Over the past few years, Multi-Factor Authentication (MFA) has been pushed as the gold standard for securing business accounts, and for good reason. Enabling MFA reduces the risk of account compromise by over 99%, according to Microsoft.
But the conversation has started to shift.
We're now seeing MFA fatigue in users, and worse, some organisations still haven’t enforced it at all. Even among those that have, there's a dangerous sense of complacency: "We’ve got MFA, so we’re safe."
MFA is still essential - but it’s no longer enough on its own.
A growing threat called session hijacking is bypassing MFA entirely, and it's already being used to target Microsoft 365, Microsoft personal accounts and Google accounts like yours.
MFA Is Under Attack
Attackers know they can’t always steal your password, and that your MFA app or code might stop them. So they’ve started targeting the next weak link: your session token. This is the digital pass, held by your browser as a cookie or by an app as a refresh token, that tells Microsoft or Google you have already signed in.
This token is what lets you stay logged in without constantly entering your credentials. If an attacker steals it, they can access your account silently, without your password and without triggering MFA again: the token already carries proof that MFA was completed, so the sign-in logs simply record MFA as satisfied.
And that's where session hijacking comes in.
Session Hijacking: A New Risk That’s Hard to Spot
Session hijacking isn’t new, but it’s becoming much more common, and much easier for attackers to pull off. The tools to do it are freely available on the internet: adversary-in-the-middle phishing kits that proxy the real sign-in page and capture the session cookie as the victim logs in, and infostealer malware that lifts cookies straight out of the browser on the victim’s device.
Why is it hard to spot? Users now work across multiple devices, sign into cloud platforms from everywhere, and often don't log out fully. That convenience comes with a price.
What Is Session Hijacking?
Session hijacking is when a hacker steals a valid login session from a user who has already authenticated. Instead of breaking in with brute force or tricking you into giving up your password, they simply intercept or steal the session token your device uses after login.
It’s like copying a keycard from someone already inside the building.
With that token, the attacker bypasses:
- Password requirements
- MFA checks
- Most security alerts
They appear as a legitimate user, and unless you’re monitoring closely, you’ll have no idea they are inside your system.
Why Is It Dangerous, and Who’s at Risk?
The danger lies in its invisibility. Because there’s no failed login, most traditional security tools don’t raise any red flags.
Attackers can:
- Access and download sensitive documents
- Send phishing emails from your account
- Change mailbox rules or security settings
- Steal, encrypt and delete your data
- Implant further malware or backdoors for future activities
Anyone using Microsoft or Google tools without advanced security policies is at risk. This includes businesses of all sizes, especially those relying on default security settings, basic MFA, or older devices.
What You Can Do to Protect Your Data from Session Hijacking
Here are some simple steps we recommend for safeguarding your business accounts and data:
General Best Practices:
- Sign out of sessions you no longer need, and review the active sessions and devices listed in your account settings
- Avoid public Wi-Fi, but remember that the common theft routes today are phishing proxies and malware on the device rather than the network, so browser and endpoint hygiene matter more
- Use up-to-date, secure browsers, and keep extensions to a minimum, since infostealers and rogue extensions read the browser’s cookie store
- Limit session lengths using policy settings (in Microsoft 365, the sign-in frequency and persistent browser session controls in Conditional Access)
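The last point is a policy setting, and it is easy to believe it is in place when it only exists in a report-only pilot or is scoped to a single group. As an added example (not code from the page, from PS Tech or from Microsoft), the script below audits Conditional Access policies in the shape the Microsoft Graph conditionalAccessPolicy resource returns (what `GET /identity/conditionalAccess/policies` gives you) for the controls that limit what a stolen token is worth: sign-in frequency, no persistent browser session, a managed-device requirement, and a phishing-resistant authentication strength. The sample tenant is constructed, and the displayName used to recognise the built-in phishing-resistant strength is an assumption to check against your own export.

```python
"""Audit exported Conditional Access policies for session-hardening controls.

Added example, not code from the page or from Microsoft. Policies use the
field names of the Microsoft Graph conditionalAccessPolicy resource; the sample
tenant below is constructed. The authentication strength displayName checked
for is an assumption about how the built-in strength is reported.
"""
from __future__ import annotations

# Controls that limit what a stolen token is worth, and where they live.
CONTROLS = {
    "sign_in_frequency": "sessionControls.signInFrequency (re-authenticate after N hours)",
    "no_persistent_browser": "sessionControls.persistentBrowser.mode == never (no 'stay signed in')",
    "managed_device_required": "grantControls.builtInControls compliantDevice / domainJoinedDevice",
    "phishing_resistant_mfa": "grantControls.authenticationStrength = Phishing-resistant MFA",
}

DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}


def _all_users_all_apps(policy: dict) -> bool:
    cond = policy.get("conditions") or {}
    users = (cond.get("users") or {}).get("includeUsers") or []
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    return "All" in users and "All" in apps


def controls_in(policy: dict) -> set[str]:
    """Which of CONTROLS a single policy would enforce if it applied."""
    found = set()
    grant = policy.get("grantControls") or {}
    session = policy.get("sessionControls") or {}

    if (session.get("signInFrequency") or {}).get("isEnabled"):
        found.add("sign_in_frequency")
    pb = session.get("persistentBrowser") or {}
    if pb.get("isEnabled") and pb.get("mode") == "never":
        found.add("no_persistent_browser")

    built_in = set(grant.get("builtInControls") or [])
    # With operator "OR", MFA alone satisfies the policy and the device control
    # is optional; only count it when the policy actually demands a device.
    if built_in & DEVICE_CONTROLS and (grant.get("operator") == "AND" or built_in <= DEVICE_CONTROLS):
        found.add("managed_device_required")

    strength = grant.get("authenticationStrength") or {}
    if strength.get("displayName") == "Phishing-resistant MFA":  # assumption, see docstring
        found.add("phishing_resistant_mfa")
    return found


def audit_policies(policies: list[dict]) -> tuple[dict[str, bool], list[str]]:
    """Return (coverage, warnings). coverage[c] is True when some enabled policy
    enforces control c for all users and all apps; warnings explain policies
    that carry a control but do not count."""
    coverage = {c: False for c in CONTROLS}
    warnings = []
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        found = controls_in(p)
        if not found:
            continue
        if p.get("state") != "enabled":
            warnings.append(f"{name}: carries {sorted(found)} but state is "
                            f"'{p.get('state')}', so nothing is enforced")
            continue
        if not _all_users_all_apps(p):
            warnings.append(f"{name}: enforces {sorted(found)} but not for all users and all apps")
            continue
        excluded = (p["conditions"].get("users") or {}).get("excludeUsers") or []
        if excluded:
            warnings.append(f"{name}: excludes {len(excluded)} user(s) who keep unbounded sessions")
        for c in found:
            coverage[c] = True
    return coverage, warnings


def _policy(name, state, users, apps, grant, session=None, exclude=()):
    return {
        "displayName": name,
        "state": state,
        "conditions": {"users": {"includeUsers": users, "excludeUsers": list(exclude)},
                       "applications": {"includeApplications": apps}},
        "grantControls": grant,
        "sessionControls": session,
    }


# Constructed tenant: MFA is on, but the session controls only exist in a
# report-only pilot and the device requirement is scoped to one group
# (includeUsers is empty; the group reference is omitted from the sample).
SAMPLE_POLICIES = [
    _policy("Require MFA for all users", "enabled", ["All"], ["All"],
            {"operator": "OR", "builtInControls": ["mfa"]}),
    _policy("Session hardening (pilot)", "enabledForReportingButNotEnforced", ["All"], ["All"],
            {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
            {"signInFrequency": {"value": 12, "type": "hours", "isEnabled": True,
                                 "frequencyInterval": "timeBased"},
             "persistentBrowser": {"mode": "never", "isEnabled": True}}),
    _policy("Compliant device for IT admins", "enabled", [], ["All"],
            {"operator": "OR", "builtInControls": ["compliantDevice"]}),
]


if __name__ == "__main__":
    cov, warns = audit_policies(SAMPLE_POLICIES)
    for c, ok in cov.items():
        print(f"{'OK ' if ok else 'GAP'} {c}: {CONTROLS[c]}")
    for w in warns:
        print("warning:", w)
```

Run against the sample tenant, every control comes back as a gap even though the "right" policy exists, because it is in report-only mode; flipping that one policy to `enabled` clears three of the four gaps, leaving only phishing-resistant MFA outstanding.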
Adopt Phishing-Resistant Authentication:
Basic MFA using SMS or authenticator apps is vulnerable to phishing. Instead, use:
- FIDO2 security keys (e.g. YubiKey)
- Windows Hello for Business
- Certificate-based authentication
These are more often found in larger businesses, and they are designed to stop credentials being phished: a FIDO2 key will only sign for the real site it was registered with, so a proxy page in the middle gets nothing it can replay. Note what they do not do on their own: once a legitimate session exists, a cookie or refresh token lifted from the device is still valid unless it is bound to that device, which is what token protection (below) addresses.
Use Security Tools That Detect and Respond:
- Enable real-time threat detection on all endpoints
- Monitor sign-in anomalies (new countries or devices, and in particular successful sign-ins where MFA was satisfied by an existing token rather than a fresh prompt)
- Enforce Conditional Access policies to control access based on risk, location, device, and user behaviour
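Because a replayed token produces a successful sign-in, the useful signal is not a failure but a success with the wrong context. As an added example (not code from the page or from Microsoft), the script below runs that check over sign-in records in the field layout of the Microsoft Graph signIn resource, which is what an Entra sign-in log export contains: it builds a baseline of (country, device) pairs from sign-ins where the user actually completed MFA, then flags sign-ins where MFA was "satisfied by claim in the token" from a pair the baseline has never seen. The records, names and IP addresses are constructed; the fresh-MFA step wording is made up, while the "satisfied by claim in the token" wording is what Entra writes.

```python
"""Flag Entra sign-ins that look like a stolen session token being replayed.

Added example, not code from the page. Records follow the field names of the
Microsoft Graph signIn resource; the records themselves, the names and the IP
addresses are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

# Phrase Entra writes when a sign-in did not prompt for MFA because the
# presented token already carried the MFA claim. A replayed token looks
# exactly like this.
TOKEN_CLAIM = "satisfied by claim in the token"

FRESH = "MFA completed with Microsoft Authenticator"          # constructed wording
REPLAYED = "MFA requirement satisfied by claim in the token"  # real Entra wording


def _record(upn, when, ip, country, device_id, os_, browser, step, error=0):
    """Build one constructed sign-in record in Graph signIn shape."""
    return {
        "userPrincipalName": upn,
        "createdDateTime": when,
        "ipAddress": ip,
        "location": {"countryOrRegion": country},
        "deviceDetail": {"deviceId": device_id, "operatingSystem": os_, "browser": browser},
        "status": {"errorCode": error},
        "authenticationDetails": [{"authenticationStepResultDetail": step}],
    }


SAMPLE_SIGNINS = [
    _record("alice@example.com", "2025-05-06T08:02:11Z", "203.0.113.10", "GB",
            "dev-alice-laptop", "Windows 11", "Edge 124.0.0", FRESH),
    _record("alice@example.com", "2025-05-06T09:40:03Z", "203.0.113.10", "GB",
            "dev-alice-laptop", "Windows 11", "Edge 124.0.0", REPLAYED),
    # Same user, two hours later, different country, unregistered device, no MFA prompt.
    _record("alice@example.com", "2025-05-06T11:15:47Z", "198.51.100.7", "NL",
            "", "Windows 10", "Chrome 124.0.0", REPLAYED),
    # A failed password attempt (error 50126) is ignored: the attacker never needs one.
    _record("alice@example.com", "2025-05-06T11:16:02Z", "198.51.100.7", "NL",
            "", "Windows 10", "Chrome 124.0.0", "", error=50126),
    _record("bob@example.com", "2025-05-06T09:00:00Z", "192.0.2.44", "US",
            "dev-bob-desktop", "Windows 11", "Edge 124.0.0", FRESH),
    _record("bob@example.com", "2025-05-06T09:30:00Z", "192.0.2.44", "US",
            "dev-bob-desktop", "Windows 11", "Edge 124.0.0", REPLAYED),
]


def _when(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def _device_key(rec):
    # Registered devices carry a deviceId; otherwise fall back to OS + browser.
    d = rec.get("deviceDetail") or {}
    return d.get("deviceId") or f"{d.get('operatingSystem', '?')}|{d.get('browser', '?')}"


def mfa_was_fresh(rec) -> bool:
    steps = rec.get("authenticationDetails") or []
    return not any(TOKEN_CLAIM in (s.get("authenticationStepResultDetail") or "") for s in steps)


def find_token_replay_candidates(records):
    """Return successful sign-ins where MFA was satisfied by an existing token
    from a (country, device) pair never seen in a sign-in where the user really
    completed MFA. There is no failed login to alert on, so the fresh-MFA
    baseline is the only thing to compare against."""
    by_user = defaultdict(list)
    for r in records:
        if (r.get("status") or {}).get("errorCode", 0) == 0:
            by_user[r["userPrincipalName"]].append(r)

    findings = []
    for upn, recs in by_user.items():
        recs.sort(key=_when)
        baseline = set()  # (country, device) pairs seen with a real MFA prompt
        for r in recs:
            key = ((r.get("location") or {}).get("countryOrRegion"), _device_key(r))
            if mfa_was_fresh(r):
                baseline.add(key)
            elif key not in baseline:
                findings.append({
                    "user": upn,
                    "time": r["createdDateTime"],
                    "ip": r.get("ipAddress"),
                    "country": key[0],
                    "device": key[1],
                    # No baseline at all usually means the log window started
                    # mid-session: worth a look, but not an alarm by itself.
                    "severity": "high" if baseline else "low",
                })
    return findings


if __name__ == "__main__":
    for f in find_token_replay_candidates(SAMPLE_SIGNINS):
        print(f)
```

On the sample data only Alice's 11:15 sign-in from the Netherlands on an unregistered Chrome browser is flagged; her earlier token-satisfied sign-in from the usual laptop and Bob's are not, and the failed password attempt plays no part, which is the point: the attacker never produces one.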
How Microsoft 365 Business Premium Now Protects Against Session Hijacking
If you're using Microsoft 365 Business Premium, you’ve now got access to the tools needed to combat session hijacking. You just need to configure them properly.
Microsoft’s Latest Defences:
- Token protection policies: Bind sign-in tokens to the device they were issued to, so a token copied elsewhere is rejected. At the time of writing this covers the refresh tokens used by a subset of Microsoft’s Windows desktop clients rather than every browser cookie, so treat it as one layer among several.
- Sign-in risk detection: Flags and blocks suspicious login patterns — even with valid credentials. Risk-based Conditional Access is an Identity Protection feature that needs Entra ID P2; Business Premium includes Entra ID P1, so check your licensing before relying on it.
- Conditional Access policies: Prevent access from unknown or unmanaged devices by requiring an Intune-compliant or joined device as a grant control, and cap how long a session lasts with sign-in frequency.
- Defender for Office 365: Blocks malicious links, attachments, and phishing attempts before users can click.
Combined, these features help detect and prevent token misuse before damage is done.
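The difference between the bearer token described under "What Is Session Hijacking?" and the device-bound token that token protection relies on is easiest to see in code. As an added example (not code from the page, from PS Tech or from Microsoft), the model below issues both kinds of session for the same user and then replays them from an attacker's machine the way an infostealer or phishing proxy would. It stands in for device binding with an HMAC over a per-device secret; real token protection signs with a key held in the device's TPM, which the `Device` class here approximates. All names, paths and values are made up.

```python
"""Bearer session tokens vs device-bound tokens.

Added example, not code from the page or from Microsoft. It models the idea
behind token protection (a token is only accepted from the device it was
issued to) with an HMAC proof over a per-device secret. Real device binding
signs with a key held in the device's TPM; Device stands in for it.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

PROOF_MAX_AGE = 60  # seconds; a captured proof cannot be replayed after this


def compute_proof(secret: bytes, token: str, method: str, path: str, ts: int) -> str:
    """Proof of possession: ties the token to the device key, the request and a time."""
    msg = f"{token}|{method} {path}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Device:
    """The user's device. The binding key never leaves it (TPM in real life)."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self._key = secrets.token_bytes(32)

    def binding_key(self) -> bytes:
        return self._key  # shared with the service once, at registration

    def prove(self, token: str, method: str, path: str, ts: int) -> str:
        return compute_proof(self._key, token, method, path, ts)


class Service:
    """Identity provider and resource server rolled into one for the model."""

    def __init__(self):
        self.sessions = {}     # token -> {"user": ..., "device_id": ... or None}
        self.device_keys = {}  # device_id -> binding key

    def register_device(self, device: Device):
        self.device_keys[device.device_id] = device.binding_key()

    def issue_session(self, user: str, device_id: str | None = None) -> str:
        """Called after password + MFA succeed. With device_id=None the token is
        a plain bearer token: whoever holds it is the user."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "device_id": device_id}
        return token

    def check_bearer(self, token: str):
        s = self.sessions.get(token)
        return s["user"] if s else None

    def check_bound(self, token, method, path, ts, proof, now=None):
        """Accept only if the proof was made with the key of the device the
        token was issued to, for this exact request, recently."""
        s = self.sessions.get(token)
        if not s or s["device_id"] is None:
            return None
        now = int(time.time()) if now is None else now
        if abs(now - ts) > PROOF_MAX_AGE:
            return None
        expected = compute_proof(self.device_keys[s["device_id"]], token, method, path, ts)
        if not hmac.compare_digest(expected, proof):
            return None
        return s["user"]


def demo(now: int = 1_700_000_000) -> dict:
    """Issue one bearer and one bound session for Alice, then replay both
    from an attacker's machine that holds the tokens but not the laptop's key."""
    svc = Service()
    laptop = Device("laptop-01")
    svc.register_device(laptop)
    bearer = svc.issue_session("alice@example.com")
    bound = svc.issue_session("alice@example.com", laptop.device_id)

    attacker_box = Device("attacker-vm")
    good_proof = laptop.prove(bound, "GET", "/mail", now)

    return {
        "bearer_replay": svc.check_bearer(bearer),
        "bound_no_proof": svc.check_bound(bound, "GET", "/mail", now, "", now=now),
        "bound_attacker_key": svc.check_bound(
            bound, "GET", "/mail", now, attacker_box.prove(bound, "GET", "/mail", now), now=now),
        "bound_real_device": svc.check_bound(bound, "GET", "/mail", now, good_proof, now=now),
        "bound_proof_replayed_later": svc.check_bound(
            bound, "GET", "/mail", now, good_proof, now=now + 300),
        "bound_proof_other_path": svc.check_bound(bound, "GET", "/files", now, good_proof, now=now),
    }


if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name:28} -> {'access as ' + who if who else 'rejected'}")
```

The stolen bearer token grants access with nothing else; the stolen bound token is rejected without a proof, with a proof made by the attacker's own key, with a captured proof replayed five minutes later, and with a captured proof reused against a different path. Only the real laptop, holding the binding key, gets in.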
Don’t Ditch MFA - Just Improve It
Despite the risks, don’t be tempted to abandon MFA. It's still a crucial layer in your cyber defence strategy.
What’s changing is how you use MFA:
- Ditch weak MFA methods (like SMS)
- Upgrade to phishing-resistant options
- Enforce MFA across all accounts, not just admin users
And remember: MFA fatigue is real. Communicate with users clearly, train them well, and make secure access as seamless as possible.
How PS Tech Helps Businesses Stay Secure
At PS Tech, we work with growing businesses to ensure their Microsoft 365 environment is secured beyond the basics. That includes:
- Enforcing Multi-Factor Authentication
- Designing and managing Conditional Access policies
- Deploying endpoint security on computers and protection across Microsoft 365
- Configuring phishing protection, Safe Links, and Safe Attachments
- Securing DNS and email domain settings (SPF, DKIM, DMARC)
- Delivering end-user awareness training
- Continuous monitoring for unusual logins or threats
- Ensuring compliance with Cyber Essentials
We make sure your users stay protected, your data stays private, and your Microsoft environment works for your business.
Ready to Check Your Microsoft 365 Security?
If you're unsure whether your systems are protected against session hijacking or other modern threats, let's talk.
Get in touch for a Microsoft 365 security review.
Let’s make sure the next attack never gets past your front door.