Multi-factor authentication is one of the most effective security controls available. Turn it on and you block the vast majority of credential-based attacks. Microsoft’s own data consistently puts it at stopping over 99% of automated account compromise attempts.
So it’s uncomfortable to say this, but MFA isn’t enough on its own. There’s a class of attack that bypasses it completely — and it’s increasingly common in Australian business environments.
What actually happens when you log in
When you authenticate to a service — Microsoft 365, your accounting software, your CRM — your browser receives a session cookie (sometimes called a session token or bearer token). This cookie is the proof that you’ve already authenticated. For the rest of your session, the server accepts requests bearing that cookie without asking for your password or MFA code again.
That’s by design. You don’t want to re-authenticate every time you open a new email.
The problem is that the session cookie is also all an attacker needs to impersonate you. If they can steal it, they skip the login screen entirely. Your password is irrelevant. Your MFA code is irrelevant. The cookie is the key.
Two ways attackers steal session tokens
Infostealer malware is the more common method. Tools like Redline, Lumma, and Raccoon Stealer are sold as-a-service in criminal marketplaces and are specifically designed to harvest browser cookies, saved passwords, and session tokens from compromised devices. A single infected endpoint can expose session tokens for every service the user visited.
Delivery mechanisms include phishing emails, malicious downloads dressed up as software cracks or “free” tools, and, increasingly, compromised advertising networks. The malware runs briefly, exfiltrates its haul, and exits — often before endpoint protection has a chance to flag it.
Adversary-in-the-Middle (AiTM) phishing is more sophisticated. The attacker operates a transparent proxy between the victim and the legitimate login page. The victim sees a real-looking login, completes MFA as normal, and the attacker’s proxy captures the resulting session token in real time. Microsoft’s Entra ID sign-in logs will show a legitimate authentication event from the victim’s credentials — because it was legitimate. The session token that follows is what gets stolen.
Why this matters right now
These aren’t theoretical attacks. The Australian Cyber Security Centre (ACSC) has documented AiTM campaigns targeting Australian organisations specifically. Infostealer infections are a routine finding in incident response engagements. The barrier to running these attacks has dropped significantly — AiTM phishing kits are available for rent, and infostealer logs are sold in bulk.
What you can actually do
Require compliant, managed devices. Microsoft Entra ID Conditional Access can be configured to require that a device is enrolled in Intune and meets your compliance policy before granting a session. A stolen cookie replayed from an attacker’s machine fails this check because their device isn’t enrolled.
Use phishing-resistant MFA. FIDO2 hardware keys (like YubiKeys) and Windows Hello for Business are cryptographically bound to the specific site and device, so a proxy cannot intercept them. TOTP codes and push-notification approvals can be intercepted; these are the factors AiTM attacks capture.
Enable Continuous Access Evaluation (CAE). CAE allows Entra ID to revoke sessions in near-real-time when risk signals change — for example, if a sign-in is detected from an impossible location. A stolen token used from the wrong location can be invalidated before it causes damage.
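As an added example (not code from the original post or from Microsoft), the following Python sketch shows the kind of check behind the device-binding and location-change controls above: it records the device and country each session identifier was first issued to and flags later use of the same session from a different device or country. The record fields and the sample events are constructed for illustration and are not the Entra ID sign-in log schema.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class SignIn:
    """One sign-in or token-use record (constructed fields, not the Entra schema)."""
    ts: int                   # seconds since epoch
    user: str
    session_id: str           # identifier shared by all requests on one issued session
    ip: str
    country: str
    device_id: Optional[str]  # managed-device id, None when the device is unmanaged
    compliant: bool           # device met the compliance policy at this event

def detect_token_replay(events: List[SignIn]) -> List[Tuple[str, str, SignIn]]:
    """Flag sessions whose cookie appears to have moved to another machine.

    The first event of each session records the device and country the
    session was issued to. A later event from a different device is the
    strongest signal of cookie replay; a different country on the same
    device is the weaker "impossible location" signal that CAE acts on.
    """
    origin_by_session = {}
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        origin = origin_by_session.setdefault(ev.session_id, ev)
        if ev is origin:
            if not ev.compliant:
                findings.append((ev.session_id, "issued to non-compliant device", ev))
            continue
        if ev.device_id != origin.device_id:
            findings.append((ev.session_id, "reused from a different device", ev))
        elif ev.country != origin.country:
            findings.append((ev.session_id, "reused from a different country", ev))
    return findings

# Constructed sample: alice's session S1 is later replayed from an unmanaged
# machine abroad; bob's session S2 was issued to a non-compliant device.
SAMPLE_EVENTS = [
    SignIn(1000, "alice", "S1", "203.0.113.10", "AU", "D1", True),
    SignIn(1100, "bob",   "S2", "203.0.113.11", "AU", "D2", False),
    SignIn(1300, "alice", "S1", "203.0.113.10", "AU", "D1", True),
    SignIn(1600, "alice", "S1", "203.0.113.12", "NZ", "D1", True),
    SignIn(2000, "alice", "S1", "198.51.100.7", "US", None, False),
]

if __name__ == "__main__":
    for session_id, reason, ev in detect_token_replay(SAMPLE_EVENTS):
        print(f"{session_id} {ev.user} @ {ev.ts}: {reason} (ip={ev.ip}, country={ev.country})")
```

In production the same binding would be enforced at the identity provider rather than after the fact; the sketch shows why a replayed cookie from an unenrolled device stands out even when the original sign-in was legitimate.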
Harden your endpoints. Infostealer malware needs to execute on a device to harvest cookies. Microsoft Defender with Attack Surface Reduction rules, application control, and Intune compliance policies significantly reduce the risk of execution. Patch cadence matters too — many infostealers exploit known, unpatched vulnerabilities.
Run phishing simulations. AiTM phishing pages are sophisticated. Regular simulations help your team develop the instinct to verify unexpected login prompts through a separate channel before completing them.
MFA is still essential — don’t read this as an argument against it. But it works best as part of a layered defence. If you’re relying on MFA alone to protect your accounts, session token theft is a gap worth closing.
If you’d like to understand how your current setup holds up, the Safe to Scale Scorecard covers your identity and endpoint security posture — takes five minutes, and gives you a clear picture of where to focus next.