They Don't Need Your Password Anymore
Attackers are bypassing your MFA by stealing session tokens — your browser's proof that you already logged in. Here's how it works and what actually stops it.
Last month I helped a friend figure out why someone had drained their crypto exchange account. They had a strong, unique password. They had two-factor authentication enabled. They hadn't clicked any phishing links — at least, not knowingly.
The attacker didn't need the password or the 2FA code. They had something better: a stolen session token.
This is the attack that's making MFA feel like a screen door on a submarine, and it's happening at a scale most people don't realize.
What Session Tokens Are (And Why They Matter)
Every time you log in to a website, the server gives your browser a session token — a cookie that says "this person already proved who they are." From that point on, your browser sends that token with every request instead of asking you to log in again. It's why you can close Gmail and reopen it without entering your password.
That token is, functionally, your identity. Whoever holds it is you, as far as the server is concerned. It doesn't matter how strong your password was or how many factors you used to authenticate. The token is the proof that all of that already happened. If someone copies it into their own browser, they skip the entire login process.
This isn't a new concept. Session hijacking has been around since the early days of the web. What's changed is that stealing these tokens has become industrialized.
Three Ways Attackers Steal Your Sessions
1. Infostealers: The Assembly Line
Infostealer malware is the most common method. These are lightweight programs — often delivered through pirated software, fake downloads, or malicious ads — that grab everything valuable from your browser in seconds: saved passwords, autofill data, and every session cookie.
The big names you'll see in security reports are Lumma, RedLine, Raccoon, and Vidar. They're sold as subscription services on Telegram and dark web forums. A Lumma license costs around $250/month. The operator gets a dashboard showing every machine they've infected and every credential harvested.
Here's the part that should bother you: infostealers don't just grab your password. They grab the cookie that replaces your password after login. Even if you're using a password manager and hardware 2FA, the session token is sitting right there in your browser's cookie storage, and the infostealer takes it.
The stolen tokens end up on markets — Genesis Market got shut down but a dozen replacements popped up — where buyers can purchase a complete browser fingerprint: your cookies, your screen resolution, your timezone, your browser plugins. They load the whole package into an anti-detect browser and they are you.
2. Adversary-in-the-Middle (AiTM) Phishing
This is the sophisticated version, and it's growing fast. You get a phishing email. The link takes you to what looks like a Microsoft 365 or Google login page. You enter your password. You complete MFA. You see your inbox.
Everything felt normal because it was — sort of. You were actually logging in through a reverse proxy controlled by the attacker. The proxy sat between you and the real Microsoft server, passing your credentials through to the real site, completing the real MFA challenge, and then capturing the session token that came back.
Tools like Evilginx2 make this trivially easy to set up. An attacker with basic technical skills can deploy a phishing proxy in an afternoon. The victim completes a legitimate login flow, gets a legitimate session, and never suspects anything. Meanwhile, the attacker has a copy of that session token and can use it from anywhere.
This is why security teams have started calling TOTP codes (those six-digit authenticator app codes) "phishable MFA." They still protect against attackers who only have your password. They do nothing against an attacker who's proxying your entire login session in real time.
3. Malicious Browser Extensions
A browser extension with the right permissions can read every cookie on every site you visit. That includes session tokens. Some malicious extensions have been caught doing exactly this — silently exfiltrating cookies while providing some seemingly useful functionality like a PDF converter or a screenshot tool.
This one is less common than infostealers or AiTM, but it's worth mentioning because people tend to install extensions casually. I wrote about browser extension security recently — the short version is that an extension with "read and change all your data on all websites" permission has the access to steal every session you have.
Why MFA Doesn't Stop This
Let me be clear: MFA is still worth using. It still blocks the most common attack — someone who bought your leaked password from a breach and tries to log in. That attack is orders of magnitude more common than session token theft.
But MFA protects the login. It doesn't protect the session that comes after. Once you've authenticated, the session token carries all the trust. MFA did its job — it verified you at the gate. The problem is that someone photocopied your wristband after you walked through.
This is a fundamental architectural issue with how web authentication works. The entire web was built on the assumption that if you prove your identity once, a cookie can carry that proof forward. That assumption breaks when the cookie can be stolen.
Real Damage, Real Scale
Microsoft's threat intelligence team reported that AiTM phishing attacks targeting their customers increased by over 150% in 2024, and the trend hasn't slowed. They specifically called out token theft as one of the top techniques used to compromise enterprise environments.
On the infostealer side, the numbers are staggering. Security researchers have identified logs from hundreds of millions of infected machines circulating on dark web markets. Each log contains a full set of browser data — cookies, passwords, autofill — from one victim's machine. And these logs are cheap. A few dollars gets you someone's entire browser identity.
A single stolen session token for a corporate email account can be the starting point for a business email compromise that costs the company millions. Get into one mailbox, find invoice threads, redirect payments. It happens every day.
What Actually Protects You
Keep Infostealers Off Your Machine
This is the highest-leverage defense. Most session token theft starts with an infostealer.
- Don't download pirated software. This is the number-one infostealer distribution method. That cracked Photoshop or game trainer is a session-stealing subscription service waiting to upload your browser data.
- Be skeptical of software you find through search ads. Malvertising — malicious ads that appear at the top of search results — is a major infection vector. If you're looking for a tool, go to the official website directly.
- Keep your OS and browser updated. Many infostealers exploit known vulnerabilities that patches have already fixed.
- Use an up-to-date antivirus/EDR. Windows Defender has gotten good at catching commodity infostealers. Let it do its job.
Use Phishing-Resistant Authentication
This is the real answer to AiTM attacks: authentication methods that are cryptographically bound to the real website and can't be proxied.
Passkeys are the big one. A passkey is tied to the specific domain you created it for. If an attacker sets up a proxy at micros0ft-login.com, your passkey for microsoft.com simply won't activate. The phishing proxy gets nothing because the authentication ceremony never happens. I wrote a full guide on setting up passkeys — if you haven't switched yet, now's a good time.
Hardware security keys (YubiKeys, etc.) work the same way. The key verifies it's talking to the real website before signing the authentication challenge. No proxy can fake this.
TOTP codes and SMS codes don't have this property. You type them into whatever page is in front of you, and if that page is a proxy, the attacker captures them in real time.
Shorten Session Lifetimes
This is more of a corporate defense, but if you manage systems: shorten session token lifetimes. A token that expires in an hour gives attackers a one-hour window. A token that lasts 30 days gives them a month.
Yes, shorter sessions mean users re-authenticate more often. That's annoying. But the trade-off is meaningful. A stolen token with a 24-hour lifetime is dramatically less valuable than one that works for weeks.
Watch for Suspicious Sessions
Most major services let you see your active sessions:
- Google: myaccount.google.com/security → Your devices
- Microsoft: account.microsoft.com → Devices & sessions
- GitHub: Settings → Sessions
Check these periodically. If you see a session from a location you don't recognize — especially a different country — revoke it and change your password. The attacker had your token, and invalidating the session kills it.
Enable "Require Re-authentication" Where Available
Some services offer options to require re-authentication for sensitive actions — changing passwords, transferring money, modifying security settings. Enable these. Even if an attacker has your session token, they'll hit a wall when they try to do the most damaging actions.
Watch Your Browser Extensions
Audit what's installed. Remove anything you don't actively use. Check the permissions of what's left. An extension that needs access to "all sites" for a legitimate reason (like a password manager) is different from a weather widget requesting the same permission.
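As an added example (not from the original post), here is a small audit over extension manifest files that flags the combinations the post warns about: host access to every site, the cookies API on top of that, and content scripts injected into every page. The sample manifests are constructed, and the risk labels are this example's own convention; a password manager will legitimately score high here, which is exactly the judgment call the post says a human has to make.

```javascript
// Match patterns that grant access to every site and trigger the
// "read and change all your data on all websites" prompt.
const ALL_SITES_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

function isMatchPattern(entry) {
  return entry === '<all_urls>' || /^(\*|https?|file|ftp):\/\//.test(entry);
}

function coversAllSites(patterns) {
  return patterns.some((p) => ALL_SITES_PATTERNS.has(p));
}

// Audit a single manifest.json object. Manifest V2 mixes host match patterns into
// "permissions"; Manifest V3 lists them separately under "host_permissions".
function auditManifest(manifest) {
  const declared = manifest.permissions || [];
  const apiPermissions = declared.filter((p) => !isMatchPattern(p));
  const hostPermissions = [...declared.filter(isMatchPattern), ...(manifest.host_permissions || [])];
  const contentScriptMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);

  const findings = [];
  if (coversAllSites(hostPermissions)) {
    findings.push('host access to all sites');
  }
  if (apiPermissions.includes('cookies') && coversAllSites(hostPermissions)) {
    findings.push('cookies API plus all-sites host access: can read every session cookie');
  }
  if (coversAllSites(contentScriptMatches)) {
    findings.push('content script runs in every page and can read non-HttpOnly cookies');
  }

  // 'high' and 'review' both mean a human should confirm the extension needs this access.
  const risk = findings.length >= 2 ? 'high' : findings.length === 1 ? 'review' : 'low';
  return { name: manifest.name, manifestVersion: manifest.manifest_version, risk, findings };
}

function auditAll(manifests) {
  return manifests.map(auditManifest);
}

// Constructed sample manifests, not real extensions.
const SAMPLE_MANIFESTS = [
  { name: 'Quick PDF Converter', manifest_version: 3, permissions: ['cookies', 'storage'], host_permissions: ['<all_urls>'] },
  { name: 'Screenshot Tool', manifest_version: 3, permissions: ['activeTab'], host_permissions: ['*://*/*'] },
  { name: 'Weather Widget', manifest_version: 2, permissions: ['storage', 'https://api.weather.example/*'] },
  { name: 'Password Manager', manifest_version: 3, permissions: ['storage'], host_permissions: ['<all_urls>'],
    content_scripts: [{ matches: ['<all_urls>'], js: ['autofill.js'] }] },
];
```

Run `auditAll(SAMPLE_MANIFESTS)` and the PDF converter and the password manager both come back high with the same "all sites" findings; the difference between them is whether the stated purpose needs that access, which is the question to ask of each extension that scores above low.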
What's Coming: Token Binding and Device-Bound Sessions
The long-term fix is making session tokens impossible to use outside the device they were issued to. Google has been working on Device Bound Session Credentials (DBSC), which ties session cookies to a cryptographic key stored in the device's TPM chip. A stolen cookie would be useless on a different machine because the attacker can't extract the TPM-bound key.
Microsoft has similar efforts underway with token protection policies in Entra ID (their corporate identity platform). When enabled, access tokens are bound to the device, and using them from a different device triggers re-authentication.
These technologies are rolling out incrementally. They'll take years to become universal. But they represent the right architectural fix — making the token itself useless without the device that earned it.
What to Do Today
Here's the priority order:
- Switch to passkeys on your most important accounts. This is the single most effective thing you can do against both password theft and AiTM session theft.
- Review your active sessions on Google, Microsoft, GitHub, and your bank. Revoke anything you don't recognize.
- Stop downloading sketchy software. If you've pirated anything recently, assume your browser data has been stolen and rotate your passwords.
- Audit your browser extensions. Remove the ones you don't use. Check permissions on the rest.
- Enable re-authentication requirements for sensitive actions wherever available.
The uncomfortable reality is that the password-plus-MFA model we've relied on for the past decade has a structural weakness, and attackers have found it. Your MFA still matters — it still blocks the most common attacks. But the session token sitting in your browser is the real prize now, and protecting it requires thinking beyond the login page.
The good news is that the defenses exist. Passkeys, hardware keys, device-bound sessions — the technology to fix this is already here. It just needs you to actually turn it on.
Sources: Microsoft Security Blog, BleepingComputer, KrebsOnSecurity