Beyond MFA: A Defender's Guide to Token Theft and AiTM

  • Thu, Aug 13, 2026
  • 9:30AM - 10:30AM EDT
  • English
  • Maxim Deweerdt
  • Technical Presentation

For years, multi-factor authentication was the main defense for identity protection. But in 2025 and 2026, attackers found scalable ways to bypass it. Now, adversary-in-the-middle phishing kits and token replay attacks are common in major threat reports. These techniques have become so widespread that password-plus-OTP MFA no longer stops skilled attackers.

This 50-minute session will show how token-theft attacks really work. It's designed for defenders who know the headlines but want to understand the details. We'll begin with a quick overview of OAuth tokens (access, refresh, ID, and primary refresh tokens) to set the stage. Next, we'll break down the AiTM phishing pattern using popular toolkits, see how a stolen refresh token can extend access beyond the original session, and look at Storm-0558 as a case study in large-scale token abuse. The session is meant to illustrate key ideas, not cover every attack. The goal is to help you build a defender's mental model.

We'll finish by looking at controls that really make a difference: phishing-resistant authentication like FIDO2, passkeys, and certificate-based methods, as well as Continuous Access Evaluation, Token Protection, and Conditional Access patterns that connect them. You’ll leave with a better idea of where your authentication setup is strong, where it might be weak, and what questions to discuss with your identity team.

Who Should Attend

  • Security architects and engineers responsible for Conditional Access and authentication design in Microsoft Entra environments
  • SOC analysts and incident responders who investigate identity-related intrusions
  • Identity administrators rolling out passkeys, FIDO2, or Conditional Access policy changes
  • Security managers who need a better answer to "are we still covered by MFA?" than the current narrative offers

Learning Objectives

  • Describe, at a high level, how access, refresh, and primary refresh tokens differ, and why each one matters to attackers
  • Recognize the AiTM phishing pattern, and understand the structural reason password-plus-OTP MFA doesn't defeat it
  • Use Storm-0558 as a reference point for the token-issuance class of attack
  • Name the control surfaces (phishing-resistant authentication, Continuous Access Evaluation, Token Protection, and Conditional Access) that meaningfully change the picture
  • Walk away with two or three concrete questions to bring back to your identity team about your tenant's current posture

This session supports concepts from SEC559: Cloud and Hybrid Identity Security. To learn more, explore upcoming course runs, and access your free course preview, visit www.sans.org/sec559

Meet Your Speaker

Maxim Deweerdt

Leadership Team at NVISO

Maxim Deweerdt is a Principal SANS Instructor and author of SEC559: Cloud and Hybrid Identity Security. With 15+ years in cyber defense, he brings deep expertise in identity-driven attacks, SOC operations, and detection engineering to every class.
