title: Microsoft Entra ID Session Token Theft and Replay (THREAT-EntraID-TokenTheft)
id: df00tech-threat-entraid-tokentheft
status: experimental
description: "Session token theft (also called token replay or pass-the-cookie) is one of the most prevalent identity attacks against Microsoft 365 and Entra ID in 2025-2026. Adversaries use adversary-in-the-middle (AiTM) proxy frameworks (Evilginx2, Modlishka, Muraena, Tycoon 2FA, EvilProxy) to intercept valid session cookies from M365 sign-in flows, then replay those cookies to authenticate as the victim without needing the victim's password or MFA code. The attack works because Microsoft's authentication cookies are bound to the browser session but not to the originating IP address: a cookie replayed from a different IP is flagged by Entra ID's risk engine but is not blocked by default. Scattered Spider and Storm-0539 are documented using this technique at scale against SMBs and mid-market organisations, primarily for financial fraud (payment diversion, payroll fraud) and for compromising IT admin accounts in order to facilitate SIM swapping."
references:
  - https://attack.mitre.org/techniques/THREAT-EntraID-TokenTheft/
  - https://df00tech.com/detections/THREAT-EntraID-TokenTheft
author: df00tech
date: 2026/04/22
tags:
  - attack.threat-entraid-tokentheft
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # PLACEHOLDER: this detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The wildcard selection below matches every event and must be replaced with the real query before deployment.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Users legitimately travelling who sign in from airports, hotels, or multiple mobile data providers within a short window"
  - "Shared accounts used by multiple team members from different locations (a practice SMBs should eliminate)"
  - "VPN use that changes the apparent location between sign-ins (e.g. the user connects to the VPN for the second sign-in but not the first)"
  - "Users with MFA remembered on trusted devices who then sign in from a new device without an MFA prompt (MFA remembered state is a Conditional Access setting)"
level: critical
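The description above states that a replayed cookie arrives from a different IP than the one that established the session, and the false-positive list names travel, VPN hops and shared accounts as the main benign causes of that pattern. The Python below is an added example, not the df00tech rule's own logic or Microsoft's detection: it runs two heuristics over a constructed batch of sign-in events. The first picks out events that Identity Protection has already tagged with a token-related risk type (`anomalousToken` and `tokenIssuerAnomaly` are real Entra ID risk detection names; matching them is this example's choice). The second flags the same session ID reused from a different IP and ASN within a short window, suppressing pairs that involve a known corporate VPN egress ASN. The field names (`user`, `session_id`, `ip`, `asn`, `country`, `time`, `risk_event_types`), the sample records and the VPN ASN allowlist are all assumptions constructed for the example; map them onto your SIEM's sign-in log schema before use.

```python
"""Heuristic detection of Entra ID session-token replay over sign-in events.

Added example, not part of the df00tech rule. Event fields and sample data are
constructed; adapt them to the real sign-in log schema in your environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Identity Protection risk detection types that point at token anomalies.
TOKEN_RISK_TYPES = {"anomalousToken", "tokenIssuerAnomaly"}

# Private-use ASN assumed to be the organisation's VPN egress (assumption).
VPN_EGRESS_ASNS = {64499}

# Constructed sample sign-in events using RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    # alice: one session cookie used from two unrelated networks 12 minutes apart
    {"user": "alice@example.com", "session_id": "S-1", "ip": "203.0.113.10",
     "asn": 64500, "country": "NL", "time": "2026-04-22T09:00:00Z", "risk_event_types": []},
    {"user": "alice@example.com", "session_id": "S-1", "ip": "198.51.100.7",
     "asn": 64501, "country": "BR", "time": "2026-04-22T09:12:00Z", "risk_event_types": []},
    # bob: office network, then the corporate VPN egress (benign hop)
    {"user": "bob@example.com", "session_id": "S-2", "ip": "192.0.2.5",
     "asn": 64510, "country": "NL", "time": "2026-04-22T10:00:00Z", "risk_event_types": []},
    {"user": "bob@example.com", "session_id": "S-2", "ip": "192.0.2.77",
     "asn": 64499, "country": "NL", "time": "2026-04-22T10:05:00Z", "risk_event_types": []},
    # carol: same session, same IP twice (nothing to flag)
    {"user": "carol@example.com", "session_id": "S-3", "ip": "203.0.113.44",
     "asn": 64500, "country": "NL", "time": "2026-04-22T11:00:00Z", "risk_event_types": []},
    {"user": "carol@example.com", "session_id": "S-3", "ip": "203.0.113.44",
     "asn": 64500, "country": "NL", "time": "2026-04-22T11:10:00Z", "risk_event_types": []},
    # dave: Identity Protection already raised a token anomaly on this sign-in
    {"user": "dave@example.com", "session_id": "S-4", "ip": "198.51.100.99",
     "asn": 64502, "country": "DE", "time": "2026-04-22T12:00:00Z",
     "risk_event_types": ["anomalousToken"]},
    # erin: session reused from another network, but 30 minutes later
    {"user": "erin@example.com", "session_id": "S-5", "ip": "203.0.113.200",
     "asn": 64500, "country": "NL", "time": "2026-04-22T13:00:00Z", "risk_event_types": []},
    {"user": "erin@example.com", "session_id": "S-5", "ip": "198.51.100.30",
     "asn": 64503, "country": "FR", "time": "2026-04-22T13:30:00Z", "risk_event_types": []},
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp format used by the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def risk_event_hits(events):
    """Events on which Identity Protection already flagged a token-related risk."""
    return [e for e in events if TOKEN_RISK_TYPES & set(e.get("risk_event_types", []))]


def session_replay_candidates(events, window_minutes=15, vpn_asns=VPN_EGRESS_ASNS):
    """Flag a session ID reused from a different IP and ASN within the window.

    Consecutive events of the same (user, session_id) are compared pairwise, so
    an attacker interleaving with the victim produces an alert at each switch.
    Pairs that involve a known VPN egress ASN are suppressed to cover the
    "user connected to VPN between sign-ins" false positive.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[(e["user"], e["session_id"])].append(e)

    alerts = []
    for (user, sid), evs in by_session.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        for prev, cur in zip(evs, evs[1:]):
            if cur["ip"] == prev["ip"] or cur["asn"] == prev["asn"]:
                continue  # same network: travel inside one provider is not replay
            gap = parse_time(cur["time"]) - parse_time(prev["time"])
            if gap > timedelta(minutes=window_minutes):
                continue  # too far apart for this heuristic; risk engine covers the rest
            if cur["asn"] in vpn_asns or prev["asn"] in vpn_asns:
                continue  # known corporate VPN egress (trade-off: hides replay via that VPN)
            alerts.append({
                "user": user, "session_id": sid,
                "from_ip": prev["ip"], "to_ip": cur["ip"],
                "from_country": prev["country"], "to_country": cur["country"],
                "minutes_apart": round(gap.total_seconds() / 60, 1),
            })
    return alerts


if __name__ == "__main__":
    for hit in risk_event_hits(SAMPLE_EVENTS):
        print("risk engine hit:", hit["user"], hit["risk_event_types"])
    for alert in session_replay_candidates(SAMPLE_EVENTS):
        print("possible token replay:", alert)
```

With the default 15-minute window only alice's session is reported; widening the window to 60 minutes also surfaces erin's. The window and the VPN allowlist are the two knobs that trade the travel and VPN false positives listed above against missed replays, so tune them per tenant rather than copying these values.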
