Token theft is an attack where an adversary steals a valid authentication or session token — such as a JWT, OAuth access token, or session cookie — and uses it to impersonate the legitimate user without needing their password or passing MFA.
⚙️ How Does It Work?
Tokens can be stolen via adversary-in-the-middle (AiTM) phishing proxies, XSS attacks, malware, compromised endpoints, or insecure token storage. The stolen token is then replayed from the attacker's environment; because the service sees only a valid token, every credential-based control (password, MFA) is bypassed.
📍 Where Is It Used?
Any environment using token-based authentication — web apps, APIs, SSO systems, cloud platforms.
💡 Real-World Example
A sophisticated phishing campaign uses an AiTM proxy (Evilginx2) to steal Office 365 OAuth tokens in real time as employees authenticate. Because the tokens are issued only after the user completes MFA, they remain valid for 1 hour even though MFA was enforced. Attackers access email and OneDrive within seconds. Defense: implement Conditional Access with device binding and continuous access evaluation.
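The two defenses named above (device binding and continuous access evaluation) can be illustrated with a minimal token validator. This is an added example, not Microsoft's Conditional Access or any product's code; the `cnf`/`x5t#S256` claim layout is borrowed from RFC 8705 certificate-bound tokens, and the signing key, thumbprints and revocation list are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (assumptions, not from the page).
SIGNING_KEY = b"demo-signing-key-not-for-production"
TOKEN_LIFETIME_SECONDS = 3600  # mirrors the 1-hour validity in the example above


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def device_binding(client_cert_thumbprint: str) -> str:
    # Binding value derived from a credential the device holds (e.g. a client cert).
    return hashlib.sha256(client_cert_thumbprint.encode()).hexdigest()


def issue_token(subject: str, client_cert_thumbprint: str, now: float) -> str:
    # Token is bound to the device that authenticated, not just to the user.
    payload = {"sub": subject, "iat": int(now), "exp": int(now) + TOKEN_LIFETIME_SECONDS,
               "cnf": {"x5t#S256": device_binding(client_cert_thumbprint)}}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_token(token: str, presenting_cert_thumbprint: str, now: float,
                   revoked_subjects: set = frozenset()) -> tuple:
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        return False, "expired"
    # Device binding: a token replayed from another device fails even though it is
    # unexpired and correctly signed, which is exactly the AiTM replay case above.
    if not hmac.compare_digest(payload["cnf"]["x5t#S256"],
                               device_binding(presenting_cert_thumbprint)):
        return False, "token not bound to presenting device"
    # Continuous access evaluation: consult a live revocation signal on every use
    # instead of trusting the token until "exp".
    if payload["sub"] in revoked_subjects:
        return False, "session revoked"
    return True, "ok"
```

In practice the binding proof comes from mTLS or a signed device assertion, not from the client sending its thumbprint, but the validation logic is the same.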