No Password Needed – Token Logging, The New Tactic

Most people feel confident once they’ve set a strong password and enabled multi-factor authentication (MFA), and many see it as the gold standard for staying safe online. While that confidence isn’t misplaced, cybercriminals have adapted quickly, and one technique gaining traction is known as a token logging attack, which allows attackers to bypass traditional protections in a way that often goes unnoticed.

It sounds technical, but the idea is actually quite simple, and it’s something that can affect both New Zealand households and small businesses.

How Token Logging Attacks Work (and How They Bypass MFA)

When you log in to an account like your email, banking, or a business platform, you enter your password and complete MFA. After that, the system doesn’t ask you to log in again every time you click around. Instead, it gives your device a kind of “digital pass” called a session token. This token proves that you’ve already authenticated, so you can stay logged in without repeating the process.

A token logging attack targets that “session token”.

Instead of trying to guess your password or break through MFA, attackers trick you into handing over your session token after you’ve already logged in. Once they have it, they can access your account as if they were you, without needing your password or MFA code at all.

Why It Works So Well

In many cases, this starts with a phishing link. You might receive an email or message that looks legitimate, prompting you to log in to a service you use or to download a file (often the attacker sends the token logger from an account that is already familiar to you, such as a friend's or family member's account that has itself been compromised). The page looks real, and you enter your details as usual, including your MFA code. Behind the scenes, the attacker captures your session token as it's created. From that point on, they can reuse it to access your account.

This is why token logging attacks can be so effective. They don't "break" or attempt to "brute force" MFA; they bypass it entirely by stepping in after it has already been completed.

For Kiwi households, this can lead to compromised email or social media accounts, which attackers may then use to further scam friends and family. For small businesses, the impact can be more serious. If an attacker gains access to a business email account, they can monitor conversations, intercept invoices, or send fraudulent payment requests. Because they're using a valid session, their activity can look legitimate at first. Just recently, Wellington Hutt City Council exposed the identity and financial information of hundreds of people to hackers after a staff member fell victim to a phishing email.

What makes this particularly challenging is that everything can appear normal. You logged in correctly. You used MFA. There were no obvious warning signs except a single moment where something didn’t quite feel right, or a link that looked convincing enough to trust.

How to Protect Yourself

The good news is that there are still effective ways to reduce the risk.

The most important defence is being cautious with login or download links. If you receive an email asking you to log in, it's safer to go directly to the website yourself rather than clicking the link. Even small differences in a URL can indicate a fake page. If someone is asking you to download something and it's outside their usual behaviour, run it through a download scanner such as VirusTotal before opening or executing it. Make sure you also have reputable security software installed, just in case.

For small businesses, awareness is key. Staff should understand that even with MFA in place, phishing attacks are still a real risk. Limiting access to sensitive systems and monitoring unusual account activity can also help reduce the impact if something does go wrong.
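One way a business can act on the "monitor unusual account activity" advice above, given how session tokens work as described earlier: record the client that completed MFA when a session was issued, then flag any later request that presents the same session token from a different source. This is an added illustration, not code from the article or any product; the log lines are constructed, and the JSON field names (`event`, `session`, `ip`, `ua`) are assumptions.

```python
# Added example: spotting a session token reused by someone other than the
# client that completed MFA. The log lines below are constructed, not real.
import json

SAMPLE_LOG = [
    '{"ts": 1700000000, "event": "login_mfa_ok", "session": "s-1", "ip": "203.0.113.10", "ua": "Firefox/Win"}',
    '{"ts": 1700000100, "event": "request", "session": "s-1", "ip": "203.0.113.10", "ua": "Firefox/Win"}',
    # Same token, but now presented from a different address and client:
    '{"ts": 1700000400, "event": "request", "session": "s-1", "ip": "198.51.100.7", "ua": "curl/8.0"}',
    # A token that was never seen being issued on this system at all:
    '{"ts": 1700000500, "event": "request", "session": "s-2", "ip": "192.0.2.5", "ua": "Chrome/Mac"}',
]


def find_suspect_sessions(lines):
    """Return a list of (session, reason, ip, ua) alerts.

    'fingerprint_changed': the token is used from a different IP/user agent
        than the one recorded when MFA completed (classic stolen-token reuse).
    'no_login_seen': the token was never issued in these logs, so the
        request carries a token this system cannot account for.
    """
    issued = {}  # session id -> (ip, ua) captured when MFA completed
    alerts = []
    for line in lines:
        rec = json.loads(line)
        sid = rec["session"]
        fingerprint = (rec["ip"], rec["ua"])
        if rec["event"] == "login_mfa_ok":
            issued[sid] = fingerprint
        elif rec["event"] == "request":
            if sid not in issued:
                alerts.append((sid, "no_login_seen", rec["ip"], rec["ua"]))
            elif issued[sid] != fingerprint:
                alerts.append((sid, "fingerprint_changed", rec["ip"], rec["ua"]))
    return alerts


def sessions_to_revoke(alerts):
    """Session ids that should be invalidated (forcing a fresh login + MFA)."""
    return sorted({sid for sid, _reason, _ip, _ua in alerts})


if __name__ == "__main__":
    for alert in find_suspect_sessions(SAMPLE_LOG):
        print("ALERT", alert)
    print("revoke:", sessions_to_revoke(find_suspect_sessions(SAMPLE_LOG)))
```

A changed IP or user agent is a signal, not proof: mobile users change networks and browsers update, so the usual response is to revoke the session and require a fresh login with MFA rather than to block the account outright.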

Staying One Step Ahead

Token logging attacks are a good reminder that cybersecurity isn’t just about passwords anymore. Attackers are looking for ways around traditional protections, which means staying safe requires both good tools and good habits. Stay one step ahead of the trends with our Cybersmart Newsletter.