Can SVG files steal M365 tokens without user login?

Asked By CuriousUser321 On

Hey folks, I recently had a user who got a scam email with an SVG file attached. On one computer, double-clicking the SVG opened the Copilot app, while on another machine, it opened Edge and led to a fake Microsoft login page that stole tokens upon login. I'm not too familiar with the Copilot app, and I'm wondering if it's possible for a user's token to be stolen just by opening the SVG file—which redirected to a bad link—in Copilot. I know malware on a computer can steal tokens without a login prompt, but can a web link really grab a token if the user doesn't actually log in with their Microsoft credentials or MFA? Thanks!

2 Answers

Answered By TechWhiz99 On

SVGs can indeed be tricky because they can embed JavaScript. In the case you're describing, it sounds like the SVG file redirected to a token-harvesting site. Typically, tokens are stolen during authentication, where a malicious site poses as the Microsoft login portal. They can pass requests through to Microsoft, which allows them to capture tokens after MFA. So, if the user never goes through that login process, there's likely no token theft. Plus, phishing-resistant MFA helps prevent this, since it ties authentication to legitimate domains.

SafetyFirst2022 -

Sounds like a classic phishing attempt—tokens can't be stolen just by viewing a webpage if you don’t log in. If you’re already authenticated and click a malicious link, there’s definitely a risk. But if the user didn't type in credentials or do MFA, their token should be safe.

Answered By CyberGuard21 On

There are a few ways tokens can get stolen, mostly involving phishing sites where a user thinks they're logging into Microsoft when they're not. But in your case, if they didn't actually log in, then their token should remain intact. It’s the browser's current session that could be at risk if they clicked the link while logged in. This scenario suggests that the SVG might have executed some script that was checking for users interacting with it.

UserSafety101 -

Exactly! The SVG could have redirected them to another site based on their browser's environment. It’s essential to have proper defenses in place as these methods for stealing tokens evolve.
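Both answers point out that the danger of an SVG attachment is that it can carry script and redirect the viewer, which is the lure that gets a user onto the token-harvesting page. The following triage script is an added example, not code posted in this thread: it flags the SVG features that turn an "image" into a web page (a `<script>` element, `on*` event-handler attributes, `javascript:` URLs, hyperlinks to external hosts, and `<foreignObject>` wrappers that can smuggle an HTML `<meta http-equiv="refresh">` redirect). The two sample SVGs at the bottom are constructed for the demonstration; the host `login.example.invalid` is a placeholder, not an indicator from the incident.

```python
"""Triage an SVG attachment for active content (added example, not from the thread).

A plain vector image needs none of the features checked here, so any finding is a
reason to quarantine the file and look at where it points, rather than to open it.
"""
import re
import xml.etree.ElementTree as ET
from typing import List

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)        # onload=, onclick=, ...
EXTERNAL_URL = re.compile(r"^\s*(https?:)?//", re.IGNORECASE)  # absolute or protocol-relative
JS_URL = re.compile(r"^\s*javascript:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(svg_text: str) -> List[str]:
    """Return human-readable findings; an empty list means no active content was seen."""
    findings: List[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # A file that is not well-formed XML is not a usable image either.
        return [f"unparseable XML ({exc}); treat as suspicious"]

    for elem in root.iter():
        tag = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if tag == "script":
            findings.append("<script> element present")
        elif tag == "foreignobject":
            findings.append("<foreignObject> present (can embed HTML such as a meta refresh)")
        elif tag == "meta" and elem.get("http-equiv", "").lower() == "refresh":
            findings.append(f"meta refresh redirect: {elem.get('content', '')!r}")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if EVENT_ATTR.match(name):
                findings.append(f"event handler {name}= on <{tag}>")
            if name == "href":  # covers both href and xlink:href
                if JS_URL.match(value):
                    findings.append(f"javascript: URL in <{tag}> href")
                elif EXTERNAL_URL.match(value):
                    findings.append(f"external link in <{tag}> href -> {value}")
    return findings


def is_suspicious(svg_text: str) -> bool:
    """True when the SVG contains anything a static image does not need."""
    return bool(scan_svg(svg_text))


# Constructed sample: what a legitimate image attachment looks like.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="green"/>
</svg>"""

# Constructed sample mirroring the thread's description (script plus redirect);
# the script body is an empty stand-in and the host is a placeholder.
ACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>function init(){}</script>
  <a xlink:href="https://login.example.invalid/">
    <text x="10" y="20">Open document</text>
  </a>
  <foreignObject width="1" height="1">
    <div xmlns="http://www.w3.org/1999/xhtml">
      <meta http-equiv="refresh" content="0;url=https://login.example.invalid/"/>
    </div>
  </foreignObject>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, "->", scan_svg(sample) or "no active content")
```

Run against the two samples, the benign image produces no findings and the constructed lure produces five (the `onload` handler, the `<script>`, the external link, the `<foreignObject>`, and the meta refresh). In a mail-gateway or EDR context, the same checks fit a detection rule for SVG attachments; the point is that any one finding means the file should be treated as a web page, not as a picture.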
