Addressing Data Exfiltration: Token Theft Talk - Microsoft Community Hub
Stolen authentication artifacts – tokens and cookies – can be used to impersonate the victim and gain access to everything the victim had access to. Up until a few years ago, token theft was a rare attack and was most often exercised by corporate Red Teams. Why? Because it’s simpler to steal a password than a cookie. However, with multifactor authentication (MFA) becoming more prevalent, we’re seeing real-life attacks involving artifact theft and replay.
Before diving into details, it’s important to note that Microsoft recommends that the first line of defense against token theft is protecting your devices by deploying endpoint protections, device management, phishing-resistant MFA, and antimalware, as described in Token tactics: How to prevent, detect, and respond to cloud token theft | Microsoft Security Blog.
Now, let’s discuss types of authentication artifacts and what techniques are recommended for each type to minimize the impact of theft. All authentication artifacts can be roughly divided into two buckets:
- Sign-in session artifacts, which maintain single sign-on (SSO) and app state between the client and Entra ID (for example, refresh tokens and the Entra ID sign-in session cookies).
- App session artifacts, which grant data access to client applications (for example, access tokens and an application's own session cookies).
