Problem Statement: The Rising Risk of Session Token Theft

Session token theft is an increasingly exploited attack vector, allowing adversaries to bypass authentication mechanisms and gain unauthorized access to user sessions. Unlike traditional credential theft, where attackers need usernames and passwords, session hijacking enables persistence without triggering multi-factor authentication (MFA) or other security controls.

With the expansion of cloud services, federated authentication, and Single Sign-On (SSO) solutions, session tokens have become highly valuable targets. A particularly concerning aspect is the targeting of Primary Refresh Tokens (PRTs)[1], which provide broader and longer-lived access, making them especially attractive to attackers.

This shift in attack methodology mirrors the well-known Golden Ticket attack in Active Directory. Just as Golden Tickets grant attackers indefinite control over an on-premises domain, stolen PRTs can provide persistent access to cloud resources. Threat actors are adapting their methods from Kerberos ticket attacks to cloud token theft, treating PRTs as a new form of Golden Ticket for cloud environments.

 

How is Session Token Theft Happening?

Attackers employ various methods to steal session tokens, including:

  • Phishing – Attackers craft deceptive communications, such as emails or messages, to trick users into entering their credentials on fake login pages. Advanced phishing kits capture login credentials, two-factor authentication codes, and session cookies in real time, allowing attackers to hijack sessions immediately.[2]
  • Session Fixation – Attackers set a user’s session ID to one known to them, often by tricking the user into authenticating with a predetermined session ID. Once the user logs in, the attacker uses the same session ID to gain unauthorized access.[3]
  • Malware and Infostealers – Keyloggers, remote access trojans (RATs), and infostealers extract tokens from memory or browser storage.[4]
  • Man-in-the-Middle (MitM) Attacks – Session tokens are intercepted in transit via compromised networks or malicious proxies.
  • Session Replay Attacks – Attackers reuse stolen tokens to impersonate users and access resources without needing credentials.[5]
  • Browser Exploitation – Malicious extensions, local storage scraping, and API abuse allow adversaries to extract stored tokens.[6]
  • Cloud-Based Attack Vectors – Federated authentication systems and cloud-hosted applications that rely on OAuth, OpenID Connect, or SAML session persistence are targeted.[7]
  • Compromise of Primary Refresh Tokens (PRTs) – PRTs, used in SSO implementations such as Azure AD, are particularly valuable because they allow seamless access to multiple cloud and enterprise applications.[8]

Like Golden Ticket attacks, where an attacker forges a Kerberos Ticket Granting Ticket (TGT) to gain unlimited access to AD resources, PRT theft enables attackers to bypass authentication controls in cloud environments. Once a PRT is stolen, it can be reused to request new access tokens, maintaining unauthorized access until detected and revoked.

 

Mitigation Strategies: How to Stop Session Token Theft

To mitigate the risks associated with session token theft, organizations should implement a multi-layered approach using the Zero Trust Security model:

  1. Strengthen Authentication Mechanisms Across Environments

  • Enforce least privilege & Just-in-Time (JIT) access – Tokens should only provide the minimal access required, with expiration policies to prevent long-lived access.
  • Enforce adaptive MFA policies that require re-authentication for high-risk actions.
  • Implement phishing-resistant, hardware-backed authentication (FIDO2/WebAuthn) to eliminate reliance on session persistence.
  • Restrict legacy authentication methods that lack modern security controls.

IMAGE SOURCE: Microsoft

 

  2. Token Security Best Practices

  • Adopt short-lived session tokens and require periodic re-authentication.
  • Implement token binding to cryptographically tie tokens to a specific device.
  • Implement refresh token rotation to invalidate stolen tokens quickly.
  • Continuously validate session tokens – Use risk-based conditional access policies to reevaluate session trust dynamically.
  • Reduce token lifespan & enforce strict scopes – Set short expiration times on tokens and ensure scoped access to limit potential abuse.

  3. Securing Applications Using Tokens

  • Secure token storage – Avoid keeping tokens in browser local or session storage, where any script running on the page can read them; use Secure, HTTP-only cookies instead.
  • Enforce Proof-of-Possession (PoP) tokens – Ensure tokens require a cryptographic challenge to prevent unauthorized use.
  • Restrict token reuse – Implement refresh token rotation to ensure stolen tokens cannot be reused indefinitely.

  4. Network and Cloud Security Controls

  • Implement Zero Trust Network Access (ZTNA) to prevent unauthorized session replay.
  • Monitor for abnormal session activity, such as logins from unusual locations or devices.
  • Dynamically revoke compromised sessions based on risk-based access policies and security signals.
  • Implement Mutual TLS (mTLS) for API communication – Ensure that only authorized clients can communicate with APIs.
  • Apply fine-grained access control – Use Attribute-Based Access Control (ABAC) to enforce least privilege policies at the API level.

  5. Primary Refresh Token (PRT) Protection

  • PRT Binding to Devices – A PRT is cryptographically tied to the user’s device at first sign-in. Microsoft Entra ID verifies this device binding before issuing a PRT.
  • TPM-Based Security – PRTs are protected by a Trusted Platform Module (TPM) to prevent theft. The TPM secures the device key and session key, ensuring they cannot be extracted or reused elsewhere.
  • Session Key-Based Protection – Every PRT renewal request is signed using a TPM-protected session key, ensuring only the legitimate device can request new tokens.
  • Require Device Identity verification for PRT usage to prevent unauthorized reuse.
  • Implement Continuous Access Evaluation (CAE) to revoke stolen PRTs in real time.
  • Require Hybrid Azure AD Join to restrict PRT issuance to trusted, managed devices.
  • Leverage hardware-backed security modules (TPMs) for secure PRT storage.
  • Enforce Conditional Access policies on PRTs to block compromised or high-risk sessions.

  6. Endpoint and Browser Protection

  • Enforce strict browser policies to limit access to session storage.
  • Deploy Endpoint Detection and Response (EDR) to detect infostealers targeting session tokens.
  • Consider using containerized browsers for accessing sensitive applications.

  7. Development Best Practices for Secure Token Handling

  • Implement secure OAuth 2.0 & OpenID Connect flows – Always use the authorization code flow with PKCE to prevent code interception.
  • Use confidential clients for secure token exchanges – Public clients (mobile apps and browser-based apps) cannot protect a secret and should never embed or store client secrets.
  • Prevent token leakage – Never expose tokens in application logs, URL parameters, or referrer headers.[9]
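
The application-side controls in items 3 and 7 above (refresh token rotation with reuse detection, PKCE for the authorization code flow, and keeping the session token in an HTTP-only cookie) are illustrated below in a small standard-library Python example. It is added here for this edit and is not code from the paper or from any identity provider's SDK; `TokenStore`, `pkce_pair`, `session_cookie_header` and the `demo()` walk-through are names invented for the example.

```python
"""Added example (not from the HALOCK paper, not any vendor's SDK): three of the
application-side token controls listed above, in standard-library Python.
  1. PKCE for the authorization-code flow (RFC 7636, S256 method).
  2. Refresh token rotation with reuse detection: each refresh mints a new
     token and retires the old one; a retired token showing up again revokes
     the whole token family, so a copied token cannot be used indefinitely.
  3. A Set-Cookie header that keeps the session token out of script-readable
     storage (HttpOnly) and off plaintext connections (Secure).
TokenStore, pkce_pair, session_cookie_header and demo() are illustrative names."""
import base64
import hashlib
import secrets
import time
from typing import Optional


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_pair() -> tuple:
    """Client side: (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(secrets.token_bytes(32))          # 43 chars, within 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_verify(verifier: str, challenge: str) -> bool:
    """Authorization server side: recompute S256 and compare in constant time."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


class TokenStore:
    """Server-side refresh token state: rotation plus reuse (replay) detection."""

    def __init__(self, lifetime_s: int = 3600, now=time.time):
        self.lifetime_s = lifetime_s
        self.now = now
        self._live = {}               # token -> (subject, family, expires_at)
        self._retired = {}            # already-rotated token -> family
        self._revoked_families = set()

    def issue(self, subject: str) -> str:
        """First refresh token after an interactive login starts a new family."""
        return self._mint(subject, secrets.token_urlsafe(16))

    def _mint(self, subject: str, family: str) -> str:
        token = secrets.token_urlsafe(32)
        self._live[token] = (subject, family, self.now() + self.lifetime_s)
        return token

    def rotate(self, presented: str) -> Optional[str]:
        """Exchange a refresh token for a new one; None means reject.

        A token that was already rotated is a replay: either the legitimate
        client or whoever copied the token holds a stale value, so the whole
        family is revoked and the user must sign in again, which also surfaces
        the theft."""
        if presented in self._retired:
            self._revoked_families.add(self._retired[presented])
            return None
        entry = self._live.pop(presented, None)
        if entry is None:
            return None                                   # never issued
        subject, family, expires_at = entry
        self._retired[presented] = family
        if family in self._revoked_families or self.now() > expires_at:
            return None
        return self._mint(subject, family)

    def is_live(self, token: str) -> bool:
        entry = self._live.get(token)
        return (entry is not None and entry[1] not in self._revoked_families
                and self.now() <= entry[2])


def session_cookie_header(name: str, value: str, max_age_s: int) -> str:
    """Set-Cookie value for a session token. The __Host- prefix makes browsers
    insist on Secure, Path=/ and no Domain attribute, so the cookie cannot be
    widened to sibling hosts; HttpOnly keeps it out of document.cookie."""
    return (f"__Host-{name}={value}; Path=/; Max-Age={max_age_s}; "
            "Secure; HttpOnly; SameSite=Strict")


def demo() -> dict:
    """One pass through the controls with a fake clock."""
    clock = [1_700_000_000.0]
    store = TokenStore(lifetime_s=3600, now=lambda: clock[0])
    verifier, challenge = pkce_pair()
    t1 = store.issue("alice")
    t2 = store.rotate(t1)            # normal refresh: t1 retired, t2 live
    replay = store.rotate(t1)        # t1 presented again: rejected, family revoked
    family_revoked = not store.is_live(t2)
    t3 = store.issue("bob")
    clock[0] += 3601                 # past lifetime: an unrotated token also dies
    return {
        "pkce_ok": pkce_verify(verifier, challenge),
        "pkce_wrong": pkce_verify(verifier + "x", challenge),
        "rotated": t2 is not None and t2 != t1,
        "replay_rejected": replay is None,
        "family_revoked": family_revoked,
        "expired_rejected": store.rotate(t3) is None,
        "cookie": session_cookie_header("sid", "opaque-value", 900),
    }


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key}: {outcome}")
```

Revoking the whole family on replay is deliberate: the server cannot tell whether the stale token came from the real client or from a copy, so it ends both and forces a fresh, MFA-protected sign-in, which is also the moment the incident becomes visible in the logs.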

Just as security teams learned to mitigate Golden Ticket attacks by frequently rotating the krbtgt password and monitoring ticket usage, the same principle applies to PRTs. Organizations must proactively rotate, bind, and monitor token usage to prevent persistent cloud-based attacks.

 

How to Implement These Defenses

This section describes how to implement these controls in cloud environments and in on-premises server configurations.

Microsoft Entra ID (Azure AD)

  • Plan a Conditional Access deployment – Microsoft Entra Conditional Access evaluates “signals” such as user identity, device status, and location to enforce security policies while maintaining seamless access to resources.[10] Using Zero Trust principles as a guide, assess the recommended policies, as well as the application, device, and MFA policies, for applicability to your organization. The planning article notes that Conditional Access policies are powerful, and Microsoft recommends excluding the following accounts from your policies: emergency access (break-glass) accounts, service accounts, and service principals. Organizations should:
    • Define Risk-Based Access Policies– Establish policies that evaluate sign-in risks, such as location-based access restrictions, device health status, and impossible travel detections.
    • Enforce MFA Requirements – Require multi-factor authentication for high-risk sign-ins and privileged account access.
    • Restrict Legacy Authentication – Block authentication requests from outdated protocols that do not support modern security measures.
    • Implement Session Controls – Set token expiration limits and require reauthentication for sensitive operations.
    • Enable Adaptive Access – Dynamically adjust access permissions based on user behavior and device trust status.
    • Integrate with Continuous Access Evaluation (CAE) – Ensure that session revocation happens in real time when a risk is detected.
  • Require Token Protection – Configure Conditional Access policies to enforce token binding, ensuring that tokens cannot be used outside of their originally issued device.[11] Microsoft states that token protection works by cryptographically binding tokens to the device’s TPM or Secure Enclave, making it significantly harder for attackers to reuse stolen tokens on unauthorized systems. Organizations should:
    • Enable Token Protection in Conditional Access – Configure policies to enforce token-bound authentication for high-risk applications.
    • Leverage TPM-Based Key Protection – Ensure that session and refresh tokens are stored in TPM-backed secure storage, preventing exfiltration.
    • Apply Proof-of-Possession (PoP) Tokens – Require applications and APIs to validate token-bound signatures, ensuring the token is presented from the expected device.
    • Monitor Token Usage for Anomalies – Detect attempts to replay stolen tokens from unauthorized locations or devices and revoke access dynamically.

  • Enable Continuous Access Evaluation (CAE)[12] – Revoke compromised sessions in real time by continuously monitoring token usage and enforcing policy-based session controls. CAE ensures that access decisions are updated dynamically without requiring a user to sign out and back in. Organizations should:
    • Implement real-time session enforcement – Automatically revoke access if risk conditions change, such as an account being disabled, password reset, or anomalous behavior detected.
    • Integrate CAE with risk-based policies – Ensure CAE policies align with Conditional Access rules, evaluating device health, sign-in risk, and location anomalies.
    • Leverage continuous token validation – Require applications to revalidate session tokens at frequent intervals, reducing exposure time for compromised credentials.
    • Monitor session activity for anomalies – Detect suspicious behaviors, such as sudden location changes or excessive failed authentication attempts, and trigger automated session revocation.
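
The proof-of-possession idea behind the “Enforce Proof-of-Possession (PoP) tokens” and “Session Key-Based Protection” bullets earlier, and behind the “Require Token Protection” bullet above, can be shown in miniature: the issuer binds each token to a per-device session key and every request must carry a signature made with that key, so a token copied off the device is useless without the key, which a TPM would not release. The Python below is an added illustration written for this edit; it is not Microsoft's PRT or token protection implementation, HMAC-SHA256 stands in for the TPM-backed signature, and the `Issuer` class, message layout and all names are invented.

```python
"""Added example; not from the HALOCK paper and not Microsoft's PRT or token
protection implementation.  A token is bound to a per-device session key and
each request must prove possession of that key.  HMAC-SHA256 stands in for the
TPM-backed signature; Issuer, sign_request and demo() are invented names."""
import hashlib
import hmac
import json
import secrets
import time


def sign_request(session_key: bytes, token: str, method: str, path: str,
                 ts: int, nonce: str) -> str:
    """Device side: MAC over the token plus request details with the bound key."""
    msg = "\n".join([token, method, path, str(ts), nonce]).encode()
    return hmac.new(session_key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Issues tokens and verifies that requests prove possession of the device key."""

    def __init__(self, now=time.time):
        self.now = now
        self._mac_key = secrets.token_bytes(32)   # issuer's token-integrity key
        self._device_keys = {}                     # device_id -> session key
        self._seen_nonces = set()

    def register_device(self, device_id: str) -> bytes:
        """Establish the per-device session key (in reality generated in the TPM)."""
        key = secrets.token_bytes(32)
        self._device_keys[device_id] = key
        return key

    def issue_token(self, subject: str, device_id: str, ttl_s: int = 600) -> str:
        """Token = hex(JSON body) '.' HMAC tag; the body names the bound device."""
        body = {"sub": subject, "dev": device_id, "exp": int(self.now()) + ttl_s}
        payload = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self._mac_key, payload, hashlib.sha256).hexdigest()
        return payload.hex() + "." + tag

    def verify_request(self, token, method, path, ts, nonce, signature, max_skew=60):
        """Return (ok, subject_or_reason); checks run from cheapest to costliest."""
        try:
            payload_hex, tag = token.split(".")
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return False, "malformed token"
        good_tag = hmac.new(self._mac_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good_tag, tag):
            return False, "token integrity check failed"
        body = json.loads(payload)
        if body["exp"] < self.now():
            return False, "token expired"
        if abs(self.now() - ts) > max_skew:
            return False, "stale timestamp"
        if nonce in self._seen_nonces:
            return False, "replayed nonce"
        key = self._device_keys.get(body["dev"])
        if key is None:
            return False, "unknown device"
        expected = sign_request(key, token, method, path, ts, nonce)
        if not hmac.compare_digest(expected, signature):
            return False, "possession proof failed"
        self._seen_nonces.add(nonce)
        return True, body["sub"]


def demo() -> dict:
    """Genuine use first, then the failure modes a defender wants rejected."""
    clock = [1_700_000_000.0]
    issuer = Issuer(now=lambda: clock[0])
    laptop_key = issuer.register_device("laptop-01")
    token = issuer.issue_token("alice", "laptop-01")
    ts, nonce = int(clock[0]), secrets.token_hex(8)
    sig = sign_request(laptop_key, token, "GET", "/api/mail", ts, nonce)
    genuine, _ = issuer.verify_request(token, "GET", "/api/mail", ts, nonce, sig)
    # Same request captured and resent verbatim: the nonce is already consumed.
    _, replay = issuer.verify_request(token, "GET", "/api/mail", ts, nonce, sig)
    # Token copied to another machine that does not hold laptop-01's key.
    nonce2 = secrets.token_hex(8)
    foreign_sig = sign_request(secrets.token_bytes(32), token, "GET", "/api/mail", ts, nonce2)
    _, stolen = issuer.verify_request(token, "GET", "/api/mail", ts, nonce2, foreign_sig)
    # Token body altered: the issuer's integrity tag no longer matches.
    _, tampered = issuer.verify_request("7d" + token[2:], "GET", "/api/mail", ts, nonce2, foreign_sig)
    clock[0] += 601                      # past the 600 s lifetime
    _, expired = issuer.verify_request(token, "GET", "/api/mail", ts, nonce2, foreign_sig)
    return {"genuine": genuine, "replay": replay, "stolen": stolen,
            "tampered": tampered, "expired": expired}


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The reasons returned by `verify_request` are what a resource server would log; a run of "possession proof failed" for one token from a new source address is exactly the anomaly the “Monitor Token Usage for Anomalies” bullet asks teams to alert on.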

 

Google Cloud Platform (GCP)

  • Enforce Token Binding – Use Google Identity-Aware Proxy (IAP) to enforce session binding, ensuring that session tokens cannot be used outside of the originally authenticated device. This prevents token replay attacks and enhances Zero Trust security. Organizations should:[13]
    • Enable IAP Session Binding – Configure IAP to enforce device-based access controls and restrict session token usage to verified devices.
    • Leverage Device-Based Access Restrictions – Require that only managed, compliant devices are allowed to use IAP-protected resources.
    • Monitor and Audit Access Logs – Continuously track authentication attempts and token usage to detect anomalies.
    • Integrate IAP with Context-Aware Access – Adjust access controls dynamically based on risk signals such as device health and geolocation.

  • Implement Refresh Token Rotation – Enforce IAM conditions to ensure refresh tokens are short-lived and cannot be reused indefinitely. This minimizes the impact of token theft. Organizations should:
    • Set Expiration Policies for Refresh Tokens – Configure IAM policies to enforce regular token expiration and require reauthentication.
    • Use Token Exchange Mechanisms – Implement OAuth 2.0 token exchange flows to issue new tokens securely while minimizing exposure.
    • Detect and Block Stale Token Usage – Monitor API requests for attempts to reuse expired or revoked refresh tokens.
    • Integrate with Risk-Based Authentication – Require step-up authentication if refresh token behavior appears suspicious.

  • Require MFA for High-Risk Sessions – Enable context-aware access policies to dynamically enforce multi-factor authentication based on risk levels. Organizations should:
    • Define High-Risk Authentication Scenarios – Require MFA for logins from untrusted locations, unknown devices, or abnormal behavior patterns.
    • Integrate with Google Workspace Security Tools – Use security dashboards and alerts to monitor potential account takeovers.
    • Enforce Just-in-Time MFA Challenges – Prompt users for additional authentication only when necessary, balancing security and user experience.
    • Apply Adaptive Access Controls – Dynamically adjust authentication requirements based on real-time risk signals, such as failed login attempts or device health.

 

Amazon Web Services (AWS)

  • Use Cognito Identity Pools – Bind tokens to trusted devices, ensuring that session tokens are restricted to known, authorized environments. Organizations should:[14]
    • Enforce Device-Based Token Restrictions – Configure Cognito Identity Pools to issue session tokens only to managed, compliant devices.
    • Integrate with AWS IAM Policies – Apply fine-grained access controls that restrict token use based on device attributes.
    • Monitor Token Activity – Track token usage within AWS CloudTrail and detect unauthorized access attempts.
    • Apply Adaptive Reauthentication – Require users to reauthenticate if token behavior deviates from expected patterns.

  • Configure Refresh Token Expiry – Enforce IAM Identity Center policies to limit token lifespan and prevent long-term persistence. Organizations should:[15]
    • Set Short Expiry Durations – Configure token expiration policies to require periodic reauthentication and minimize exposure.
    • Implement Token Revocation Mechanisms – Enable automated revocation of refresh tokens when high-risk activity is detected.
    • Monitor for Token Reuse – Identify and block attempts to reuse expired or revoked refresh tokens.
    • Leverage AWS Security Hub – Utilize AWS Security Hub to correlate token-related security alerts with broader risk signals.

  • Require MFA for Sensitive Operations – Implement AWS IAM security policies to enforce multi-factor authentication for high-risk actions. Organizations should:[16]
    • Define High-Sensitivity Access Scenarios – Require MFA for accessing administrative consoles, modifying IAM policies, and performing financial transactions.
    • Enforce Conditional MFA Challenges – Dynamically prompt for MFA based on session risk signals, such as login from an unfamiliar location or rapid privilege escalation.
    • Integrate with AWS Organizations – Apply organization-wide policies that enforce MFA for federated accounts.
    • Audit MFA Compliance – Regularly review AWS IAM logs to ensure that MFA policies are being enforced effectively across all accounts.

 

On-Premises Active Directory (AD) Security Measures

Organizations relying on on-premises and hybrid Active Directory (AD) environments should implement security controls following best practices for AD to prevent session token theft and unauthorized access.[17] The recommendations below are based on those best practices according to Microsoft.

  1. Strengthen Kerberos Authentication Security

  • Implement Kerberos Armoring (FAST) – Enable Flexible Authentication Secure Tunneling (FAST) to provide an additional layer of encryption for Kerberos authentication exchanges. This mitigates the risk of credential interception and replay attacks. Organizations should:
    • Configure FAST in Group Policy – Deploy FAST across domain controllers and clients to ensure Kerberos requests are encapsulated in a protected tunnel.
    • Use Kerberos Armoring with Compound Authentication – Combine FAST with smart cards or Windows Hello for Business to enhance authentication security.
    • Monitor Kerberos Logs – Track authentication failures and anomalies to detect potential misuse of Kerberos tickets.

  • Enforce Ticket Lifetime Policies – Shorten the lifespan of Kerberos Ticket Granting Tickets (TGTs) and service tickets to minimize the time an attacker can use a compromised ticket. Organizations should:
    • Reduce Default TGT Lifetime – Configure Group Policy to shorten TGT lifetimes, requiring frequent reauthentication.
    • Enforce Session Ticket Expiration – Set strict expiration policies for service tickets to ensure timely revocation.
    • Implement Automatic Ticket Renewal – Require Kerberos tickets to be reissued at regular intervals, adding an additional layer of verification.

  • Rotate the krbtgt Account Password Regularly – Change the password of the krbtgt account (the KDC account whose key encrypts and signs every TGT) frequently to mitigate Golden Ticket attacks. Organizations should:
    • Schedule Regular krbtgt Password Resets – Rotate the krbtgt password at least every 90 days to invalidate previously stolen TGTs. Because the KDC still accepts tickets issued under the previous password, the reset must be performed twice, with a gap longer than the maximum TGT lifetime between the two resets, before old tickets actually become invalid.
    • Use Microsoft’s krbtgt Reset Script – Automate password rotation using Microsoft’s recommended krbtgt reset script.
    • Monitor TGT Usage for Anomalies – Detect unauthorized long-lived tickets that may indicate Golden Ticket attacks.

  • Implement Privileged Access Workstations (PAW) – Restrict domain administrator logins to hardened, dedicated workstations to prevent credential theft. Organizations should:
    • Use Isolated Admin Workstations – Ensure domain administrators only log in from secure, non-internet-connected machines.
    • Enforce Network Segmentation – Restrict access to PAWs by isolating them from standard user workstations.
    • Enable Device Attestation – Validate that only approved workstations can access privileged AD accounts.

 

  2. Prevent Credential Theft and Lateral Movement

  • Enforce Credential Guard – Enable Windows Defender Credential Guard to protect against credential theft tools such as Mimikatz. Organizations should:
    • Enable Windows Defender Credential Guard via Group Policy or Intune – Ensure that only trusted processes can access credentials stored in LSASS.
    • Use Hyper-V Virtualization-Based Security (VBS) – Protect credential storage by isolating it from the operating system.
    • Monitor for LSASS Memory Access Attempts – Detect unauthorized attempts to dump credentials using endpoint security tools.

  • Apply Protected Users Group Policy – Block NTLM, weak Kerberos encryption types in pre-authentication, Kerberos delegation, and other weak authentication mechanisms for privileged accounts. Organizations should:
    • Restrict NTLM and Kerberos Delegation – Prevent privileged accounts from using weak authentication mechanisms.
    • Enforce Smart Card or Windows Hello for Business – Require strong authentication for Protected Users group members.
    • Disable Cached Credentials for Protected Accounts – Reduce the risk of credential replay attacks by preventing local storage of credentials.

  • Monitor and Alert on Unusual TGT Requests – Use security monitoring tools to detect anomalous Kerberos activity, such as excessive ticket requests or unusual service ticket usage. Organizations should:
    • Deploy SIEM (Security Information and Event Management) Monitoring – Track Kerberos authentication events for anomalies.
    • Use Azure AD Identity Protection or Microsoft Defender for Identity – Detect suspicious authentication patterns and unauthorized ticket use.
    • Set Threshold Alerts for TGT Requests – Identify potential Golden Ticket or Pass-the-Ticket attacks by flagging excessive or long-lived TGT usage.

 

  3. Secure NTLM Authentication and Reduce Attack Surface

  • Disable NTLM Where Possible – Restrict the use of NTLM authentication and enforce Kerberos wherever feasible to reduce exposure to credential relay attacks. Organizations should:
    • Enforce Kerberos Authentication via Group Policy – Configure domain controllers and clients to prefer Kerberos over NTLM.
    • Disable NTLMv1 and NTLMv2 Where Possible – Restrict NTLM authentication by setting Network Security: Restrict NTLM policies in Group Policy.
    • Migrate Applications to Kerberos or Modern Authentication – Ensure legacy applications that still use NTLM are updated or replaced with Kerberos-compatible solutions.
    • Monitor NTLM Authentication Traffic – Use security logs and monitoring tools to identify devices and applications that still rely on NTLM.

  • Enable NTLM Auditing and Monitoring – Continuously track NTLM authentication attempts and identify systems that still rely on NTLM to reduce attack surfaces. Organizations should:
    • Enable NTLM Logging in Group Policy – Configure security policies to audit NTLM authentication attempts (Event ID 4624 and Event ID 4776).
    • Use SIEM Tools to Detect NTLM Usage – Correlate NTLM authentication events with anomalous activity to identify potential relay attacks.
    • Monitor for Unauthorized NTLM Authentication Attempts – Set up alerts for NTLM logins from unexpected hosts or privileged accounts.

  • Use SMB Signing and LDAP Signing – Enforce cryptographic signing to protect against NTLM relay attacks and unauthorized credential forwarding. Organizations should:
    • Require SMB Signing in Group Policy – Enable Microsoft network server: Digitally sign communications (always) to prevent SMB relay attacks.
    • Enforce LDAP Signing for Domain Controllers – Require Domain controller: LDAP server signing requirements to be set to Require signing to mitigate LDAP relay attacks.
    • Monitor for Unsigned Traffic – Use security monitoring tools to detect attempts to communicate with domain controllers using unsigned SMB or LDAP connections.

 

  4. Implement Conditional Access for Hybrid AD Environments

  • Integrate Active Directory with Entra ID Conditional Access – Apply risk-based authentication controls to hybrid-joined devices and users to enhance security in mixed on-premises and cloud environments. Organizations should:
    • Enforce Conditional Access for Hybrid Identities – Configure policies to evaluate user risk, device compliance, and sign-in behavior for Active Directory and Entra ID authentication.
    • Enable Hybrid Azure AD Join – Ensure that on-premises devices are registered with Azure AD to enforce cloud-based security policies.
    • Deploy Risk-Based MFA Enforcement – Require multi-factor authentication (MFA) dynamically based on risk signals detected in on-premises and cloud logins.
    • Implement Device Compliance Checks – Verify that hybrid-joined devices meet security baselines before granting access to cloud applications.

  • Require MFA for Privileged AD Logins – Enforce multi-factor authentication (MFA) for administrative access and remote logins to prevent unauthorized privilege escalation. Organizations should:
    • Apply Conditional Access MFA Policies for Admin Accounts – Require MFA for domain administrators, enterprise admins, and other privileged accounts.
    • Enforce MFA for Remote Desktop (RDP) and VPN Logins – Require strong authentication for accessing on-premises AD resources remotely.
    • Use Hardware-Based Authentication for Admins – Implement FIDO2 security keys or smart cards for highly sensitive administrative accounts.
    • Audit MFA Compliance Regularly – Use SIEM tools to track MFA enforcement and detect unprotected privileged logins.

  • Monitor Kerberos and NTLM Authentication in Hybrid Environments – Continuously track authentication attempts from on-premises systems to cloud resources to detect anomalies and potential attacks. Organizations should:
    • Enable Advanced Auditing for Kerberos and NTLM – Configure Active Directory audit policies to log authentication events (Event ID 4768, Event ID 4776).
    • Use Microsoft Defender for Identity to Detect Anomalous Authentication – Identify unusual Kerberos ticket usage and NTLM logins that may indicate credential theft.
    • Set Up Alerts for Legacy Authentication Attempts – Monitor for unauthorized NTLM authentication and block where feasible.
    • Correlate Hybrid Authentication Events in SIEM – Aggregate authentication logs from both on-premises AD and Entra ID to detect lateral movement and unauthorized access attempts.

 

  5. Implement Least Privilege and Just-in-Time (JIT) Access

  • Restrict Domain Admin and Enterprise Admin Privileges – Limit privileged account usage and enforce role-based access controls.
  • Enable Just-in-Time (JIT) Administration – Use Privileged Access Management (PAM) solutions to grant temporary admin access when needed.
  • Monitor Privileged Account Usage – Track login attempts, elevation of privileges, and lateral movement activities.
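
The monitoring steps in items 2 through 4 above (threshold alerts on TGT requests, alerts on NTLM logons from privileged accounts or unexpected hosts, and an inventory of systems that still rely on NTLM) are small enough to show as working detection logic. The Python below is an added example written for this edit, not code from the paper or from any SIEM vendor: it runs over a handful of constructed Windows Security events using the Event IDs the paper cites (4768 for a Kerberos TGT request, 4776 for NTLM credential validation); the account names, hosts, thresholds and dictionary field layout are made up and are not a particular product's schema.

```python
"""Added example, not part of the HALOCK paper: threshold alerting on TGT
requests (4768), policy alerts on NTLM validations (4776) from privileged
accounts or unexpected hosts, and an NTLM usage inventory, run over constructed
sample events.  Field names, hosts, accounts and thresholds are made up."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape a SIEM yields after parsing the log.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-05-01T08:00:00", "account": "jdoe", "ip": "10.0.1.20", "result": "0x0"},
    {"id": 4768, "time": "2024-05-01T08:00:05", "account": "jdoe", "ip": "10.0.1.20", "result": "0x0"},
    # svc-backup obtains six TGTs inside one minute
    *[{"id": 4768, "time": f"2024-05-01T08:01:{s:02d}", "account": "svc-backup",
       "ip": "10.0.2.9", "result": "0x0"} for s in range(0, 60, 10)],
    {"id": 4776, "time": "2024-05-01T08:02:00", "account": "jdoe", "workstation": "WS-0042", "result": "0x0"},
    {"id": 4776, "time": "2024-05-01T08:02:30", "account": "da-admin", "workstation": "WS-0099", "result": "0x0"},
    {"id": 4776, "time": "2024-05-01T08:03:00", "account": "jdoe", "workstation": "LAB-VM-7", "result": "0xC000006A"},
]

PRIVILEGED_ACCOUNTS = {"da-admin", "ea-admin"}   # Domain/Enterprise Admin accounts (constructed)
KNOWN_NTLM_HOSTS = {"WS-0042", "LEGACY-APP-01"}  # hosts still permitted to use NTLM (constructed)
TGT_THRESHOLD = 5                                # 4768 events per account per window
TGT_WINDOW = timedelta(minutes=5)


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def excessive_tgt_requests(events, threshold=TGT_THRESHOLD, window=TGT_WINDOW):
    """Accounts with >= threshold TGT requests (4768) inside any sliding window.
    Returns [(account, peak_count)] sorted by account name."""
    per_account = defaultdict(list)
    for e in events:
        if e["id"] == 4768:
            per_account[e["account"]].append(_parse(e["time"]))
    hits = []
    for account, times in per_account.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits.append((account, peak))
    return sorted(hits)


def ntlm_alerts(events, privileged=PRIVILEGED_ACCOUNTS, known_hosts=KNOWN_NTLM_HOSTS):
    """Alert on NTLM credential validations (4776) that violate policy: any
    privileged account using NTLM, or NTLM from a host not on the allow list."""
    alerts = []
    for e in events:
        if e["id"] != 4776:
            continue
        if e["account"] in privileged:
            alerts.append(f"privileged account {e['account']} authenticated with NTLM "
                          f"from {e['workstation']}")
        if e["workstation"] not in known_hosts:
            alerts.append(f"NTLM from unexpected host {e['workstation']} "
                          f"(account {e['account']}, status {e['result']})")
    return alerts


def ntlm_usage_by_host(events) -> Counter:
    """Inventory for the 'identify systems that still rely on NTLM' step."""
    return Counter(e["workstation"] for e in events if e["id"] == 4776)


def run_detections(events=SAMPLE_EVENTS) -> dict:
    return {"excessive_tgt": excessive_tgt_requests(events),
            "ntlm_alerts": ntlm_alerts(events),
            "ntlm_hosts": dict(ntlm_usage_by_host(events))}


if __name__ == "__main__":
    for name, finding in run_detections().items():
        print(f"{name}: {finding}")
```

On the constructed data the service account that pulled six TGTs in a minute trips the threshold, the Domain Admin logon over NTLM raises a policy alert, and the lab VM shows up both as an unexpected NTLM source and in the inventory of hosts to migrate. Real thresholds should be set from a baseline of each account's normal rate rather than the fixed value used here.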

 

Conclusion

By proactively securing session tokens and implementing defense-in-depth strategies, organizations can significantly reduce the risk of token theft and unauthorized access. Just as Golden Ticket attacks reshaped Active Directory security strategies, PRT and session token theft must drive new security priorities for cloud authentication. As attackers continue to refine their tactics, staying ahead with adaptive security measures is critical to maintaining a resilient authentication framework.

 

Resources & Solution Links

 

ABOUT THE RESEARCH

This document was created by a human analyst in collaboration with generative AI. The final content was developed, reviewed and edited by a human editor to ensure accuracy, originality, and adherence to applicable legal standards.

 

ABOUT HALOCK SECURITY LABS

HALOCK is a risk management and information security consulting firm providing cybersecurity, regulatory, strategic, and litigation services. HALOCK has pioneered an approach to risk analysis that aligns with regulatory standards for “reasonable” and “appropriate” safeguards and risk, using due care and reasonable person principles. As the principal authors of CIS Risk Assessment Method (RAM) and board members of The Duty of Care Risk Analysis (DoCRA) Council, HALOCK offers unique insight to help organizations define their acceptable level of risk and establish reasonable security. 

 

[1] Understanding Primary Refresh Token (PRT)

[2] Astaroth: A New 2FA Phishing Kit Targeting Gmail, Yahoo, AOL, O365, and 3rd-Party Logins

[3] Session Fixation Attack

[4] The Growing Threat from Infostealers

 

[5] A Guide to Replay Attacks And How to Defend Against Them

[6] Attacking browser extensions

[7] Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps

[8] Lateral Movement to the Cloud with Pass-the-PRT

[9] Manage tokens for Zero Trust

[10] Plan a Conditional Access deployment

[11] Require compliant device or Microsoft Entra hybrid joined device for administrators

[12] Continuous access evaluation in Microsoft Entra

[13]

[14] Security best practices for Amazon Cognito identity pools

[15] Security best practices in IAM

[16] Require multi-factor authentication (MFA)

[17] Best Practices for Securing Active Directory