Response to Phished 365 Users and Prevention Methods for Token Theft from Phishing in Microsoft Office 365 Accounts.
Phishing with token theft (a fake Microsoft sign-in page that relays the real one and captures the password, the MFA code and the session token that comes back) has been a common way to gain access to accounts for several years.
Token theft is when an adversary runs a 'man in the middle' (adversary-in-the-middle) proxy between the user and Microsoft, grabs the session token Microsoft sends back to the user after a successful sign-in, and replays it from their own system. Because MFA was already satisfied when the token was issued, the attacker's session is not challenged again. It is especially common from attackers intending to commit wire fraud by intercepting funds, targeting people involved in real estate and corporate banking transactions.
Initial response when a user has been phished (this is only a starting point):
- Immediately change the user's password.
- Immediately click revoke all sessions in Entra ID on the user's profile. (A password reset alone does not boot the attacker: they hold a valid session token, not the password, so the token itself has to be invalidated. Access tokens already issued stay valid until they expire, so keep watching the sign-in logs for the next hour or so.)
- Review the user's Applications listed in Entra ID (OAuth consent grants and enterprise app assignments); an attacker can consent an app they control to keep access or export data after the session is gone.
- If the phished account has extended administrative access, including but not limited to Global Admin, treat the whole tenant as exposed: perform a top-to-bottom password reset and session revocation, review applications and consent grants tenant-wide, and verify any anomalous login locations in the sign-in logs. This is where senior, experienced Microsoft 365 admins must be involved.
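The initial response steps above as one script, added here as an example and not part of the original post. It uses the Microsoft Graph PowerShell SDK and the Exchange Online module; the user principal name, the Graph scopes and the step order are assumptions, and the inbox-rule and MFA-method checks are extra checks a responder would normally add alongside the application review.

```powershell
# Added example (not from the original post): first-response steps for one phished
# Microsoft 365 user. $Upn and the requested Graph scopes are assumptions.
# Prerequisites: Install-Module Microsoft.Graph ; Install-Module ExchangeOnlineManagement
param(
    [Parameter(Mandatory)] [string] $Upn   # e.g. "jane.doe@contoso.com" (placeholder)
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All",
                        "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, DisplayName

# 1. Reset the password to a random temporary value and force a change at next sign-in.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# 2. Revoke sessions. This invalidates the refresh tokens and browser session cookies,
#    which is what the stolen token actually is. Already-issued access tokens remain
#    valid until they expire (up to about an hour) unless Continuous Access Evaluation
#    cuts them off earlier, so keep watching sign-ins after this step.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Applications the user (or the attacker, as the user) consented to. An unknown app
#    with Mail.Read or Files.Read scopes is a persistence / data export channel.
$grants = Get-MgUserOauth2PermissionGrant -UserId $user.Id
foreach ($g in $grants) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    [pscustomobject]@{ App = $sp.DisplayName; AppId = $sp.AppId; Scope = $g.Scope; GrantId = $g.Id }
}
# To remove a grant you do not recognise:
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>

# 4. Registered MFA methods: attackers frequently add their own authenticator or phone.
Get-MgUserAuthenticationMethod -UserId $user.Id |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }

# 5. Recent sign-ins, to find the attacker's IP/location and see whether they are still active.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 50 |
    Select-Object CreatedDateTime, IpAddress,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
        AppDisplayName, RiskLevelDuringSignIn,
        @{ n = 'Error'; e = { $_.Status.ErrorCode } }

# 6. Inbox rules: a phished mailbox often gains a forwarding or hide-and-delete rule
#    that survives the session revocation.
Connect-ExchangeOnline -ShowBanner:$false
Get-InboxRule -Mailbox $Upn |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo,
        DeleteMessage, MoveToFolder
```

Run it from an admin account as `.\Respond-PhishedUser.ps1 -Upn jane.doe@contoso.com` (script name is a placeholder). Steps 1 and 2 are the containment; steps 3 to 6 print what a responder then reviews by hand rather than deleting anything automatically, because a legitimate app grant or inbox rule looks the same as a malicious one until someone checks it.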
Prevention Methods:
- Phishing-resistant MFA (a FIDO2 security key such as a YubiKey) on every login, with a shortened sign-in frequency so that a stolen token ages out quickly. A FIDO2 credential is bound to the real site's origin, so a proxy page on a lookalike domain cannot complete the login, whereas an SMS or authenticator code typed into the fake page is simply relayed.
- [Entra ID P1 license required] Create Conditional Access policies restricting users to sign in only from Entra joined (or hybrid joined) devices; a token replayed from the attacker's own machine then fails the device check.
- [Entra ID P2 license required] Create a Conditional Access policy that blocks any medium or high risk sign-in (sign-in risk is calculated by Identity Protection).
- End User Education
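The three Conditional Access controls above, created with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. The policies are created in report-only state so their effect can be checked in the sign-in logs before enforcing them; the policy names, the emergency-access group ID and the requested scopes are assumptions.

```powershell
# Added example (not from the original post): the three prevention policies from the
# list above, created in report-only state. $BreakGlassGroupId, the display names and
# the scopes are assumptions. Needs Entra ID P1; the sign-in-risk policy needs P2.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Placeholder: always exclude the emergency-access (break-glass) accounts from CA policies.
$BreakGlassGroupId = "<object id of the emergency-access group>"

# Common scope: every user and every cloud app, minus the emergency-access group.
$scope = @{
    users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
    applications   = @{ includeApplications = @("All") }
    clientAppTypes = @("all")
}

# 1. Phishing-resistant MFA (FIDO2 key such as a YubiKey, Windows Hello for Business,
#    certificate-based auth) plus a 1-hour sign-in frequency so a stolen session ages out.
#    "00000000-0000-0000-0000-000000000004" is the built-in "Phishing-resistant MFA" strength.
$mfaPolicy = @{
    displayName     = "CA01 Require phishing-resistant MFA (report-only)"
    state           = "enabledForReportingButNotEnforced"
    conditions      = $scope
    grantControls   = @{
        operator               = "AND"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; type = "hours"; value = 1; frequencyInterval = "timeBased" }
    }
}

# 2. Only Entra joined / hybrid joined devices: block everything the device filter
#    does not exclude. Enforcing this locks out every unmanaged device, which is why
#    it ships here as report-only.
$devicePolicy = @{
    displayName   = "CA02 Block sign-in from unmanaged devices (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $scope + @{
        devices = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. Block medium and high risk sign-ins (Identity Protection, Entra ID P2).
$riskPolicy = @{
    displayName   = "CA03 Block medium and high risk sign-ins (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $scope + @{ signInRiskLevels = @("medium", "high") }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($p in $mfaPolicy, $devicePolicy, $riskPolicy) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0} -> {1} [{2}]" -f $created.DisplayName, $created.Id, $created.State
}
```

After a week or two of report-only data, switch `state` to `enabled` on each policy (or do it in the portal) once the sign-in log shows no legitimate users being caught, and only then for the device policy, since it is the one most likely to block real people.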
Note: This is an early draft version, check back for additional updates in the future