A user types their password, taps the MFA prompt on their phone, lands on the real Microsoft 365 page. Meanwhile someone in another country is already reading their inbox.
No password was cracked. The attacker just stole the session cookie Microsoft handed out after login. From that point the cookie is the user, and MFA is irrelevant.
How it actually works
When you sign in to Microsoft 365, Entra ID drops a session cookie in your browser (ESTSAUTH, or ESTSAUTHPERSISTENT if you ticked "Stay signed in"). That cookie is what keeps you logged in for days at a time, and it already carries the proof that MFA was completed. Copy it onto another machine and Microsoft sees the same authenticated session. No password prompt, no MFA challenge.
The trick is getting the cookie. That's where Adversary-in-the-Middle phishing comes in. Kits like EvilProxy, Tycoon 2FA and Mamba 2FA don't bother with fake login pages. They run a reverse proxy on a lookalike domain in front of the real Microsoft login. The victim authenticates against the actual Microsoft endpoint, MFA step included. The proxy quietly logs the password and captures the Set-Cookie response on its way back to the browser.
The user never notices. They got logged in. The site had a valid certificate, issued for the lookalike domain, so the padlock was genuine. MFA worked the way it always does. The only tell was the hostname in the address bar. The attacker walks away with a cookie that lets them act as that account for the lifetime of the session.
This is not theoretical. EvilProxy has been hitting Fortune 500 executives for years. Tycoon 2FA is one of the most common phishing-as-a-service platforms in business email compromise cases. Storm-0558 forged tokens for US government Outlook accounts in 2023 by stealing a Microsoft signing key. Different methods, same lesson: a valid token is enough.
What actually stops it
Awareness training does not. The page content is Microsoft's, the certificate is valid, the MFA prompt is the usual one, and the user did everything they were told. The only thing wrong was the hostname.
What works is moving the trust off the password and onto the device. FIDO2 security keys and Windows Hello for Business sign cryptographic challenges that include the origin the browser is actually on and the RP ID the credential was registered for. A reverse proxy on a lookalike domain cannot relay them, full stop: the browser fills in the lookalike origin itself and refuses to use Microsoft's RP ID from a page that is not on Microsoft's domain. If you do one thing this quarter, do that. Two caveats. Enforce it with a Conditional Access authentication strength, otherwise the proxy simply steers the user to a weaker method that is still registered on the account. And it protects the sign-in, not a cookie that has already been issued; an infostealer on the endpoint can still lift that.
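To make the "cannot relay" claim concrete, here is the relying-party side of a WebAuthn assertion check, written as an added example for this article (it is not code from the page, from Microsoft or from SecValley). It implements the clientDataJSON and authenticatorData checks from the WebAuthn assertion-verification procedure and shows three constructed ceremonies: the user really on the RP's origin, the user on a proxy's lookalike page, and a proxy that rewrites the origin field before forwarding. The RP ID "login.microsoft.com" and origin "https://login.microsoft.com" are assumed illustrative values, the lookalike host is made up, and the final ECDSA signature check is left to a crypto library because it is not what defeats the proxy: the binding checks fail first, and tampering with clientDataJSON changes the bytes that were signed.

```python
"""Relying-party binding checks for a WebAuthn assertion (added example, not the article's code)."""
import base64
import hashlib
import json
import struct
from dataclasses import dataclass
from typing import Optional

# Assumed illustrative values for the legitimate ceremony; confirm against your tenant.
RP_ID = "login.microsoft.com"
RP_ORIGIN = "https://login.microsoft.com"
# Constructed lookalike host for the AiTM proxy; not a real domain.
PROXY_ORIGIN = "https://login.microsoft-online-secure.example"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


@dataclass
class BindingResult:
    ok: bool
    reason: str
    # authenticatorData || SHA-256(clientDataJSON): the exact bytes the authenticator signed.
    # Hand this plus the signature to an ECDSA/RSA verifier (not included here).
    signed_payload: Optional[bytes] = None


def check_binding(client_data_json: bytes, auth_data: bytes, *, expected_origin: str,
                  rp_id: str, expected_challenge: bytes) -> BindingResult:
    """type, challenge, origin and rpIdHash must all match before the signature is even looked at."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return BindingResult(False, "clientDataJSON is not valid JSON")
    if cd.get("type") != "webauthn.get":
        return BindingResult(False, "type is not webauthn.get")
    if cd.get("challenge") != b64url(expected_challenge):
        return BindingResult(False, "challenge mismatch (stale or replayed request)")
    if cd.get("origin") != expected_origin:
        return BindingResult(False, f"origin {cd.get('origin')!r} is not {expected_origin!r}")
    if len(auth_data) < 37:
        return BindingResult(False, "authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return BindingResult(False, "rpIdHash is not SHA-256 of the expected RP ID")
    if not flags & 0x01:
        return BindingResult(False, "user-presence flag not set")
    payload = auth_data + hashlib.sha256(client_data_json).digest()
    return BindingResult(True, "binding checks passed; now verify the signature over signed_payload", payload)


# --- Constructed inputs modelling what the browser and the authenticator produce ---

def browser_client_data(page_origin: str, challenge: bytes) -> bytes:
    """The browser, not the page script, fills in 'origin' with the origin it is really on."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": page_origin, "crossOrigin": False}).encode()


def authenticator_data(rp_id: str, flags: int = 0x05, sign_count: int = 7) -> bytes:
    """rpIdHash (32) || flags (1) || signCount (4, big-endian). 0x05 = UP | UV."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def demo():
    challenge = b"\x11" * 32  # constructed; a real RP uses a fresh random challenge per ceremony

    # 1. User is genuinely on the RP origin: everything lines up.
    legit = check_binding(browser_client_data(RP_ORIGIN, challenge), authenticator_data(RP_ID),
                          expected_origin=RP_ORIGIN, rp_id=RP_ID, expected_challenge=challenge)

    # 2. User is on the proxy's lookalike page. The browser records the lookalike origin and only
    #    permits an RP ID within that page's own domain, so the relayed assertion fails at the real RP.
    proxy_host = PROXY_ORIGIN.split("//", 1)[1]
    relayed = check_binding(browser_client_data(PROXY_ORIGIN, challenge), authenticator_data(proxy_host),
                            expected_origin=RP_ORIGIN, rp_id=RP_ID, expected_challenge=challenge)

    # 3. Proxy rewrites 'origin' in clientDataJSON before forwarding (and, hypothetically, had an
    #    authenticator response scoped to the real RP ID, which the browser does not allow from the
    #    lookalike page). Binding checks pass, but the RP reconstructs different signed bytes than the
    #    authenticator actually signed, so the signature verification that follows cannot succeed.
    real_client_data = browser_client_data(PROXY_ORIGIN, challenge)
    signed_by_authenticator = authenticator_data(RP_ID) + hashlib.sha256(real_client_data).digest()
    tampered = check_binding(browser_client_data(RP_ORIGIN, challenge), authenticator_data(RP_ID),
                             expected_origin=RP_ORIGIN, rp_id=RP_ID, expected_challenge=challenge)
    payload_differs = tampered.signed_payload != signed_by_authenticator
    return legit, relayed, tampered, payload_differs


if __name__ == "__main__":
    for label, result in zip(("legit", "relayed", "tampered"), demo()[:3]):
        print(f"{label:9s} ok={result.ok} {result.reason}")
    print("tampered payload differs from signed bytes:", demo()[3])
```

The point to take from case 2 is that the proxy never gets to choose what goes into the signed data: the origin is written by the victim's browser, and the RP ID is pinned to the page's domain before the authenticator is even touched. Case 3 shows why rewriting it does not help either.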
After that it is Conditional Access doing its job. Require managed, compliant devices for anything sensitive. Turn on Token Protection so refresh tokens are bound to the Windows device that received them, and check which apps and sign-in flows it covers in your tenant before you count on it, because browser sessions have lagged behind the desktop apps. Shorten sign-in frequency for admins and finance. Enable Continuous Access Evaluation so a session is revoked within minutes of a password reset, an account disable or a risk signal, instead of living until the token expires. Alert on the obvious post-theft pattern, the same session suddenly used from a new country a few minutes after a normal sign-in.
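The "same session, new country" alert is simple enough to show end to end. Below is an added example, not the article's or SecValley's code, that runs the rule over a handful of constructed records shaped like Entra ID SigninLogs entries (field names follow that schema, camel-cased; the users, IPs, countries and session IDs are made up). It keys on SessionId, compares every later use of a session to the first successful sign-in, and raises the severity when the user agent changed as well, which is the usual shape of a replayed cookie. The 24-hour window and the severity rule are assumptions to tune, not Microsoft defaults.

```python
"""Detect an Entra session reused from a new country shortly after sign-in (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed records shaped like Entra ID SigninLogs (subset of fields). Not real data.
SAMPLE_SIGNINS = """
{"createdDateTime":"2024-05-14T08:02:11Z","userPrincipalName":"cfo@contoso.example","sessionId":"a1f3","ipAddress":"203.0.113.10","location":{"countryOrRegion":"NL"},"userAgent":"Mozilla/5.0 (Windows NT 10.0) Edge/124.0","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2024-05-14T08:09:40Z","userPrincipalName":"cfo@contoso.example","sessionId":"a1f3","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NG"},"userAgent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/123.0","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2024-05-14T09:15:03Z","userPrincipalName":"dev@contoso.example","sessionId":"77c2","ipAddress":"203.0.113.44","location":{"countryOrRegion":"NL"},"userAgent":"Mozilla/5.0 (Windows NT 10.0) Edge/124.0","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2024-05-14T12:30:00Z","userPrincipalName":"dev@contoso.example","sessionId":"77c2","ipAddress":"203.0.113.91","location":{"countryOrRegion":"NL"},"userAgent":"Mozilla/5.0 (Windows NT 10.0) Edge/124.0","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2024-05-14T13:00:00Z","userPrincipalName":"sales@contoso.example","sessionId":"9e0b","ipAddress":"192.0.2.5","location":{"countryOrRegion":"DE"},"userAgent":"Mozilla/5.0 (iPhone) Safari/604.1","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2024-05-14T13:04:00Z","userPrincipalName":"sales@contoso.example","sessionId":"9e0b","ipAddress":"192.0.2.200","location":{"countryOrRegion":"AT"},"userAgent":"Mozilla/5.0 (iPhone) Safari/604.1","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
"""

WINDOW = timedelta(hours=24)  # assumed tuning value, not a Microsoft default


def parse_signins(text: str) -> List[dict]:
    """One JSON object per line, as exported from Log Analytics; returned sorted by time."""
    rows = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for r in rows:
        r["_ts"] = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(rows, key=lambda r: r["_ts"])


def session_hijack_alerts(rows: List[dict], window: timedelta = WINDOW) -> List[Dict]:
    """Same SessionId, different country than its first successful sign-in, inside the window.
    Severity is 'high' when the user agent changed too: a cookie replayed from another machine."""
    by_session = defaultdict(list)
    for r in rows:
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # a failed sign-in never produced a usable session
        by_session[r["sessionId"]].append(r)

    alerts = []
    for sid, events in by_session.items():
        first = events[0]  # the interactive, MFA-satisfied sign-in that minted the session
        for later in events[1:]:
            if later["_ts"] - first["_ts"] > window:
                break
            if later["location"]["countryOrRegion"] == first["location"]["countryOrRegion"]:
                continue
            ua_changed = later["userAgent"] != first["userAgent"]
            alerts.append({
                "user": first["userPrincipalName"],
                "sessionId": sid,
                "from_country": first["location"]["countryOrRegion"],
                "to_country": later["location"]["countryOrRegion"],
                "from_ip": first["ipAddress"],
                "to_ip": later["ipAddress"],
                "minutes": round((later["_ts"] - first["_ts"]).total_seconds() / 60, 1),
                "severity": "high" if ua_changed else "medium",
            })
    return alerts


if __name__ == "__main__":
    for a in session_hijack_alerts(parse_signins(SAMPLE_SIGNINS)):
        print(f"[{a['severity']}] {a['user']} session {a['sessionId']}: "
              f"{a['from_country']} -> {a['to_country']} after {a['minutes']} min")
```

On the sample data the first session fires as high (Netherlands to Nigeria in seven minutes, different browser), the second stays quiet, and the third fires as medium (Germany to Austria on the same phone, which a commuter can produce). That medium tier is where a real deployment adds context: known egress ranges, impossible-travel distance, or whether the later event touched Exchange or a mailbox rule.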
Most teams already pay for these features. Few have them turned on cleanly. Conditional Access has holes, legacy auth is still allowed somewhere, a break-glass account has no MFA at all, Token Protection is sitting unused. That is the gap SecValley's CSPM platform is designed to find, with 500+ checks across Microsoft 365, Entra ID and Azure focused on the identity hygiene that decides whether a stolen cookie is worth anything.
MFA is not dead. It is just no longer the whole defense. The session is the new asset. Treat it like one.