Everything MSPs Should Know about Token Hijacking


Token hijacking has become a popular method for attackers to commit business email compromise (BEC) — a type of cybercrime that has resulted in over $2.9 billion in reported losses in 2023, according to the FBI.

To make matters worse, token hijacking can go undetected, as attackers bypass authentication without raising red flags in your logs. 

Let’s review how this hack works and, more importantly, how to prevent it from happening to your customers.

What Is Token Hijacking?

Token hijacking occurs when an unauthorized user accesses an account by stealing the session token. 

A token is a secure, unique identifier used to authenticate a user’s identity and maintain session integrity during interactions with a system or application. By stealing this token, the attacker can bypass both Conditional Access and multi-factor authentication (MFA) to gain direct access to the account.

Session token hijacks are sometimes confused with session hijacks. Here’s a breakdown of the main differences:

Aspect | Session Hijacking | Session Token Hijacking
--- | --- | ---
How it works | Taking control of an active session by intercepting session identifiers | Theft and misuse of session tokens to bypass authentication
Common methods | Packet sniffing, man-in-the-middle attacks, cross-site scripting (XSS), session fixation | Malware, phishing emails, fake login pages, adversary-in-the-middle (AiTM)
Attack target | Session identifiers during network transmission | Session tokens used for maintaining an authentication state
Setup complexity | Moderate to high; requires network access | Low; quick setup through phishing campaigns
Cost and time | Higher cost and time investment | Low cost, quick to implement

How a Session Token Hijack Happens

A session token hack involves these three steps:

1. Sending an Initial Phishing Email

The attack typically begins with a carefully crafted phishing email that mimics legitimate communications from colleagues or vendors. These messages contain links to fake login pages that appear convincingly real. 

For example, an attacker sends an email that looks like a legitimate security alert from the IT department stating that unusual activity has been detected on the user’s account and urging them to verify their identity by clicking on a provided link.


2. Intercepting the Access Token

Once a user interacts with a phishing email, the attacker captures their token in three steps:

  • Authentication: The victim visits the counterfeit sign-in screen, enters their credentials and completes a multi-factor authentication (MFA) prompt.
  • Session token capture: Once the user successfully logs in, the attacker intercepts the authentication data using a server to harvest the session token. 
  • Token transfer: The attacker imports the stolen session token into their browser using a cookie editor or similar tool.

This interception process is quick and inexpensive for bad actors to execute. Setting up the necessary server and tools often takes less than an hour, making it accessible for even less sophisticated attackers to hijack session tokens.

3. Accessing the Account

With a session token harvested, the attacker can import it into their browser and take over the victim’s session in order to:

  • Bypass MFA: The attacker bypasses further MFA prompts since the session token is already authenticated.
  • Access sensitive information: The attacker can access emails, files and other sensitive information as if they were the legitimate user.
  • Remain undetected: The attack is stealthy and can go unnoticed because the activity appears normal in the logs, with no new login attempts from unrecognized devices.


The Financial Impact of Session Token Hijacks 

Session token hijacks can result in data breaches and BEC attacks, where attackers use unauthorized access to user accounts to encourage fraudulent financial transactions via email, often by impersonating executives. 

Additionally, attackers might gain access to sensitive customer data, leading to identity theft and subsequent legal liabilities. IBM reports that the global average cost of data breaches in 2023 was $4.45 million, a 15% increase over three years.

On top of the direct costs (e.g. incident response, remediation and customer notification), there are indirect costs that include:

  • Business disruption
  • Regulatory penalties
  • Reputational damage
  • Increased cybersecurity insurance premiums

How to Prevent Session Token Hijacking

It’s challenging for MSPs to prevent token hijacks due to the human element. Client education is key, but there are other tactics MSPs can use to identify incidents of session token hijacking early to mitigate potential damage or data loss.

4. Client Education

Educate clients on the importance of recognizing phishing attempts. Regular security awareness training sessions should teach users:

  • How to spot suspicious emails
  • The dangers of clicking on unknown links 
  • Why to use multi-factor authentication (MFA) 
  • How to recognize fake SaaS application login screens

Encourage teams to verify the authenticity of unexpected emails and be cautious about entering credentials or sensitive information.

5. Implement an Access Token Expiration Policy 

The implementation of a robust access token expiration policy will also help mitigate the potential of a successful session token hijacking. By expiring SaaS application access tokens at specific intervals, you reduce the window of opportunity for attackers to exploit stolen tokens. We recommend setting the expiration period to every 10 to 12 hours.

Additionally, whenever possible, leverage token binding techniques. Token binding ties an access token to a specific device, ensuring that the token is only valid when used from that device. This adds an extra layer of security, making it significantly harder for attackers to reuse stolen tokens from a different device.
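The two controls described above, a bounded token lifetime and binding the token to the device it was issued to, are illustrated below in Python. This is an added example, not code from SaaS Alerts or from any SaaS vendor: the signing key, the device registry, the 10-hour lifetime constant and the `issue_token`/`sign_request`/`validate_request` functions are all constructed for illustration, and the HMAC-based proof of possession stands in for whatever binding mechanism a given platform supports. It shows why a token copied out of a browser fails validation on another device, and why the same token from the right device fails once the expiration window has closed.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example; a real service loads its signing key from a
# secrets store and learns each device key during device enrollment.
SERVER_SIGNING_KEY = b"example-server-signing-key"
DEVICE_REGISTRY = {
    "laptop-A": b"example-device-key-A",
    "laptop-B": b"example-device-key-B",
}
# Lifetime at the 10-hour end of the 10 to 12 hour policy discussed above.
MAX_TOKEN_LIFETIME_SECONDS = 10 * 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, device_id: str, issued_at: int) -> str:
    """Mint a token recording its issue time and the enrolled device it belongs to."""
    claims = {"sub": user, "dev": device_id, "iat": int(issued_at)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    signature = hmac.new(SERVER_SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(signature)


def sign_request(token: str, device_key: bytes, nonce: str) -> str:
    """Client side: prove possession of the device key for this token and request nonce."""
    message = (token + "." + nonce).encode()
    return hmac.new(device_key, message, hashlib.sha256).hexdigest()


def validate_request(token: str, nonce: str, proof: str, now: int) -> tuple:
    """Server side: accept only a well-signed, unexpired token whose proof matches
    the key of the device the token was issued to."""
    try:
        payload_b64, signature_b64 = token.split(".")
        payload = _unb64(payload_b64)
        signature = _unb64(signature_b64)
    except ValueError:  # wrong number of parts or undecodable base64
        return (False, "malformed")
    expected_signature = hmac.new(SERVER_SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected_signature):
        return (False, "bad signature")
    claims = json.loads(payload)
    if now - claims["iat"] > MAX_TOKEN_LIFETIME_SECONDS:
        return (False, "expired")
    device_key = DEVICE_REGISTRY.get(claims["dev"])
    if device_key is None:
        return (False, "unknown device")
    expected_proof = sign_request(token, device_key, nonce)
    if not hmac.compare_digest(proof, expected_proof):
        return (False, "device proof invalid")
    return (True, "ok")


if __name__ == "__main__":
    issued = 1_700_000_000
    token = issue_token("alice@example.com", "laptop-A", issued)
    # Legitimate use from the enrolled laptop one hour after issuance.
    print(validate_request(token, "nonce-1",
                           sign_request(token, DEVICE_REGISTRY["laptop-A"], "nonce-1"), issued + 3600))
    # The same token replayed from a browser that holds the token but not the device key.
    print(validate_request(token, "nonce-2",
                           sign_request(token, b"guess", "nonce-2"), issued + 3600))
    # The right device, but 13 hours later: the expiration policy has closed the window.
    print(validate_request(token, "nonce-3",
                           sign_request(token, DEVICE_REGISTRY["laptop-A"], "nonce-3"), issued + 13 * 3600))
```

The order of checks matters for logging as much as for security: signature first (so forged tokens never reach the claims parser), then lifetime, then device proof, so an alert can say precisely which control rejected the request.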

6. Automated Detection and Remediation

MSPs can identify potential compromises early by monitoring sign-in locations, unusual activity patterns and changes to email forwarding rules. Pairing that monitoring with automated remediation that acts directly on accounts showing signs of token harvesting lets MSPs respond as soon as a compromise is detected. Possible actions include:

  • Automatically revoke access tokens
  • Disable sign-in access
  • Change account passwords
  • Suspend accounts
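The detection signals named above (a session appearing from a new location with no fresh sign-in, and a newly created forwarding rule to an outside address) and the automated actions that follow them are worked through below in Python. This is an added example, not SaaS Alerts code or the output of any product: the event records, the `detect` and `plan_remediation` functions, the rule names and the mapping from rule to action are all constructed for illustration, with the event shape assumed to be whatever a SaaS audit log has been normalized into. It illustrates the key point from the attack steps above: a stolen token produces no new sign-in event, so the sign-in log looks clean, and the compromise only shows when the session's later activity is compared against where the session was originally established.

```python
from dataclasses import dataclass

# Constructed sample activity. Alice signs in once from the US; the same session later
# appears from another country with no new sign-in, then creates an external forwarding
# rule. Bob's activity is ordinary and should produce no findings.
SAMPLE_EVENTS = [
    {"ts": 1, "user": "alice@example.com", "type": "signin", "session": "sess-1", "country": "US"},
    {"ts": 2, "user": "alice@example.com", "type": "mailbox_read", "session": "sess-1", "country": "US"},
    {"ts": 3, "user": "alice@example.com", "type": "mailbox_read", "session": "sess-1", "country": "NG"},
    {"ts": 4, "user": "alice@example.com", "type": "forwarding_rule_created", "session": "sess-1",
     "country": "NG", "forward_to": "collector@example.net"},
    {"ts": 5, "user": "bob@example.com", "type": "signin", "session": "sess-2", "country": "US"},
    {"ts": 6, "user": "bob@example.com", "type": "mailbox_read", "session": "sess-2", "country": "US"},
]

# Automated remediation each rule triggers, drawn from the actions listed above.
RULE_ACTIONS = {
    "session_used_from_new_location": {"revoke_tokens", "disable_sign_in", "reset_password"},
    "session_without_observed_signin": {"revoke_tokens"},
    "external_forwarding_rule": {"revoke_tokens", "reset_password"},
}


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    detail: str


def detect(events, internal_domain="example.com"):
    """Flag sessions that move to a new country without a fresh sign-in, sessions with
    no sign-in on record at all, and forwarding rules that send mail outside the tenant."""
    session_origin = {}  # session id -> country where its sign-in was observed
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        sid = e["session"]
        if e["type"] == "signin":
            session_origin[sid] = e["country"]
            continue
        origin = session_origin.get(sid)
        if origin is None:
            findings.append(Finding(e["user"], "session_without_observed_signin",
                                    f"{sid} active with no sign-in event on record"))
        elif e["country"] != origin:
            findings.append(Finding(e["user"], "session_used_from_new_location",
                                    f"{sid} established in {origin}, used from {e['country']} at ts={e['ts']}"))
        if e["type"] == "forwarding_rule_created" and \
                not e["forward_to"].lower().endswith("@" + internal_domain):
            findings.append(Finding(e["user"], "external_forwarding_rule",
                                    f"mail forwarded to {e['forward_to']}"))
    return findings


def plan_remediation(findings):
    """Collapse findings into the set of automated actions to take for each affected user."""
    actions = {}
    for f in findings:
        actions.setdefault(f.user, set()).update(RULE_ACTIONS[f.rule])
    return {user: sorted(acts) for user, acts in actions.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.user}: {f.rule} ({f.detail})")
    print(plan_remediation(found))
```

Real tenants will need allow-lists for travel and VPN egress, and a rule on forwarding changes will need to distinguish user-created rules from administrator-managed ones, but the structure stays the same: build a baseline per session at sign-in, compare later activity against it, and let each rule carry its own remediation so that revocation and password reset happen without waiting for an analyst.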

Protect Your Customers from Token Hijacking with SaaS Alerts

With SaaS Alerts as part of your MSP software stack, you can detect and remediate any unusual activity automatically, ensuring your customers’ data stays secure at all times. Our SaaS security platform helps prevent losses from token hijacking compromises by:

  • Automatically revoking session tokens, blocking unauthorized access and resetting passwords when an attack is detected
  • Correlating device activity like login patterns with account activity, which raises the probability of detecting compromises 
  • Applying hardening settings across multiple tenants to ensure robust security configurations

Start your free trial and discover how SaaS Alerts helps you prevent session token hacks.
