While the simple, lasting authentication provided by SaaS session tokens is unquestionably convenient, it is also unfortunately attractive for adversaries to exploit. In fact, attackers are increasingly foregoing simple credential theft to target session tokens which enable them to bypass MFA and establish discreet, longer term persistence in the SaaS environment.

In this brief, we’ll look more closely at what SaaS session tokens are and the ways in which attackers are able to capture and abuse them:

  • What is a SaaS session token?
  • What are the risks of SaaS token compromise?
  • How do malware and man-in-the-middle attacks capture tokens?
  • How does Obsidian detect SaaS token compromise?