet where it was issued.

- And with Microsoft Entra Internet Access, you can enforce compliant network checks using Conditional Access policies. When you configure these controls, the policy blocks all access attempts unless the user connects from a Microsoft Entra Internet Access-enabled device and a tenant-specific network. This prevents attackers from using the token outside of the Microsoft Entra Internet Access environment.

- Finally, Microsoft Entra ID Protection, fully integrated with Microsoft Defender, allows you to quickly detect and deter potential token theft-based incidents and easily connect Microsoft Entra ID signals to Microsoft Sentinel or your preferred SIEM.

- Token theft is an increasingly serious threat to your identity and data security, and Microsoft Entra can help prevent replay attacks by protecting your tokens together with Windows, Microsoft Intune, and Microsoft Defender XDR.

- Check out aka.ms/TokenTheftDefense to learn more and get started, and stay tuned to Microsoft Mechanics for further updates. Subscribe if you haven't already. Thank you for watching.
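The two practical pieces in the transcript, the Conditional Access policy (Exchange Online and SharePoint Online, Windows platform, mobile apps and desktop clients, Require token protection for sign-in sessions) and the endpoint prerequisites it leans on (LSA protection and Credential Guard), as an added example in Microsoft Graph PowerShell. This is not code from the video or from Microsoft; it assumes the Microsoft.Graph.Identity.SignIns module, an administrator who can consent to Policy.ReadWrite.ConditionalAccess, and a pilot group whose object ID you supply. The policy name, the report-only starting state, and the function names are the author's choices; the two application IDs are the well-known first-party IDs for Office 365 Exchange Online and SharePoint Online.

```powershell
# Added example, not part of the Microsoft Mechanics video. Two functions:
#   1. New-TokenProtectionPolicy: creates the Conditional Access policy from the
#      transcript via Microsoft Graph PowerShell, starting in report-only mode.
#   2. Test-TokenTheftEndpointHardening: checks a Windows endpoint for the LSA
#      protection and Credential Guard prerequisites the transcript relies on.
# Assumes the Microsoft.Graph.Identity.SignIns module. $PilotGroupId is a placeholder.

function New-TokenProtectionPolicy {
    param(
        # Placeholder: object ID of the pilot group; replace before running
        [Parameter(Mandatory)] [string] $PilotGroupId,
        [string] $DisplayName = 'Require token protection - Exchange Online and SharePoint Online (Windows)'
    )

    Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' | Out-Null

    # Well-known first-party application IDs (the "Office 365 Exchange Online" and
    # "Office 365 SharePoint Online" entries under Target resources)
    $exchangeOnlineAppId   = '00000002-0000-0ff1-ce00-000000000000'
    $sharePointOnlineAppId = '00000003-0000-0ff1-ce00-000000000000'

    $body = @{
        displayName = $DisplayName
        # Report-only first: the sign-in logs then show which clients would be
        # blocked because they cannot present a device-bound token
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeGroups = @($PilotGroupId) }
            applications   = @{ includeApplications = @($exchangeOnlineAppId, $sharePointOnlineAppId) }
            platforms      = @{ includePlatforms = @('windows') }
            clientAppTypes = @('mobileAppsAndDesktopClients')
        }
        sessionControls = @{
            # "Require token protection for sign-in sessions" in the portal
            secureSignInSession = @{ isEnabled = $true }
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $body |
        Select-Object Id, DisplayName, State
}

function Test-TokenTheftEndpointHardening {
    # Configured LSA protection: RunAsPPL 1 = enabled, 2 = enabled with UEFI lock.
    # Windows 11 22H2+ can enable LSA protection by default without writing this
    # value, so the boot-time Wininit event below is the authoritative runtime signal.
    $lsaReg   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue
    $runAsPpl = if ($null -ne $lsaReg) { [int]$lsaReg.RunAsPPL } else { 0 }

    # Wininit event ID 12 in the System log ("LSASS.exe was started as a protected
    # process with level: 4") is written at boot when LSA protection is active.
    # Only count it if it belongs to the current boot.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $filter   = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 }
    $lsaEvent = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    $lsaRunning = ($null -ne $lsaEvent) -and ($lsaEvent.TimeCreated -ge $lastBoot)

    # Win32_DeviceGuard: SecurityServicesRunning contains 1 when Credential Guard is
    # actually running; SecurityServicesConfigured only reflects the policy
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        LsaProtectionConfigured   = $runAsPpl -ge 1
        LsaProtectionRunning      = $lsaRunning
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
    }
}

# Usage (replace the group ID with your pilot group's object ID):
# New-TokenProtectionPolicy -PilotGroupId '00000000-0000-0000-0000-000000000000'
# Test-TokenTheftEndpointHardening
```

Run the endpoint check from an elevated session on the device itself (or through a remoting session); the registry and WMI reads need local access. Leave the policy in report-only until the sign-in logs confirm that every Windows client in the pilot group is presenting a bound token, since any client that cannot will be blocked the moment the state is switched to enabled.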
