USE CASE: SESSION HIJACKING PREVENTION
Stop Session Hijacking at the Earliest Point of Exposure
Infostealer malware and phishing campaigns silently steal web session cookies and refresh tokens that can bypass MFA, passkeys, and passwordless authentication. SpyCloud detects stolen session cookies and tokens tied to your customers and employees – with integrations that terminate active sessions to prevent session hijacking.
So you're moving to passwordless authentication for better identity security? Smart choice. But unfortunately, passwordless doesn't eliminate identity threats; it just changes the attack surface. At SpyCloud, we keep pace with the attack surface as it evolves to give our customers the edge, stopping threats before they escalate to initial access.

While attackers are still stealing passwords, they also want the path of least resistance: post-authentication artifacts like cookies and tokens that let them regain access again and again. Here's how they're doing it:

Adversary-in-the-middle phishing kits that intercept entire login flows in real time.
Device code phishing attacks that trick users into authorizing OAuth flows that hand over long-lived tokens directly.
Infostealer malware that silently exfiltrates valid session cookies and refresh tokens from infected devices, even devices with enterprise endpoint protection.

So while it's necessary to modernize authentication (new tools, new infrastructure), going passwordless doesn't stop authentication bypass. That's where SpyCloud comes in. SpyCloud delivers identity threat protection in passwordless environments, shutting down these access vectors before criminals can take advantage. SpyCloud recaptures stolen identity data from infostealer infections and successful phishing attacks, so you know when users need their sessions terminated. These are the missing signals you need to resecure infected and phished identities, devices, and applications and strengthen your identity perimeter, whether you've moved beyond passwords or not. Our data lake of over one trillion recaptured assets helps reveal and close the gaps in passwordless authentication continuously, making your security program more mature and your business safer. At the end of the day, no matter what authentication you use (credentials, passkeys, magic links, and beyond), your identity attack surface travels with you.
SpyCloud, our data is your best signal.
What criminals don't want you to know...
The next generation of ATO is here, and enterprises not only need to keep up with speed of criminal innovation, but find ways to preemptively prevent it.
Criminals value cookies more than credentials – acting with stealth and speed before the session expires, and using refresh tokens to maintain persistent access
Stop session hijacking before it starts
SpyCloud closes the blind spot left by traditional security tools by revealing when users have been infected or phished, putting cookies and refresh tokens in criminal hands – and helping you shut them down in time.
Detect cookies stolen by infostealers and adversary-in-the-middle (AitM) attacks before they’re used for unauthorized session access
Invalidate session tokens and stop session-based ATO and follow-on ransomware attacks in their tracks
Prevent criminals from abusing employee and customer cookies for illegitimate access
Stop criminals from using stolen session cookies to bypass MFA and impersonate users in their accounts
Correlate session exposure with malware infections and take swift action to reset credentials and revoke tokens
With SpyCloud, we’re protecting our customers as proactively as possible in today’s threat landscape. SpyCloud gives us the speed we need to act fast – before an attacker has the chance to abuse stolen cookies. The impact has been huge for us.
Integrations
SpyCloud integrates with identity, fraud, and response tools including Okta, Entra ID, Active Directory, and more – enabling plug-and-play workflows for automated credential and session remediation.
Next steps
Get ahead of session hijacking attacks that look like legitimate access.
Session Hijacking and MFA Bypass FAQs
Session cookies are stolen through two distinct attack paths. In the infostealer path, malware silently extracts every session cookie stored in a user’s browser. In the adversary-in-the-middle phishing path, the attacker proxies authentication in real time, lets MFA complete successfully, then intercepts the session cookie before it reaches the user’s browser. In both cases, the attacker holds a valid authenticated session cookie and never touched a password or MFA code. In 2025, SpyCloud recaptured 8.6 billion stolen session cookies from criminal sources.
Revoking the session cookie closes access in that moment, but in most environments a second artifact was also stolen: the refresh token. A refresh token is the long-lived credential an identity provider uses to silently issue new session cookies without requiring re-authentication. In enterprise environments, refresh tokens typically remain valid for 90 days. An attacker holding a stolen refresh token can continue minting new session cookies for months, even after the original cookie is revoked and even after the user resets their password.
No. After any authentication event succeeds, including via passkey or hardware key, the application still issues a session cookie and in OAuth and OIDC environments a refresh token. AitM phishing attacks proxy the authentication event, let it complete normally, and intercept the session cookie and refresh token on the way out. The user authenticated successfully with their passkey. The attacker holds the result of that authentication. Passwordless environments have the same session-layer exposure as password-based ones.
SpyCloud works through three layers in priority order. First, refresh token revocation: SpyCloud signals the identity provider to revoke the refresh token immediately since it survives password resets and can be valid for up to 90 days. Second, IdP SSO session termination: for Okta, Entra ID, or Ping Identity environments, SpyCloud terminates the IdP-level session which cascades to every downstream application in the SSO instance. Third, application-level session cookie invalidation: individual application sessions are cut off through forced re-authentication.
Behavioral monitoring tools operate on signals after authentication has already succeeded. SpyCloud operates upstream by recapturing stolen session cookies, refresh tokens, and authentication artifacts directly from criminal sources including infostealer malware logs, AitM phishing operation output, and underground markets. This data typically arrives within hours of the original theft. For enterprise deployments, SpyCloud integrates with Okta Workforce Guardian and Active Directory Guardian to trigger automated session termination as soon as a match is detected.