Token theft is now the most common way attackers break into business accounts in 2026, and it works even when multi-factor authentication is enabled. Instead of stealing a password and fighting through MFA, the attacker steals the session token your browser receives after you successfully log in, then replays that token from their own machine. To every cloud service, the attacker looks exactly like you, from exactly your session, already past the MFA check. Microsoft, Cisco Talos, and CISA have all flagged token theft as the dominant identity attack of the year, and we are seeing it hit New Jersey small and mid-sized businesses weekly. The good news is that the defenses are well understood. The bad news is that most SMBs have not turned them on yet.

What Is a Session Token, and Why Is It Valuable?

When you sign in to Microsoft 365, Google Workspace, Salesforce, or almost any modern SaaS application, the service does not force you to re-enter your password and MFA code on every page load. Instead, after a successful sign-in, the service hands your browser a session token, usually a cookie or a bearer token, that acts like a temporary keycard. For the next several hours or days, your browser presents that token with each request and the service trusts it without asking who you are again.

Tokens exist because the alternative, prompting for MFA on every click, would make cloud applications unusable. The tradeoff is that anyone who has the token has your access until it expires. Not your username. Not your password. Not a second factor. Just the token. An attacker who gets it is already inside.

How the Attack Actually Works in 2026

Two delivery methods dominate right now. Both are cheap, both are automated, and both work against MFA.

The first is adversary-in-the-middle phishing, usually shortened to AiTM. The attacker sends a phishing email with a link to a site that looks identical to the real Microsoft or Google login page. When the victim types their username and password, the attacker's server forwards those to the real service in real time. When the real service sends back an MFA prompt, the attacker forwards that too. The victim approves the MFA push on their phone. The real service issues a valid session token, and because every byte of the conversation passes through the attacker's proxy, the proxy keeps a copy as it hands the token on to the victim. The victim ends up logged in, sees the normal dashboard, and has no idea anything is wrong. Meanwhile, the attacker has a fully authenticated session token on their own laptop. Frameworks like Evilginx, Tycoon 2FA, and Mamba 2FA have industrialized this attack. A working kit costs under three hundred dollars a month on criminal marketplaces.

The second is infostealer malware. A user downloads a cracked app, a fake browser update, a poisoned Google search result, or a malicious email attachment. The malware runs for thirty seconds, harvests every session cookie and saved credential from every browser on the machine, ships them off to a command-and-control server, and deletes itself. Stealers like LummaC2, RedLine, and StealC are responsible for the majority of the tokens being sold on criminal forums right now. A full browser dump from a corporate laptop sells for fifteen to fifty dollars depending on what it includes.

In both cases, the attacker ends up with a live token and can log in as you from anywhere in the world, bypassing MFA entirely.

Why Your MFA Did Not Save You

MFA stops password-guessing and credential-stuffing attacks. That is what it was designed for. It does not stop an attacker who already has a valid post-MFA token, because the token itself is the proof that MFA was completed. Unless that token is cryptographically bound to the device it was issued to, the service has no reliable way to tell that it is being replayed from a different computer; a new IP address or browser fingerprint is a risk signal, not proof.

This is not an argument against MFA. MFA remains essential and every business should require it. The argument is that MFA is no longer sufficient. In 2026, identity attacks have moved past the MFA prompt, and your defenses need to move past it too.

Who Is Being Targeted?

Everyone, but with a clear pattern. The highest-value tokens are for finance, HR, and executive assistant accounts, because those users have direct access to banking portals, payroll systems, and the CEO's calendar and inbox. We have worked incidents where an attacker used a stolen finance token to set up a rule that forwarded every email containing the word "invoice" to an external inbox, then quietly replaced an outgoing invoice PDF with one that pointed to the attacker's bank account. The victim's customer paid a real invoice, the money went to the wrong place, and the compromise was not discovered for weeks.

New Jersey professional services firms, healthcare practices, and municipal government contractors are seeing this attack land at a rate we have not seen before. The attacker does not need to be sophisticated. The attacker needs to buy a phishing kit, buy a domain, and send a believable email. The economics favor the attacker.

What we are seeing in the field: A 40-person NJ accounting firm lost a Microsoft 365 token during tax season when a partner clicked a fake DocuSign link. Within four hours, the attacker created an inbox rule, deleted notification emails, added a rogue OAuth application with Mail.Read permissions, and began exfiltrating client W-2s. The partner's MFA was enabled and working correctly the entire time. Token theft, not MFA failure.

The Controls That Actually Stop Token Theft

The defenses here are not hypothetical. They are all shipping in your existing Microsoft, Google, or Okta tenant today, and most of them are either free or included in the license tier you already pay for.

Phishing-resistant MFA, not push notifications. Passkeys, FIDO2 security keys, and Windows Hello for Business cryptographically bind the MFA response to the real login domain: the browser writes the page's actual origin into the data the authenticator signs, so a response produced on a look-alike domain fails verification at the real service. AiTM phishing sites fail because the key never authenticates to anything other than the genuine domain. Push notifications, SMS codes, and authenticator app codes do not have this protection, because a six-digit code or an approval tap carries no information about where it was entered. Every business should be migrating away from push MFA toward phishing-resistant MFA in 2026. This is the single most impactful change you can make.
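Why a passkey cannot be relayed through an AiTM proxy, as an added example that is not from the original article: a compact model of the WebAuthn assertion ceremony in Python. The browser, not the web page, writes the origin into clientDataJSON and refuses to use a relying-party ID that does not match the page's host; the relying party then checks origin and rpIdHash before it looks at the signature. The hostnames, the credential key, and the HMAC stand-in for the authenticator's ECDSA signature are assumptions made so the block runs on the standard library.

```python
import hashlib
import hmac
import json
import secrets
from typing import Tuple

# Constructed credential. A real passkey is a P-256 key pair and the relying party (RP)
# stores only the public half; HMAC-SHA256 stands in for ECDSA so this runs with no
# third-party libraries. The origin-binding checks are the same either way.
CREDENTIAL_KEY = b"constructed-authenticator-secret"
RP_ID = "login.microsoftonline.com"               # RP ID registered with the credential
RP_ORIGIN = "https://login.microsoftonline.com"   # origin the RP expects to see
PHISH_ORIGIN = "https://login.microsoftonline.com.evil-proxy.example"  # hypothetical AiTM host


def browser_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Model of navigator.credentials.get(): the browser fills in the origin itself and only
    honours an rpId that is the page's host or a registrable suffix of it."""
    host = origin.split("://", 1)[1].split("/")[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"browser refuses rpId {rp_id!r} for origin {origin!r}")
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge.hex(),
        "origin": origin,                 # written by the browser, not by the page's script
    }).encode()
    # authenticatorData: rpIdHash (32 bytes) + flags (UP|UV) + 4-byte signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def rp_verify(assertion: dict, expected_challenge: bytes) -> Tuple[bool, str]:
    """Relying-party checks in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {RP_ORIGIN!r}"
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login() -> Tuple[bool, str]:
    challenge = secrets.token_bytes(32)
    return rp_verify(browser_assertion(RP_ORIGIN, RP_ID, challenge), challenge)


def aitm_with_real_rpid() -> Tuple[bool, str]:
    """The proxy relays the real challenge, but the victim's browser is on the phishing origin
    and will not sign for the real RP ID at all."""
    challenge = secrets.token_bytes(32)
    try:
        assertion = browser_assertion(PHISH_ORIGIN, RP_ID, challenge)
    except ValueError as exc:
        return False, str(exc)
    return rp_verify(assertion, challenge)


def aitm_with_own_rpid() -> Tuple[bool, str]:
    """The phishing page asks for an rpId it does own. A real authenticator would have no
    credential scoped to it; we sign anyway to show the RP rejecting the relayed assertion."""
    challenge = secrets.token_bytes(32)
    assertion = browser_assertion(PHISH_ORIGIN, "evil-proxy.example", challenge)
    return rp_verify(assertion, challenge)
```

The proxy can relay the challenge and the signed blob byte for byte, but it cannot change what the victim's browser wrote into the origin field, and the real service compares that field to its own origin before it accepts anything.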

Token protection and continuous access evaluation. Microsoft Entra and Google Workspace both support token binding features that tie a session token to a key held on the specific device that received it, so that a token is only honored alongside proof that the device key is present. When an attacker replays the token from a different device, the request is rejected because the attacker cannot produce that proof. Continuous Access Evaluation evaluates risk signals mid-session and kills suspicious sessions in near-real-time rather than waiting for the token to expire. These are conditional access settings, not separate products, but note that Entra token protection currently covers Windows devices and a limited set of Microsoft 365 workloads, so check the current scope before assuming every session in your tenant is bound.
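The mechanism behind token binding, as an added example that is not from the original article and not Microsoft's or Google's implementation: a proof-of-possession model in the style of DPoP (RFC 9449) written in Python. The issuer records a thumbprint of the device key in the token, and every request must carry a fresh proof signed with that key over the method, URL and token hash. The keys, the endpoint URL, and the use of HMAC-SHA256 in place of an asymmetric device key are assumptions made so the block runs on the standard library; the property that matters, that the attacker never obtains the device key, is preserved.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed keys. A real device key lives in the TPM or secure enclave and the issuer
# stores only its public half; HMAC-SHA256 stands in for asymmetric signing here.
DEVICE_KEY = b"constructed-tpm-resident-device-key"
ISSUER_KEY = b"constructed-issuer-signing-key"
PROOF_MAX_AGE = 60   # seconds a proof stays valid; a server nonce or jti cache would tighten this
URL = "https://graph.example/v1.0/me/messages"   # hypothetical resource endpoint


def key_thumbprint(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()[:32]


# Resource server's registry of device keys by thumbprint (public keys, in a real deployment).
DEVICE_REGISTRY = {key_thumbprint(DEVICE_KEY): DEVICE_KEY}


def issue_token(user: str, device_key: bytes) -> str:
    """Issuer mints a token whose claims name the device key it is bound to (a cnf claim)."""
    claims = {"sub": user, "cnf": key_thumbprint(device_key), "exp": int(time.time()) + 3600}
    body = json.dumps(claims, sort_keys=True)
    tag = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def _proof_message(method: str, url: str, ts: int, token: str) -> bytes:
    # The proof covers the request and a hash of this exact token.
    return f"{method}\n{url}\n{ts}\n{hashlib.sha256(token.encode()).hexdigest()}".encode()


def make_proof(device_key: bytes, method: str, url: str, token: str,
               now: Optional[float] = None) -> dict:
    """Client side: prove possession of the device key for this one request."""
    ts = int(time.time() if now is None else now)
    sig = hmac.new(device_key, _proof_message(method, url, ts, token), hashlib.sha256).hexdigest()
    return {"ts": ts, "sig": sig}


def resource_server(method: str, url: str, token: str, proof: dict,
                    now: Optional[float] = None) -> Tuple[bool, str]:
    """Resource server: issuer signature, expiry, proof freshness, then the device proof."""
    body, _, tag = token.rpartition(".")
    expected_tag = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected_tag):
        return False, "token signature invalid"
    claims = json.loads(body)
    ts_now = int(time.time() if now is None else now)
    if claims["exp"] < ts_now:
        return False, "token expired"
    if abs(ts_now - proof["ts"]) > PROOF_MAX_AGE:
        return False, "proof stale (captured request replayed too late)"
    bound_key = DEVICE_REGISTRY.get(claims["cnf"])
    if bound_key is None:
        return False, "token bound to an unknown device key"
    expected_sig = hmac.new(bound_key, _proof_message(method, url, proof["ts"], token),
                            hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, proof["sig"]):
        return False, "proof not signed by the device this token is bound to"
    return True, "ok"


def legitimate_request() -> Tuple[bool, str]:
    token = issue_token("cfo@contoso.example", DEVICE_KEY)
    return resource_server("GET", URL, token, make_proof(DEVICE_KEY, "GET", URL, token))


def attacker_replays_token() -> Tuple[bool, str]:
    """AiTM or an infostealer handed the attacker the token text, not the TPM-resident key."""
    token = issue_token("cfo@contoso.example", DEVICE_KEY)
    attacker_key = b"constructed-attacker-laptop-key"
    return resource_server("GET", URL, token, make_proof(attacker_key, "GET", URL, token))


def attacker_replays_captured_request() -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Attacker also captured a valid proof. It is bound to method and URL, and it ages out."""
    token = issue_token("cfo@contoso.example", DEVICE_KEY)
    t0 = time.time()
    captured = make_proof(DEVICE_KEY, "GET", URL, token, now=t0)
    other_endpoint = resource_server("POST", URL.replace("messages", "sendMail"), token, captured, now=t0)
    same_request_later = resource_server("GET", URL, token, captured, now=t0 + PROOF_MAX_AGE + 1)
    return other_endpoint, same_request_later
```

A stolen token on its own is now useless, and a captured request can only be replayed against the same endpoint inside the freshness window; real deployments close that remaining window with a server-issued nonce or a cache of seen proof IDs.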

Conditional access policies that block risky sign-ins. Require compliant devices, block sign-ins from unfamiliar countries, block sign-ins from anonymizer networks, and require elevated authentication for high-risk actions like adding OAuth apps or changing mail forwarding rules. A well-tuned conditional access policy stops most replay attempts before the attacker can use the token.

Endpoint detection with token-theft signatures. Modern EDR tools flag the behaviors that infostealers rely on, such as bulk reads of browser cookie databases, memory-scraping patterns, and process injections into browser processes. If your current endpoint product cannot do this, it is overdue for a refresh. We cover device hardening and monitoring in our managed IT services engagements.

Inbox-rule and OAuth-app monitoring. Every account takeover we have responded to in the past year included at least one of these two post-compromise actions: a new inbox rule that forwarded or hid mail, or a new consented OAuth app that retained persistent access even after the password was reset. Alert on both. Automatically disable both pending review. Your cybersecurity services provider should already be watching for this.
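Detection logic for the post-compromise actions described above, and for the replay pattern that the conditional access and token protection paragraphs aim to block, as an added example that is not from the original article: three small rules run in Python over constructed audit events. The sample records are invented and their field names are simplified from the Microsoft 365 Unified Audit Log and Entra sign-in shapes, not a verbatim export; the tenant domain, folder names and scope list are assumptions you would tune for your own tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "contoso.example"   # assumed tenant domain; any other address is external
REPLAY_WINDOW = timedelta(minutes=30)
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History", "Archive", "Deleted Items"}
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite", "Files.ReadWrite.All"}

# Constructed sample events (simplified field names, not a real export).
SAMPLE_EVENTS = [
    {"CreationTime": "2026-03-10T09:00:00", "Operation": "UserLoggedIn", "UserId": "cfo@contoso.example",
     "SessionId": "4f6a-session-1", "ClientIP": "203.0.113.10", "Country": "US"},
    # Same session ID twelve minutes later from another country: the stolen token being replayed.
    {"CreationTime": "2026-03-10T09:12:00", "Operation": "UserLoggedIn", "UserId": "cfo@contoso.example",
     "SessionId": "4f6a-session-1", "ClientIP": "198.51.100.77", "Country": "NG"},
    # Rule named "." that hides invoice mail in RSS Feeds and forwards it outside the tenant.
    {"CreationTime": "2026-03-10T09:15:00", "Operation": "New-InboxRule", "UserId": "cfo@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "ForwardTo", "Value": "collector@mail.example.net"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    # Third-party app consented with mailbox read access.
    {"CreationTime": "2026-03-10T09:20:00", "Operation": "Consent to application.",
     "UserId": "cfo@contoso.example", "AppDisplayName": "PDF Converter Pro",
     "Permissions": "openid profile Mail.Read offline_access"},
    # Benign rule: files an internal newsletter into a normal folder, no forwarding.
    {"CreationTime": "2026-03-10T10:00:00", "Operation": "New-InboxRule", "UserId": "hr@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "From", "Value": "news@contoso.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]


def detect_session_replay(events):
    """One SessionId seen from two countries inside REPLAY_WINDOW. A device-bound token would
    have been rejected outright; an unbound one being replayed looks like this."""
    seen = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["CreationTime"]):
        if e["Operation"] != "UserLoggedIn":
            continue
        ts = datetime.fromisoformat(e["CreationTime"])
        for prev_ts, prev in seen[e["SessionId"]]:
            if prev["Country"] != e["Country"] and ts - prev_ts <= REPLAY_WINDOW:
                alerts.append({"rule": "session_replay", "user": e["UserId"], "session": e["SessionId"],
                               "from": f"{prev['Country']}/{prev['ClientIP']}",
                               "to": f"{e['Country']}/{e['ClientIP']}"})
                break
        seen[e["SessionId"]].append((ts, e))
    return alerts


def detect_suspicious_inbox_rules(events):
    """Forwarding outside the tenant, deleting or hiding mail, or a rule named with punctuation only."""
    alerts = []
    for e in events:
        if e["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in e["Parameters"]}
        reasons = []
        for name in sorted(FORWARD_PARAMS.intersection(params)):
            if not params[name].lower().endswith("@" + INTERNAL_DOMAIN):
                reasons.append(f"{name} to external address {params[name]}")
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("DeleteMessage enabled")
        if params.get("MoveToFolder") in HIDE_FOLDERS:
            reasons.append(f"MoveToFolder {params['MoveToFolder']} (common hiding spot)")
        if not params.get("Name", "x").strip(". _-"):
            reasons.append("rule name is only punctuation")
        if reasons:
            alerts.append({"rule": "inbox_rule", "user": e["UserId"], "reasons": reasons})
    return alerts


def detect_risky_consents(events):
    """User consent to an app requesting mailbox or file scopes; the grant survives a password reset."""
    alerts = []
    for e in events:
        if e["Operation"] != "Consent to application.":
            continue
        risky = sorted(SENSITIVE_SCOPES.intersection(e.get("Permissions", "").split()))
        if risky:
            alerts.append({"rule": "oauth_consent", "user": e["UserId"],
                           "app": e["AppDisplayName"], "scopes": risky})
    return alerts


def run_all(events=SAMPLE_EVENTS):
    return detect_session_replay(events) + detect_suspicious_inbox_rules(events) + detect_risky_consents(events)


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

The same three rules map directly onto saved searches or analytics rules in whatever SIEM receives your audit log; the point of keeping the benign HR rule in the sample is to check that the logic alerts on the forwarding and hiding behavior rather than on every new rule.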

Short, enforced session lifetimes for privileged roles. Global administrators, finance users, and HR users should have sessions that expire faster and require re-authentication more often. The inconvenience is small. The reduction in token value is large.

What to Do This Quarter

If you do nothing else this quarter, do these three things. Turn on phishing-resistant MFA for every administrator and every finance or HR user, with passkeys or security keys as the default. Enable token protection and continuous access evaluation in your identity tenant. Set up alerts for new inbox forwarding rules and new OAuth app consents, and have someone on your team or your MSP actually receive and triage those alerts.

The attackers are not going to stop. The phishing kits are getting better, the infostealer ecosystem is getting cheaper, and the tokens are getting easier to replay. The businesses that move first on phishing-resistant MFA and token protection are going to be invisible to the majority of these attacks. The ones that wait are going to be the case studies our sales team uses next year.

Frequently Asked Questions

If MFA can be bypassed, should we stop requiring it?

No. MFA still stops a very large category of attacks, including every password-only attempt and most credential-stuffing campaigns. The right move is to keep MFA on and upgrade to phishing-resistant factors such as passkeys or FIDO2 keys, and to add token protection on top. MFA is the floor, not the ceiling.

Are passkeys really that much better than an authenticator app?

Yes, for this specific threat. Passkeys and FIDO2 keys verify the actual domain of the login page before releasing the cryptographic response. A fake login page cannot complete the handshake because it is not the real domain. Authenticator app codes and push notifications do not perform this check, which is why they can be phished through an AiTM proxy. For user experience, passkeys are also faster than pulling out a phone and typing a six-digit code.

We are a small NJ business without a dedicated security team. Is this too advanced for us?

It is not. Token protection, conditional access, and passkeys are all standard features in Microsoft 365 Business Premium and comparable Google Workspace plans. Most of the configuration is a series of policy toggles, not a platform migration. If you do not have an in-house security team, this is exactly the kind of work your managed IT provider should be doing for you as part of the monthly service, and you should ask them directly whether it is already in place.