Key Takeaways: Multi-factor authentication is one of the best security upgrades a small business can make, but attackers have found ways to go around it without ever touching your password. Session hijacking lets them steal proof that you’re already logged in and reuse it to access your accounts, cloud apps, and business data without triggering a single authentication prompt. This post explains how it works in plain terms, why standard MFA doesn’t stop it, and what layered controls actually do.
Most business owners who have set up multi-factor authentication feel like they’ve closed the biggest gap in their security. And to be fair, MFA does close a lot of gaps. Microsoft’s data consistently shows it blocks more than 99% of automated credential attacks. It’s one of the highest-return security investments a small business can make.
But attackers have adapted. They’re not always trying to defeat your login anymore. They’re targeting what happens after your login succeeds.
In 2025 alone, infostealer malware collected over 94 billion browser cookies, many of them containing active session tokens from authenticated business accounts. Research from 2025 found that 54% of ransomware victims had their domain credentials, including session tokens, appear on the dark web before the attack occurred. MFA protected the login. It did nothing to protect what came after.
Understanding session hijacking isn’t about becoming a cybersecurity expert. It’s about understanding a real shift in how attacks work so you can make better decisions about how to protect your business.
What Is Session Hijacking and Why Does It Bypass MFA?
Session hijacking is when an attacker steals proof that you’re already logged in and uses it to access your accounts without going through the login process at all.
Here’s the mechanic. When you sign into a web application, your browser receives a session token, often stored as a cookie, that tells every subsequent page request “this person already authenticated, let them through.” It’s the digital equivalent of a wristband at an event. Once you have it, you don’t get checked at the door again.
MFA protects the door. It does not protect the wristband.
If an attacker can get hold of that session token, they can import it into their own browser and pick up your session exactly where you left it. No password prompt. No MFA challenge. No notification to you that anything happened. According to security researchers at NetSecurity, attackers now operate specifically in the gap between authentication and the session itself because MFA creates a false assumption that an authenticated session is a trusted one.
This is not a flaw in MFA. It’s a limitation. MFA verifies identity at a single point in time. Sessions represent ongoing trust. Those are two different things, and attackers have learned to exploit the difference.
How Do Attackers Actually Steal Session Tokens?
There are three main methods, and they’re more accessible to attackers than most business owners realize.
Adversary-in-the-Middle phishing. This is the most common technique used in targeted attacks against businesses. The attacker sets up a fake login page that acts as a real-time relay between you and the legitimate site. You see what looks like a normal login. You enter your credentials. You complete your MFA prompt. Everything appears to work, because it does: the attacker’s proxy is forwarding everything to the real site in real time. What you don’t see is that the attacker’s proxy has captured your session token the moment the real site issued it. Tools that automate this process, including phishing-as-a-service kits, are now available to attackers with minimal technical skill. MFA fatigue attacks appeared in 14% of security incidents in the 2025 Verizon Data Breach Investigations Report, and AiTM phishing was the dominant technique behind most of those.
Infostealer malware. This approach doesn’t require phishing at all. Infostealer malware infects an endpoint and silently extracts every session cookie stored in the browser’s local database. It packages them and sends them to attacker-controlled infrastructure, often within minutes. The attacker then has authenticated session tokens for every cloud app, SaaS platform, and business tool the infected employee was logged into. Families like LummaC2, RedLine, and Raccoon are purpose-built for exactly this. The infection can arrive through a malicious download, a compromised browser extension, or a phishing email with a file attachment.
Compromised browser extensions. As covered in our browser extension security post, extensions that run inside the browser have access to the same session data that an infostealer would harvest. A compromised or over-permissioned extension can extract session tokens from authenticated tabs without additional malware. This is why browser extension governance is part of the same security conversation as MFA.
Does Standard MFA Offer Any Protection Against This?
Standard MFA, meaning SMS codes, push notifications, and authenticator app one-time codes, offers no protection against session hijacking once authentication is complete.
That’s an important distinction. Standard MFA protects the login event. Once you’re logged in and the session token is issued, your MFA has done its job and is no longer involved. If that token is stolen two minutes later by infostealer malware, the attacker can use it freely until it expires.
There is a category of MFA that does offer protection: phishing-resistant authentication using FIDO2 standards, including passkeys and hardware security keys. These methods use cryptographic keys that are bound to a specific domain. During an AiTM phishing attack, the fake site can’t satisfy the cryptographic challenge that a real FIDO2 authentication requires, so the attack fails at the login step before a session token is ever issued.
NIST’s updated SP 800-63-4, finalized in 2025, makes phishing-resistant authentication mandatory at the highest assurance levels and specifically cites hardware-bound, non-exportable private keys as the requirement. Microsoft, Google, and Apple all support passkeys natively across their platforms, and major platforms including Microsoft 365 and Google Workspace support FIDO2 enrollment today.
Cloudflare demonstrated the practical impact in a 2022 incident. A coordinated phishing campaign hit over 130 organizations. Twilio was breached because employees entered credentials on a convincing phishing proxy. Cloudflare was targeted with the same technique and blocked it entirely because their staff were using FIDO2 hardware security keys. The keys refused to authenticate to a site that wasn’t cryptographically the legitimate destination, even though employees had clicked the phishing link.
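To make the domain-binding point concrete, here is an added illustration (not code from this post, from Cloudflare, or from any FIDO2 library) of the relying-party checks a server runs on a WebAuthn assertion before it even reaches signature verification. The rpId, origin, challenge and lookalike domain are constructed values, and the authenticator data is simplified to its hash, flags and counter fields.

```python
import base64
import hashlib
import json

# Constructed relying-party values (assumptions, not taken from the post).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def client_data_json(origin: str, challenge: bytes) -> bytes:
    # The browser builds this from the tab's real URL; page scripts cannot alter it,
    # and it is covered by the authenticator's signature.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def authenticator_data(rp_id: str) -> bytes:
    # Simplified layout: 32-byte SHA-256(rpId) + flags byte (UP|UV = 0x05) + 4-byte counter.
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")

def verify_assertion(client_data: bytes, auth_data: bytes, challenge: bytes):
    """Relying-party checks from the WebAuthn assertion ceremony, before any signature check."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    # Signature check over auth_data + SHA-256(client_data) is omitted here; because the
    # origin sits inside the signed client_data, a relay cannot rewrite it after the fact.
    return True, "ok"

def demo():
    challenge = bytes(range(32))  # constructed; a real RP uses fresh random bytes per request
    legit = verify_assertion(client_data_json(EXPECTED_ORIGIN, challenge),
                             authenticator_data(RP_ID), challenge)
    # A relay page served from a lookalike domain: the browser stamps that domain as the origin,
    # so the server rejects the assertion and never issues a session token.
    relayed = verify_assertion(client_data_json("https://login.example-proxy.invalid", challenge),
                               authenticator_data(RP_ID), challenge)
    return legit, relayed
```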
For Louisville businesses managing Microsoft 365 environments, our managed IT services team can help you evaluate and deploy phishing-resistant authentication options that are practical for your team size and environment.
What Controls Actually Reduce Session Hijacking Risk?
Upgrading to phishing-resistant MFA is the most effective single step, but it doesn’t address the infostealer malware path, which bypasses authentication entirely by stealing cookies after the fact. Addressing that requires a layered approach.
Keep endpoints clean and managed. Infostealer malware needs to infect a device before it can harvest session tokens. Managed endpoints with up-to-date endpoint protection, timely patching, and restricted software installation dramatically reduce the infection surface. Our cybersecurity services include endpoint management as a core component because device hygiene is one of the most direct controls against this attack path.
Tighten session timeouts. Most cloud applications allow administrators to configure how long sessions stay valid before requiring re-authentication. Shorter session lifetimes reduce the window an attacker has to use a stolen token. A token that expires in two hours is significantly less valuable than one that remains valid for two weeks. For high-sensitivity applications, requiring re-authentication before performing sensitive actions is worth the minor friction.
Monitor for session anomalies. Stolen session tokens get used from locations, IP addresses, and device profiles that don’t match the legitimate user’s normal patterns. Impossible travel (a session active in Louisville and London within the same hour), unusual access times, and unfamiliar device fingerprints are all detectable signals. Monitoring for these patterns is how session hijacking gets caught after a token is stolen but before significant damage is done.
Govern browser extensions. Extensions with permission to read and modify all sites have access to session tokens in authenticated tabs. Maintaining an approved extensions list and auditing installed extensions regularly removes one of the quieter paths to session theft.
Train your team on what phishing looks like now. AiTM phishing pages are visually identical to the real login page. The only reliable behavioral signal is that the URL is wrong. Teaching employees to check the domain before entering credentials, and to treat any unexpected login request with skepticism regardless of how legitimate it looks, is part of cybersecurity awareness training that complements technical controls rather than replacing them.
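As an added example (not part of the original post or any vendor product), the impossible-travel check described under session anomaly monitoring above and in the detection FAQ below, run over a few constructed sign-in records: it groups events by user and session, measures the great-circle distance between consecutive events, and flags any pair whose implied speed exceeds an airliner's. The user names, IP addresses and coordinates are made up; a real deployment would take latitude and longitude from geo-IP enrichment of the identity platform's sign-in logs.

```python
import json
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed; faster than this is "impossible travel"
MIN_DISTANCE_KM = 100.0     # ignore geo-IP jitter between nearby locations

# Constructed sign-in records (not real logs). Same session id = same issued token.
SAMPLE_LOG = """
{"user":"alice","session":"s1","ts":"2025-06-03T14:05:00Z","ip":"203.0.113.10","city":"Louisville","lat":38.2527,"lon":-85.7585}
{"user":"alice","session":"s1","ts":"2025-06-03T14:50:00Z","ip":"198.51.100.7","city":"London","lat":51.5074,"lon":-0.1278}
{"user":"bob","session":"s2","ts":"2025-06-03T09:00:00Z","ip":"203.0.113.20","city":"Louisville","lat":38.2527,"lon":-85.7585}
{"user":"bob","session":"s2","ts":"2025-06-03T12:00:00Z","ip":"203.0.113.44","city":"Lexington","lat":38.0406,"lon":-84.5037}
"""

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_log(text):
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["t"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    # Sort so consecutive rows belong to the same user+session, in time order.
    return sorted(events, key=lambda e: (e["user"], e["session"], e["t"]))

def find_impossible_travel(text):
    alerts = []
    events = parse_log(text)
    for prev, cur in zip(events, events[1:]):
        if (prev["user"], prev["session"]) != (cur["user"], cur["session"]):
            continue
        km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        if km < MIN_DISTANCE_KM:
            continue
        hours = (cur["t"] - prev["t"]).total_seconds() / 3600
        # Two distant locations at the same instant is impossible too, so avoid a zero divide.
        kmh = km / hours if hours > 0 else math.inf
        if kmh > MAX_PLAUSIBLE_KMH:
            alerts.append({"user": cur["user"], "session": cur["session"],
                           "from": prev["city"], "to": cur["city"],
                           "km": round(km), "kmh": round(kmh), "ips": [prev["ip"], cur["ip"]]})
    return alerts
```

Bob's Louisville-to-Lexington move passes the distance gate but is well under the speed limit, so only Alice's session, which appears in London 45 minutes after Louisville, is flagged as a likely replayed token.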
Conclusion
MFA is still worth having. It’s still one of the best controls a small business can deploy. But the threat model has moved, and treating MFA as the finish line leaves a meaningful gap that attackers are actively exploiting.
Session hijacking targets what happens after authentication succeeds. The response is layered: upgrade toward phishing-resistant MFA for high-value accounts, keep endpoints managed and patched, tighten session timeouts, and monitor for the anomalies that indicate a stolen token is being replayed.
None of these steps requires a large IT budget. They require consistency and a clear understanding of where the real risk sits.
If you want help reviewing your current authentication setup and building a practical layered security baseline for your team, contact Z-JAK Technologies here. We help Louisville businesses close the gap between MFA-as-a-checkbox and security that actually holds up against how attacks work today.
Frequently Asked Questions
What is session hijacking and how does it affect small businesses?
Session hijacking is when an attacker steals the authentication token your browser receives after you successfully log in to a web application, then uses that token to access your account without going through the login process. For small businesses, this means an attacker can access your cloud apps, email, CRM, and financial tools even if you have MFA enabled, because MFA only protects the login event and not the session that follows it. According to 2025 research, over 94 billion browser cookies containing session tokens were collected by infostealer malware in that year alone.
Does multi-factor authentication stop session hijacking?
Standard MFA, including SMS codes, push notifications, and authenticator app codes, does not protect against session hijacking after authentication is complete. It protects the login step but not the session token issued afterward. Phishing-resistant MFA using FIDO2 standards, such as passkeys and hardware security keys, does offer protection against adversary-in-the-middle phishing attacks because the cryptographic keys are bound to a specific domain and cannot be relayed through a fake login page. However, even phishing-resistant MFA does not protect against infostealer malware that extracts session cookies directly from a compromised device.
What is adversary-in-the-middle phishing and how does it capture session tokens?
Adversary-in-the-middle phishing works by placing an attacker-controlled relay server between the victim and the legitimate login page. The victim sees what looks like the real site, completes their credentials and MFA prompt, and everything appears to work normally because the relay is forwarding everything to the real site in real time. What the victim doesn’t see is that the relay captures the session token the moment the real site issues it. Automated kits that enable this attack are widely available and require minimal technical skill to operate, which is why it has become the dominant method for bypassing MFA in business email compromise and account takeover attacks.
How can a business detect if a session token has been stolen and is being replayed?
The most reliable detection signals are session anomalies: activity from unusual IP addresses or geographic locations inconsistent with the user’s normal patterns, logins from device types or browsers the user doesn’t normally use, and access at unusual times of day. Impossible travel events, where a session appears active from two distant locations within an implausibly short window, are a strong indicator of token replay. Most identity platforms, including Microsoft Entra and Google Workspace, include these signals in their access logs and can be configured to alert on them or require step-up authentication when they’re detected.
What is phishing-resistant MFA and is it practical for small businesses?
Phishing-resistant MFA uses cryptographic keys stored on a device to prove identity, rather than codes that can be intercepted or relayed. The two most common forms are passkeys, which use biometrics or a device PIN and are supported natively on iPhones, Android devices, Windows, and Mac, and hardware security keys like YubiKey. Passkeys in particular are highly practical for small businesses because they require no additional hardware, work with existing devices your team already owns, and are supported by Microsoft 365, Google Workspace, and most major SaaS platforms. NIST’s updated 2025 guidelines now require phishing-resistant authentication at the highest assurance levels, and many cyber insurers are beginning to ask about MFA strength during policy underwriting. Our managed IT services team can help you evaluate which approach fits your environment.
Your MFA Setup May Have a Gap You Don’t Know About
Most small businesses are running standard MFA and assuming it’s enough. If your team is using SMS codes or push notifications, there’s a specific attack path it doesn’t cover. Contact Z-JAK Technologies for a security review that looks at your full authentication posture, not just whether MFA is switched on.
