MFA Token Theft Explained

Most UAE organisations now use some form of MFA — SMS codes, authenticator apps, or email OTPs.
It’s become the standard security advice: “Turn on MFA to stay safe.”

But over the last year, a quiet shift has happened.

Even with MFA enabled, attackers are still getting into business email accounts, cloud dashboards, and internal systems. And in many cases, employees did everything right — they entered the correct password, approved the login, and yet the attacker still got in.

The reason?
A technique called MFA token theft.


What Does MFA Token Theft Even Mean?

When you log in using MFA, your browser or app receives something called a session token.

A good way to picture it is like getting a stamp on your hand at a concert:

  • You show your ticket (password)
  • You get a stamp (MFA token)
  • Now security won’t ask you again for the ticket — you can move in and out freely

Attackers realised:

If they steal that stamp, they can walk right in — without ever touching MFA again.

That’s the entire idea behind MFA token theft.

How MFA Token Theft Actually Happens

There are several techniques, but here are the most common ones seen in the region:

Fake Microsoft/Google Login Pages (Reverse Proxy Attacks)

This method is popular because it looks so real that even trained employees fall for it.
Here’s the flow:

  • You click a link that looks like a Microsoft 365 login
  • You enter your email and password
  • You enter your OTP
  • The login works — everything looks normal
  • But behind the scenes, a fake page acted as a “middleman” and quietly captured your session token

Attackers now have what they need to log in as you without MFA.

Info-Stealer Malware

If a laptop or browser gets infected:

  • Saved cookies
  • Login sessions
  • MFA tokens

…can all be extracted and reused by attackers. This is one reason why outdated browsers or unpatched laptops become major risks.

Session Replay & Browser Sync

Some users have browser sync enabled (Chrome, Edge, Firefox).
If that synced account is compromised, attackers may inherit live sessions too.

In short — your session “travels” farther than you think.

Why UAE Businesses Are Seeing More of These Attacks

A lot of organisations in the UAE rely on:

  • Microsoft 365
  • Google Workspace
  • Remote access tools
  • BYOD laptops and mobiles

That means a single compromised account can lead to:

  • Fake invoices sent to clients
  • Payroll fraud
  • HR mailbox compromise
  • Internal document theft
  • Supplier payment manipulation

We’ve seen incidents where just one stolen session token led to weeks of unnoticed access.

A Real Example

Toward the end of 2024, a Dubai-based firm experienced a targeted phishing campaign. Employees logged into a near-perfect Microsoft 365 clone page.

  • Their credentials were valid
  • They completed MFA
  • The login even redirected correctly

But their tokens were captured.

Attackers entered the mailbox, monitored conversations, and eventually sent a modified invoice to a client — resulting in financial loss.

This isn’t rare anymore — it’s becoming standard attack behaviour.

How UAE Companies Can Reduce MFA Token Theft Risks

Here are practical, realistic steps that most organisations can apply:

Switch to phishing-resistant MFA

  • FIDO2 security keys (YubiKey)
  • Passkeys
  • Platform-bound credentials

Strengthen session controls

  • Reduce token lifetime
  • Require reauthentication for sensitive actions

Improve sign-in protections

  • Block high-risk IPs
  • Require MFA for new devices
  • Alert on unusual travel or impossible login patterns

Train employees on modern phishing

  • Show them real “proxy-style” phishing screenshots — not old-fashioned fake emails.
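
One way to implement the "alert on unusual travel" idea for stolen sessions, as an added example that is not part of the original article: the Python below scans sign-in records and flags a session token that reappears from a different IP on a different device or at a physically impossible distance. The log fields, sample events, user names and thresholds are constructed assumptions, not any vendor's real log schema.

```python
# Added example: flag reuse of one session token from a second location/device.
# All events, field names and thresholds below are constructed for illustration.
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900  # assumption: faster than a commercial flight is "impossible travel"
MIN_KM = 50    # assumption: ignore small moves caused by imprecise IP geolocation

EVENTS = [  # constructed activity records; IPs are from documentation ranges
    {"ts": "2024-11-03T08:01:00", "user": "user.a", "session": "S1", "ip": "198.51.100.10", "lat": 25.20, "lon": 55.27, "ua": "Edge/Windows"},
    {"ts": "2024-11-03T08:40:00", "user": "user.a", "session": "S1", "ip": "198.51.100.10", "lat": 25.20, "lon": 55.27, "ua": "Edge/Windows"},
    {"ts": "2024-11-03T09:05:00", "user": "user.a", "session": "S1", "ip": "203.0.113.77", "lat": 52.37, "lon": 4.90, "ua": "Chrome/Linux"},
    {"ts": "2024-11-03T09:10:00", "user": "user.b", "session": "S2", "ip": "198.51.100.22", "lat": 24.45, "lon": 54.38, "ua": "Chrome/macOS"},
    {"ts": "2024-11-03T12:30:00", "user": "user.b", "session": "S2", "ip": "198.51.100.90", "lat": 25.20, "lon": 55.27, "ua": "Chrome/macOS"},
]

def km_between(a, b):
    """Great-circle (haversine) distance between two events, in km."""
    la1, lo1, la2, lo2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def find_session_reuse(events, max_kmh=MAX_KMH):
    """Return alerts for sessions whose token appears where the user cannot be."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        prev = last_seen.get(ev["session"])
        last_seen[ev["session"]] = ev
        if prev is None or prev["ip"] == ev["ip"]:
            continue  # first use (where MFA happened) or same source: nothing to compare
        delta = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(prev["ts"])
        hours = max(delta.total_seconds() / 3600, 1 / 60)  # avoid divide-by-zero
        dist = km_between(prev, ev)
        reasons = []
        if dist > MIN_KM and dist / hours > max_kmh:
            reasons.append("impossible_travel")
        if prev["ua"] != ev["ua"]:
            reasons.append("device_changed")
        if reasons:
            alerts.append({"user": ev["user"], "session": ev["session"],
                           "ip": ev["ip"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_session_reuse(EVENTS):
        print(alert)
```

Session S1 is flagged because the same token moves from Dubai to Amsterdam in 25 minutes on a different browser, while S2 (a plausible Abu Dhabi to Dubai move on the same device) is not.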

Conclusion — The Modern Login Problem

MFA still matters.
It prevents a huge amount of everyday cybercrime.
But as attackers evolve, the way we secure accounts has to evolve too.

Understanding MFA token theft is the first step toward modern, cloud-aware security. Whether you’re a small team in Dubai or a large enterprise in Abu Dhabi, ensuring that your users, devices, and sessions are protected is essential.

If you’d like help reviewing your cloud login security or strengthening Microsoft 365 and Google Workspace protection, Eshield IT Services can support you with practical, UAE-focused cybersecurity solutions.
