Explanation of the NPTA Microsoft 365 Session Hijack Incident
The Incident: How it happened
NPTA recently experienced a security incident in which an attacker gained unauthorised access to a single Microsoft 365 mailbox and used it to send a number of malicious emails containing harmful attachments. The root cause of this breach was determined to be a session hijack. A session hijack occurs when an attacker steals or intercepts a user’s authenticated session—essentially allowing them to “become” the user without needing their password. Although session hijacking can occur through several different mechanisms, it is often extremely difficult to identify the exact method used after the fact. In this case, while user behaviour or environmental factors may have contributed, the precise technique used by the attacker cannot be conclusively determined.
There are several common ways a session hijack against Microsoft 365 can occur. One example is token theft via malware, where a user’s device becomes infected with malware capable of copying browser cookies or authentication tokens, enabling the attacker to bypass MFA and log in undetected. Another method is man‑in‑the‑middle interception, often performed over insecure or public Wi‑Fi, where an attacker captures session traffic and extracts tokens or credentials. Credential‑phishing combined with token capture is another frequent technique, where the victim is tricked into visiting a malicious site that silently collects both login information and the authentication token issued by Microsoft 365. Attackers may also perform browser exploitation, using vulnerabilities in outdated browsers or plugins to extract session cookies directly from memory.
Measures NPTA is taking to prevent such incidents in future
To reduce the risk of similar incidents, organisations can adopt several security measures to strengthen their Microsoft 365 environment. Enforcing Conditional Access policies—such as blocking risky sign‑ins, requiring compliant devices, or enforcing MFA on every new session—greatly limits the usefulness of a stolen token. Implementing Continuous Access Evaluation (CAE) reduces the lifespan of hijacked sessions by automatically invalidating tokens when anomalies are detected. Additional controls, such as Defender for Cloud Apps session monitoring, provide visibility into suspicious activity and can automatically restrict or terminate abnormal sessions. Organisations should also ensure that device security baselines, including patching, antivirus protection and browser hardening, are consistently applied so that attackers cannot easily extract tokens from endpoints. Regular auditing of sign‑in logs and alerting for unusual patterns also helps detect hijacked sessions earlier.
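As an added illustration of the last point above (it is not NPTA's tooling or code from this page), the following Python script runs a simple hijacked-session check over constructed sign-in records: it flags a session that is reused from a different country than the interactive MFA sign-in that created it, with no fresh MFA challenge in between. The field names are a simplified stand-in for an Entra ID sign-in log export and are an assumption of the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records. Field names are a simplified stand-in for
# an Entra ID sign-in log export (assumption): "mfa" marks an interactive
# sign-in that passed MFA, False means a token/cookie was presented silently.
SAMPLE_SIGNINS = [
    {"time": "2024-05-01T08:02:11Z", "user": "a.user@example.org", "sessionId": "S1",
     "ip": "203.0.113.10", "country": "GB", "mfa": True},
    {"time": "2024-05-01T08:40:05Z", "user": "a.user@example.org", "sessionId": "S1",
     "ip": "203.0.113.10", "country": "GB", "mfa": False},
    {"time": "2024-05-01T09:15:42Z", "user": "a.user@example.org", "sessionId": "S1",
     "ip": "198.51.100.77", "country": "NL", "mfa": False},
    {"time": "2024-05-01T10:00:00Z", "user": "b.user@example.org", "sessionId": "S2",
     "ip": "203.0.113.10", "country": "GB", "mfa": True},
]


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_session_anomalies(records, max_hours=24):
    """Return one alert per session used from a different country than the MFA
    sign-in that created it, without a fresh MFA in between. A bare IP change is
    ignored (mobile users change IP constantly); a country change is the signal."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["sessionId"]].append(rec)
    alerts = []
    for session_id, events in by_session.items():
        events.sort(key=lambda r: _parse_time(r["time"]))
        origin = events[0]  # the sign-in that established the session
        for event in events[1:]:
            if event["mfa"]:
                origin = event  # a fresh MFA challenge re-baselines the session
                continue
            elapsed_h = (_parse_time(event["time"]) - _parse_time(origin["time"])).total_seconds() / 3600
            if event["country"] != origin["country"] and elapsed_h <= max_hours:
                alerts.append({
                    "user": event["user"], "sessionId": session_id,
                    "from": (origin["ip"], origin["country"]),
                    "to": (event["ip"], event["country"]),
                    "hours_since_mfa": round(elapsed_h, 2),
                })
                break  # one alert per session is enough for triage
    return alerts
```

On the sample data this reports session S1 continuing from NL about 1.23 hours after its GB MFA sign-in, which is the kind of event worth an alert or an automatic session revocation.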
Following this incident, NPTA has implemented a series of measures to strengthen its overall security posture. All staff are now undertaking Cyber Security Awareness Training to help reduce risky behaviour, improve recognition of phishing attempts and encourage secure handling of devices and accounts. NPTA has also introduced additional vulnerability assessments to identify weaknesses more proactively, alongside further Microsoft 365 security hardening, including improved access controls, strengthened logging and monitoring, and enhanced threat protection features. These steps are designed to significantly reduce the risk of a similar incident occurring in the future and to support a more resilient and secure digital environment for staff and stakeholders alike.