An IT manager at a mid-sized logistics firm receives an alert: an admin account has been deleting files for the past two hours. The account shows no failed logins. MFA was never triggered. The attacker did not break in — they walked in using a stolen session token extracted from a compromised laptop.
This scenario is becoming increasingly common. Attackers no longer need to crack passwords or defeat authentication systems. They wait for a user to log in successfully, then steal the resulting session token. From that point forward, they operate as a legitimate user — invisible to most security tools.
The implication for IT and security teams is uncomfortable but important: no authentication control, however strong, is a guaranteed defence. The question is not whether attackers might get in. The question is whether your organisation can recover when they do.
Key Takeaways
• Stolen session tokens allow attackers to bypass MFA completely — no password needed.
• Once inside a legitimate session, attackers can delete, modify, or exfiltrate data before detection.
• Immutable backup with tested recovery procedures is the most reliable last line of defence.
Why does session token theft bypass MFA?
When a user logs in and completes MFA, the system issues a session token: a digital confirmation that the authentication already happened. The token is typically stored as a browser cookie or in application storage and is sent with every subsequent request, which is what keeps a user logged in without re-authenticating every few minutes. Crucially, the server trusts the token itself, not the device presenting it.
Attackers who compromise an endpoint can extract these tokens using infostealer malware or malicious browser extensions. Once they have the token, they can replay the session from a different device entirely. The target system sees a valid, authenticated session, because that is exactly what it is; no second factor is challenged, because the MFA step is already recorded as complete.
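The following is an added example, not code from the article. It models a minimal server-side session store in two modes: the naive mode accepts any request that carries a known token (the behaviour the paragraph above describes), while the hardened mode binds the session to the client that completed MFA, expires it on inactivity, revokes it the moment it is presented from a different client, and demands a fresh second factor for destructive actions. The store, the timeouts, the fingerprint scheme and the two clients are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store (example code, not from the article).
# The timings are assumptions a real deployment would tune.
SESSION_TTL = 8 * 3600      # absolute lifetime in seconds
IDLE_TIMEOUT = 15 * 60      # revoke after this much inactivity
STEP_UP_WINDOW = 5 * 60     # destructive actions need MFA completed within this window


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client properties the session is bound to at login."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    """bind_to_client=False reproduces the naive behaviour: whoever holds the token is the user."""

    def __init__(self, bind_to_client: bool):
        self.bind_to_client = bind_to_client
        self.sessions = {}

    def login(self, user, ip, user_agent, now):
        # Called only after password + MFA succeeded; the token is the proof of that event.
        token = secrets.token_urlsafe(32)
        fp = client_fingerprint(ip, user_agent)
        self.sessions[token] = {"user": user, "fp": fp, "created": now,
                                "last_seen": now, "mfa_at": now}
        return token

    def authorize(self, token, ip, user_agent, now, destructive=False):
        """Return (allowed, reason) for a request presenting `token`."""
        sess = self.sessions.get(token)
        if sess is None:
            return False, "unknown token"
        if not self.bind_to_client:
            sess["last_seen"] = now
            return True, "ok"                       # naive: the token alone is enough
        if now - sess["created"] > SESSION_TTL or now - sess["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[token]
            return False, "expired, re-login required"
        if not hmac.compare_digest(sess["fp"], client_fingerprint(ip, user_agent)):
            del self.sessions[token]                # presented from another device: revoke everywhere
            return False, "client mismatch, session revoked"
        if destructive and now - sess["mfa_at"] > STEP_UP_WINDOW:
            return False, "step-up MFA required"   # deletions need a fresh second factor
        sess["last_seen"] = now
        return True, "ok"


def replay_demo():
    """Victim logs in on a laptop; an attacker replays the copied token from elsewhere."""
    victim = ("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0")   # constructed
    attacker = ("198.51.100.77", "python-requests/2.32")                      # constructed
    t0 = 1_700_000_000
    results = {}
    for mode, bind in (("naive", False), ("hardened", True)):
        store = SessionStore(bind_to_client=bind)
        token = store.login("admin.jo", *victim, now=t0)
        # Token is exfiltrated and replayed ten minutes later to delete files.
        replay = store.authorize(token, *attacker, now=t0 + 600, destructive=True)
        # The legitimate user carries on working shortly afterwards.
        owner = store.authorize(token, *victim, now=t0 + 620, destructive=True)
        results[mode] = {"attacker_replay": replay, "owner_after_replay": owner}
    return results


if __name__ == "__main__":
    for mode, r in replay_demo().items():
        print(mode, r)
```

In the naive mode the replay is indistinguishable from the owner; in the hardened mode the replay is refused and the session is revoked, which also logs the real user out and forces a fresh login, the desired side effect. Binding to IP and user agent is a heuristic: both change legitimately (mobile networks, browser updates) and an attacker who copied the cookie can often copy the user agent too, so the controls that actually cap the damage are the short lifetimes and the step-up requirement for destructive operations.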
According to Cloudflare, its network now detects approximately 230 billion cyber threats every day, with a growing share targeting identity infrastructure rather than traditional perimeter defences. Session hijacking is increasingly part of that picture.
The scale of the problem is confirmed by the ENISA Threat Landscape 2025, which analysed nearly 4,900 incidents across Europe between July 2024 and June 2025. The report identifies info-stealers — the primary tool for session token theft — as a consistent and prevalent threat, explicitly linking them to credential theft, session hijacking, and access brokering. Phishing, the most common delivery method for these tools, accounted for 60% of observed initial intrusions in the same period.
The attack surface is wider than many organisations realise. Phishing emails, malicious extensions, and endpoint-based infostealers all serve as entry points. Reducing the risk therefore starts on the devices where tokens live: endpoint protection and hardened browser policies limit what an infostealer can reach, and endpoint backup and recovery ensures a compromised device can be wiped and restored rather than cleaned up in place.
What happens once attackers have legitimate access?
Operating inside a valid session, attackers are largely invisible to authentication-based controls. Only tooling that looks at what a session does (where it connects from, how fast it acts, which services it touches) can flag it, and even then the alert often arrives after the fact. By that time, significant damage can already be done.
Typical actions from compromised admin sessions include:
• Deleting files or entire directories
• Modifying or corrupting critical data
• Disabling backup or monitoring services
• Exfiltrating sensitive information before triggering any alert
What makes this particularly damaging is the time window. Organisations often discover identity-based breaches days or weeks after the fact. By then, the attacker may have worked through the environment methodically, targeting backup systems specifically to reduce recovery options.
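As an added example (not part of the original article), the detection logic below runs three behavioural rules over constructed audit-log lines that reproduce the opening scenario: one admin session first appears from the user's laptop, later reappears from a different address, deletes files in a burst and then disables the backup agent. The log format, the session identifiers, the IP addresses, the thresholds and the list of protected service names are all assumptions made for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log (not real data). One admin session drifts to a new source
# address, bulk-deletes, then turns off the backup agent; a second session is benign.
SAMPLE_LOG = """\
2025-03-04T09:02:11Z sid=s7f3 user=admin.jo ip=203.0.113.10 action=login target=-
2025-03-04T09:05:40Z sid=s7f3 user=admin.jo ip=203.0.113.10 action=file.read target=/finance/q1.xlsx
2025-03-04T11:14:02Z sid=s7f3 user=admin.jo ip=198.51.100.77 action=file.read target=/finance/
2025-03-04T11:14:30Z sid=s7f3 user=admin.jo ip=198.51.100.77 action=file.delete target=/finance/q1.xlsx
2025-03-04T11:14:45Z sid=s7f3 user=admin.jo ip=198.51.100.77 action=file.delete target=/finance/q2.xlsx
2025-03-04T11:15:00Z sid=s7f3 user=admin.jo ip=198.51.100.77 action=file.delete target=/finance/q3.xlsx
2025-03-04T11:15:15Z sid=s7f3 user=admin.jo ip=198.51.100.77 action=file.delete target=/finance/q4.xlsx
2025-03-04T11:15:30Z sid=s7f3 user=admin.jo ip=198.51.100.77 action=file.delete target=/finance/payroll.csv
2025-03-04T11:15:45Z sid=s7f3 user=admin.jo ip=198.51.100.77 action=file.delete target=/finance/vendors.csv
2025-03-04T11:16:05Z sid=s7f3 user=admin.jo ip=198.51.100.77 action=service.disable target=backup-agent
2025-03-04T11:19:10Z sid=a1c9 user=ops.sam ip=192.0.2.5 action=login target=-
2025-03-04T11:20:00Z sid=a1c9 user=ops.sam ip=192.0.2.5 action=file.delete target=/tmp/build.log
"""

# Assumed names of services whose shutdown should never go unreviewed.
PROTECTED_SERVICES = {"backup-agent", "edr-sensor", "log-forwarder"}


def parse_line(line):
    """Parse '<timestamp> key=value ...' into a dict with a datetime under 'ts'."""
    ts_str, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text, delete_threshold=5, window=timedelta(minutes=2)):
    """Return one finding per (session, rule) for session reuse, delete bursts and disabled protection."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_sid = defaultdict(list)
    for r in records:
        by_sid[r["sid"]].append(r)

    findings = []
    for sid, recs in by_sid.items():
        recs.sort(key=lambda r: r["ts"])
        user = recs[0]["user"]

        # Rule 1: one session token presented from more than one source address.
        ips = list(dict.fromkeys(r["ip"] for r in recs))
        if len(ips) > 1:
            findings.append({"rule": "session_ip_change", "sid": sid, "user": user,
                             "detail": f"session used from {ips}"})

        # Rule 2: sliding window over delete events; fire once per session.
        deletes = [r["ts"] for r in recs if r["action"] == "file.delete"]
        for i, t0 in enumerate(deletes):
            n = sum(1 for t in deletes[i:] if t - t0 <= window)
            if n >= delete_threshold:
                findings.append({"rule": "delete_burst", "sid": sid, "user": user,
                                 "detail": f"{n} deletes within {window} starting {t0.isoformat()}"})
                break

        # Rule 3: any attempt to switch off backup or monitoring is high severity on its own.
        for r in recs:
            if r["action"] == "service.disable" and r["target"] in PROTECTED_SERVICES:
                findings.append({"rule": "protection_disabled", "sid": sid, "user": user,
                                 "detail": f"{r['target']} disabled at {r['ts'].isoformat()}"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

Rule 1 is the cheapest signal for hijacking and the one most worth tuning (allow-list corporate egress ranges, compare ASN rather than raw IP for mobile users). Rules 2 and 3 do not depend on knowing the session was stolen at all: a burst of deletions or a disabled backup agent warrants a response whether the actor is an attacker, a script gone wrong or an insider, which is exactly why the article treats recovery rather than attribution as the priority.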
Does backup still matter if the attacker has admin rights?
Yes, but only if the backup environment is properly isolated. Backup systems that share authentication with production systems can be reached and disabled by an attacker operating with admin credentials or a hijacked admin session. This is a design flaw that many organisations do not discover until an incident occurs.
Effective backup strategies for this threat model include:
1. Immutable backup storage — data that cannot be modified or deleted by any account, including administrators, for a defined retention period.
2. Isolated backup authentication — separate credentials and access paths for backup systems, not shared with production identity providers.
3. Air-gapped or off-site copies — at least one backup copy stored in an environment inaccessible from the main network.
4. Automated integrity monitoring — regular verification that backup data has not been tampered with.
5. Tested recovery procedures — regular restore drills with documented recovery time objectives.
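Item 4 in the list above is the one most often left as a good intention. As an added example (not the article's or any vendor's code), the script below implements it in the simplest form that still holds up against an attacker with admin rights on the backup host: a manifest of per-file SHA-256 hashes, signed with an HMAC key that lives with the verifier rather than in the production identity domain (an assumption, in line with item 2). Tampering with a file shows up as a hash mismatch; tampering with the manifest itself fails the signature check because the attacker does not hold the key. The backup contents, the key and the temporary directory are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backup objects do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(backup_dir):
    """Map every regular file under backup_dir (POSIX relative path) to its digest."""
    root = Path(backup_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def canonical(files):
    # Deterministic serialisation so the same tree always signs to the same bytes.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(backup_dir, key):
    """Hash the tree and sign the result; run at backup time by the verifier, not by production."""
    files = hash_tree(backup_dir)
    sig = hmac.new(key, canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "sig": sig}


def verify_backup(backup_dir, manifest, key):
    """Check the manifest signature first, then compare the stored tree against it."""
    expected = hmac.new(key, canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return {"ok": False, "reason": "manifest signature invalid",
                "tampered": [], "missing": [], "unexpected": []}
    current = hash_tree(backup_dir)
    recorded = manifest["files"]
    tampered = sorted(f for f, h in recorded.items() if f in current and current[f] != h)
    missing = sorted(f for f in recorded if f not in current)
    unexpected = sorted(f for f in current if f not in recorded)
    ok = not (tampered or missing or unexpected)
    return {"ok": ok, "reason": "ok" if ok else "content mismatch",
            "tampered": tampered, "missing": missing, "unexpected": unexpected}


def demo():
    """Clean verify, then an in-place corruption, then a forged manifest without the key."""
    key = b"verifier-key-held-outside-production-identity"   # assumption: never on the prod side
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widget');\n")
        (root / "config.yaml").write_bytes(b"retention_days: 30\n")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        # Attacker with admin rights on the backup host overwrites a backup object.
        (root / "db" / "orders.sql").write_bytes(b"-- wiped\n")
        tampered = verify_backup(root, manifest, key)

        # Attacker also regenerates the manifest to hide the change, but cannot sign it.
        forged = build_manifest(root, b"guessed-key")
        forged_result = verify_backup(root, forged, key)

    return {"clean_ok": clean["ok"],
            "tampered": tampered["tampered"],
            "forged_reason": forged_result["reason"]}


if __name__ == "__main__":
    print(demo())
```

Run this on a schedule from the verifier side and page on any result other than "ok". It does not replace immutable storage (item 1): it cannot stop deletion, only make silent corruption or substitution visible before a restore is attempted, which is when you least want to discover it.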
Organisations reviewing their overall resilience posture often evaluate disaster recovery strategies that cover not just ransomware but also identity-based incidents and insider threats.
Does faster recovery actually reduce business impact?
Recovery speed is the primary factor that separates a manageable incident from an operational crisis. When critical systems are unavailable, every hour of downtime carries direct costs — halted operations, delayed customer service, regulatory exposure.
Organisations that define Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) in advance can restore operations far faster than those reacting without a plan. The difference often comes down to whether backup data is immediately accessible and whether the restore process has been practiced.
For sectors such as healthcare, finance, and critical infrastructure, recovery speed is not just an operational priority but a legal one. The NIS2 Directive, as transposed into national law, sets explicit expectations for incident response and recovery capability. Organisations that cannot demonstrate resilience risk both operational disruption and regulatory consequences.
What do NIS2 and ENISA expect from backup strategies?
The NIS2 Directive requires organisations in essential and important sectors to implement risk management measures that explicitly include business continuity, backup management and disaster recovery (Article 21(2)(c)). Demonstrating recovery capability, not just prevention, is a core compliance requirement.
ENISA's guidance on cyber crisis management further emphasises that organisations should assume incidents will occur and prepare recovery capabilities accordingly. This aligns directly with what identity-based attack scenarios demand: a resilient backup environment that operates independently of potentially compromised identity systems.
In practice, this means documenting recovery procedures, defining RTOs and RPOs per system category, and testing restore processes at regular intervals — not just once during initial setup. For most organisations, Backup as a Service with immutability and independent authentication provides the structural foundation these requirements demand.
Conclusion
Session token theft demonstrates that even well-implemented authentication controls can be circumvented. When attackers operate inside valid sessions, prevention loses much of its effect.
The organisations that manage these incidents effectively are not those that prevented every intrusion — they are those that detected damage quickly and restored systems before business impact became critical.
Reliable backup, proper isolation, and tested recovery procedures are no longer optional additions to a security strategy. When identity security fails, they are the only thing left that works.
Frequently asked questions
Can stolen session tokens really bypass MFA?
Yes. A session token represents a completed authentication event. When an attacker steals a token from a compromised device, they inherit that authenticated state and can access systems without triggering MFA. The login step has already happened — from the system's perspective, the attacker is the legitimate user.
How do attackers get hold of session tokens?
Most token theft begins on compromised endpoints. Infostealer malware installed via phishing or malicious browser extensions can extract authentication tokens stored in browsers or applications. The tokens are then exfiltrated and reused from a remote location. This is why endpoint protection and controlled device environments are part of a broader identity security strategy.
Why does backup matter specifically in identity-based attacks?
Because attackers with admin-level access can delete, modify, or encrypt data before detection occurs. In those situations, backup is the only reliable recovery path. For backup to remain useful in this scenario, it must be stored immutably and with independent authentication — otherwise the attacker can simply disable or erase the backup environment as well.