Module 14: Investigating Token Replay and Session Hijacking

3-5 hours · Manage Incident Response (25-30%)

Module 12 introduced token replay as part of the AiTM attack chain — the attacker captures the session token and uses it to access the victim’s mailbox. Module 13 showed what the attacker does with that access. This module goes deep on the token itself: how M365 tokens work, why they persist after password resets, how to tell token replay in the logs from legitimate multi-device usage, and how to deploy the controls that make token replay impossible.

Token replay is the reason AiTM phishing is dangerous. Without token replay, AiTM captures a password — useless if MFA is enforced. With token replay, AiTM captures a session that has already passed MFA — and that session remains valid for hours (access tokens) or months (refresh tokens) regardless of password changes.

This module teaches you to investigate, contain, and prevent token-based attacks with the precision that comes from understanding the underlying token mechanics.

What you will build during this module

Token Investigation Playbook. Decision tree for investigating suspected token replay: distinguishing replay from legitimate multi-device usage, identifying the token source (AiTM, malware, token theft), assessing the scope of token-based access, and executing token-specific containment.

5 Token Detection Rules. KQL analytics rules covering: sign-in from multiple IPs within session, non-interactive sign-in from non-corporate IP, token used after password reset, refresh token usage from new device, and session anomaly detection.

Token Containment Checklist. Step-by-step containment procedure specific to token-based attacks: revocation sequence, verification queries, and the distinction between access token and refresh token revocation.

CAE and Token Protection Deployment Guide. Complete deployment guide for Continuous Access Evaluation (strict mode) and Conditional Access Token Protection, with blast radius, cost, rollback, prerequisite checks, and GRC mapping.
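As an added example of the "token used after password reset" rule named above (constructed for this page, not the module's own rule set), the KQL below joins successful non-interactive sign-ins from AADNonInteractiveUserSignInLogs against password-reset events in AuditLogs and enriches each post-reset token use with whether the source IP was seen in the week before the reset. It assumes the standard Microsoft Sentinel schema for those two tables and the OperationName values shown; verify both in your workspace and tune the windows to your tenant.

```kql
// Added example rule: successful non-interactive (token-based) sign-ins that
// occur AFTER the user's password was reset. Assumes the standard Sentinel
// AuditLogs / AADNonInteractiveUserSignInLogs schema (assumption: verify in
// your workspace). Constructed for this page, not the module's own rule.
let lookback = 14d;
let baselineWindow = 7d;
// 1. Latest successful password reset per target user.
let resets =
    AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName in ("Reset user password", "Reset password (by admin)")
    | where Result == "success"
    | mv-expand TargetResource = TargetResources
    | extend TargetUpn = tolower(tostring(TargetResource.userPrincipalName))
    | where isnotempty(TargetUpn)
    | summarize ResetTime = max(TimeGenerated) by TargetUpn;
// 2. Successful token-based sign-ins for those users. An interactive login
//    after the reset is expected; a non-interactive one reuses an old token.
let signins =
    AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | extend Upn = tolower(UserPrincipalName)
    | join kind=inner resets on $left.Upn == $right.TargetUpn;
// 3. IPs the user used in the week before the reset. Caveat: if the attacker
//    was already replaying the token before the reset, their IP lands in this
//    baseline too, so treat NewIpSinceReset as a triage aid, not a filter.
let knownIps =
    signins
    | where TimeGenerated between ((ResetTime - baselineWindow) .. ResetTime)
    | summarize KnownIps = make_set(IPAddress) by Upn;
// 4. Every post-reset token use, enriched for triage.
signins
| where TimeGenerated > ResetTime
| join kind=leftouter knownIps on Upn
| extend NewIpSinceReset = not(coalesce(set_has_element(KnownIps, IPAddress), false))
| extend MinutesAfterReset = datetime_diff('minute', TimeGenerated, ResetTime)
| project TimeGenerated, Upn, ResetTime, MinutesAfterReset, NewIpSinceReset,
          IPAddress, AppDisplayName, ResourceDisplayName, IncomingTokenType,
          SessionId, UniqueTokenIdentifier, UserAgent
| order by NewIpSinceReset desc, Upn asc, TimeGenerated asc
```

Any row here shows a token that survived the reset; rows with NewIpSinceReset true are the first to triage, and the SessionId and UniqueTokenIdentifier values carry into the revocation verification queries.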

Prerequisites

Complete Modules 1 (Defender XDR), 6 (KQL), 9 (detections), and 11 (AiTM investigation). Module 12 sections 11.1 and 11.5 provide the foundation — this module assumes you understand the AiTM attack chain and sign-in log analysis.

MITRE ATT&CK techniques covered

T1550.001 (Use Alternate Authentication Material: Application Access Token), T1528 (Steal Application Access Token), T1078.004 (Valid Accounts: Cloud Accounts), T1539 (Steal Web Session Cookie).

Compliance mapping

NIST CSF: PR.AC-7 (Authentication), DE.AE-2 (Anomalous activity detected), RS.MI-1 (Incidents are contained). ISO 27001: A.8.5 (Secure authentication), A.8.16 (Monitoring activities). SOC 2: CC6.1 (Logical access controls), CC7.4 (Respond to incidents).

How this module is structured

13.1 — How M365 Tokens Work. Access tokens, refresh tokens, primary refresh tokens, session cookies. Lifetimes, renewal, and what revocation actually does.

13.2 — Incident Briefing: INC-2026-0320-003. The scenario: a user’s password was reset after AiTM compromise, but the attacker is still accessing the mailbox 48 hours later.

13.3 — Identifying Token Replay in Sign-In Logs. Distinguishing token replay from legitimate multi-device usage. The specific log fields that differentiate them.

13.4 — Tracing Token Lifecycle. Following a stolen token from capture through renewal, resource access, and eventual expiry or revocation.

13.5 — Non-Interactive Sign-In Deep Dive. The AADNonInteractiveUserSignInLogs table — the primary evidence source for token replay. Fields, patterns, and investigation queries.

13.6 — Token-Specific Containment. Revoking access tokens vs refresh tokens. The revocation gap. Emergency vs standard revocation procedures.

13.7 — Continuous Access Evaluation (CAE). How CAE works, what it protects against, standard vs strict enforcement, and deployment.

13.8 — Token Protection (Token Binding). Conditional Access token protection — binding tokens to devices. Deployment with blast radius, prerequisites, and rollback.

13.9 — Detection Engineering. 5 deployable KQL analytics rules for token replay detection.

13.10 — Module Assessment. 20 scenario-based questions testing token investigation and containment decisions.

Sections in this module