
MFA bypass attacks and token theft: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Topic starter  

TL;DR: Microsoft warned that attackers are bypassing MFA by stealing tokens and cookies through adversary-in-the-middle and pass-the-cookie techniques, then using them to access high-privilege accounts and cloud resources, according to Axiad’s summary of the warning. The core problem is that session trust, not just authentication strength, now determines whether identity controls hold.

NHIMG editorial — based on content published by Axiad: Microsoft's warning about how hackers are bypassing MFA

Questions worth separating out

Q: How should security teams reduce the risk of MFA bypass attacks?

A: Security teams should combine phishing-resistant MFA, device compliance checks, and shorter session lifetimes so a stolen token has less value.

Q: Why do unmanaged devices increase the risk of token theft?

A: Unmanaged devices often lack the security controls needed to stop cookie theft, malware, or session replay.

Q: What breaks when organisations rely on MFA alone?

A: MFA alone breaks down when attackers capture the authenticated token or cookie after login and reuse it elsewhere.

Practitioner guidance

  • Deploy phishing-resistant MFA for privileged access. Require stronger authentication methods for administrators and high-risk business applications, especially where token replay would expose tenant-level control.
  • Reduce the value of stolen sessions. Shorten session lifetime, enforce reauthentication for sensitive operations, and block access from unmanaged devices when corporate policy allows.
  • Separate privileged identities from daily-use accounts. Move Global Admins, Billing Admins, and Authentication Admins into dedicated cloud-only identities and watch for role changes, tenant modifications, and suspicious token activity.

What's in the full article

Axiad's full blog covers the operational detail this post intentionally leaves for the source:

  • Microsoft-aligned mitigation steps for reducing MFA bypass exposure across managed and unmanaged endpoints
  • Specific guidance on revoking refresh tokens and forcing reauthentication after token theft
  • Practical examples of conditional access and device-based controls for remote workers
  • Detection and alerting details for high-risk tenant modifications and suspicious token events

👉 Read Axiad's analysis of Microsoft's warning on MFA bypass attacks →

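As an added example (not code from the original post, from Axiad, or from Microsoft), the following Python script shows two of the controls in the practitioner guidance above in working form: detecting the pass-the-cookie pattern, where one session identifier is presented from a different IP address or device shortly after it was issued, and applying a shorter effective session lifetime to sensitive operations than to routine use. The event fields, the sample events, and the thresholds are constructed assumptions that loosely mirror what identity-provider sign-in logs expose; tune them per tenant.

```python
"""Flag likely session-token replay in sign-in events and decide when a
session is too old for a sensitive operation.

Added example; not the post's, Axiad's or Microsoft's code. Event shape
(user, session_id, ip, device_id, device_compliant, timestamp) is a
constructed simplification of sign-in log records; thresholds are assumed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample events: a legitimate session on a compliant laptop,
# then the same session id replayed 35 minutes later from another IP on an
# unmanaged device (the pass-the-cookie pattern). Last event is unrelated.
SAMPLE_EVENTS = [
    {"user": "admin@example.com", "session_id": "s-1001", "ip": "203.0.113.10",
     "device_id": "lap-01", "device_compliant": True,
     "timestamp": "2024-05-01T09:00:00Z"},
    {"user": "admin@example.com", "session_id": "s-1001", "ip": "203.0.113.10",
     "device_id": "lap-01", "device_compliant": True,
     "timestamp": "2024-05-01T09:20:00Z"},
    {"user": "admin@example.com", "session_id": "s-1001", "ip": "198.51.100.7",
     "device_id": None, "device_compliant": False,
     "timestamp": "2024-05-01T09:35:00Z"},
    {"user": "user@example.com", "session_id": "s-2002", "ip": "192.0.2.50",
     "device_id": "lap-02", "device_compliant": True,
     "timestamp": "2024-05-01T10:00:00Z"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_session_replay(events, window=timedelta(hours=1)):
    """Return one alert per event that presents an already-seen session id
    from a different IP or device within `window` of the session's first use.

    The comparison baseline is the first sighting of each session id, so a
    cookie lifted from the victim's browser and replayed elsewhere shows up
    as an IP and/or device change on a session the attacker never created.
    """
    first_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["timestamp"])):
        sid = ev["session_id"]
        if sid not in first_seen:
            first_seen[sid] = ev
            continue
        base = first_seen[sid]
        changed = []
        if ev["ip"] != base["ip"]:
            changed.append("ip")
        if ev["device_id"] != base["device_id"]:
            changed.append("device")
        elapsed = parse_ts(ev["timestamp"]) - parse_ts(base["timestamp"])
        if changed and elapsed <= window:
            alerts.append({
                "user": ev["user"],
                "session_id": sid,
                "changed": changed,
                "from_ip": base["ip"],
                "to_ip": ev["ip"],
                "unmanaged_device": not ev["device_compliant"],
            })
    return alerts


def requires_reauth(issued_at, now, sensitive,
                    max_age=timedelta(hours=8),
                    sensitive_max_age=timedelta(minutes=15)):
    """Shorter effective lifetime for sensitive operations (role assignment,
    tenant setting changes): the session may still be fine for routine use
    but must be re-proven once it is older than `sensitive_max_age`.
    Both limits are assumed values, not a vendor default."""
    limit = sensitive_max_age if sensitive else max_age
    return (now - issued_at) > limit


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_EVENTS):
        print("replay suspected:", alert)
    issued = parse_ts("2024-05-01T09:00:00Z")
    now = parse_ts("2024-05-01T09:35:00Z")
    print("reauth for role change:", requires_reauth(issued, now, sensitive=True))
    print("reauth for mailbox read:", requires_reauth(issued, now, sensitive=False))
```

The response to a replay alert is the step the guidance lists as "revoke refresh tokens and force reauthentication": invalidate the user's sessions at the identity provider, then require a fresh phishing-resistant sign-in from a compliant device. A narrower `window` trades fewer false positives from legitimate roaming for missed slow replays, which is why the detection should be paired with the shorter sensitive-operation lifetime rather than relied on alone.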

(@mr-nhi)
Member Moderator
 

Session trust is now the real identity boundary. MFA proves authentication happened, but it does not guarantee that the session remains trustworthy after the token is issued. That makes token theft, cookie replay, and unmanaged-device exposure governance problems, not just endpoint problems. Practitioners should treat session state as an identity asset with its own control requirements.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: Who is accountable when a stolen session leads to tenant compromise?

A: Accountability usually spans IAM, endpoint security, and application owners because the failure crosses authentication, device trust, and privilege design. A stolen session that reaches tenant control is not a single-team issue. It shows that governance must cover session duration, privileged identity separation, and detection of abnormal token use.

👉 Read our full editorial: MFA bypass attacks expose the limits of session-based trust
