    Threat Intel

    Infostealers Are the Biggest Story in Cybersecurity Right Now. Your MFA Will Not Save You.

    James McMurry, February 16, 2026, 22 min read

    Infostealer malware is everywhere right now. It is in Chrome extensions with Google's Featured badge. It is spreading through compromised WhatsApp accounts. It is hiding inside fake AI tools, poisoned GitHub repos, and ClickFix lures that trick users into running Terminal commands. Microsoft just called it a threat that is "rapidly expanding beyond traditional Windows-focused campaigns." Flare analyzed 18.7 million infostealer logs from 2025 and found 2.05 million contained enterprise identity credentials. And it is accelerating.

    I need to tell you something that most security vendors will not say out loud because it is bad for business. Your multi-factor authentication is not protecting you from any of this. Not anymore.

    Attackers are not trying to break your MFA. They do not need to. They are waiting for you to complete it yourself, and then they steal what comes after. The target is not the login. The target is the session.

    There are two main paths to the same outcome:

    • Adversary in the Middle phishing captures the session in transit.
    • Infostealer malware steals the session off the endpoint after the fact.

    Different entry, same result: a fully authenticated attacker walking around as you.

    The Shift from Credentials to Sessions

    In the first half of 2025, reporting tied to infostealer activity put the number of stolen credentials at 1.8 billion, described as an 800 percent increase over the prior year.

    But what makes 2026 different is not the volume. It is what they are stealing.

    Flare's 2026 State of Enterprise Infostealer Exposure report lays it out clearly. Their team analyzed 18.7 million infostealer logs from 2025. More than 2.05 million of those logs contained enterprise SSO or identity provider credentials. Microsoft Entra ID appeared in 79 percent of enterprise identity logs, making it the most targeted identity provider by a wide margin. And 1.17 million logs contained both enterprise credentials and active session cookies, giving attackers everything they need to bypass MFA entirely.

    Here is the number that should keep you up at night: despite a 20 percent year-over-year decline in total infostealer infections, enterprise identity exposure kept climbing. Fewer infections, but each one hitting harder. Flare projects that by Q3 2026, one in five infostealer infections could yield enterprise credentials. The attackers are getting more targeted, not less.

    Modern infostealers are not just grabbing usernames and passwords. They are harvesting session tokens, authentication cookies, refresh artifacts, and browser state data. The artifacts that exist after MFA has already been satisfied.

    When you log into Microsoft Entra ID, your browser receives tokens that let you keep making requests without re-authenticating. If an attacker steals that session material, they do not need your password. They do not need to intercept your MFA push. They present a valid session and every system treats them as you.

    This is MITRE ATT&CK technique T1539 (Steal Web Session Cookie) feeding into T1550.001 (Use Alternate Authentication Material: Application Access Token). It is not new. What is new is the scale and the tooling.

    Path One: AiTM Phishing Captures the Session in Transit

    Let me walk through the mechanics because understanding the attack chain matters more than understanding the marketing name.

    Adversary in the Middle phishing uses reverse proxy frameworks, most commonly Evilginx2, to position the attacker between the victim and the legitimate identity provider. The victim sees a real Microsoft login page. They enter their password. They approve the MFA prompt. Everything looks normal.

    But every request is flowing through the attacker's proxy. When Entra ID issues the session artifacts after successful MFA, the proxy captures them in transit.

    Here is what this often looks like in sign-in telemetry:

    Authentication Details: MFA requirement satisfied by claim in the token
    Authentication Requirement: singleFactorAuthentication (because MFA was already "satisfied")
    User Agent: Normal for the user
    IP Address: VPS or hosting provider, not your corporate egress or VPN
    Location: Differs from the user's established pattern
    Timing: Off hours or unusually fast follow-on access to sensitive apps

    The critical indicator is MFA satisfied by claim in the token rather than a fresh interactive challenge. That means the session was established using previously captured material, not through a new MFA event. Most security teams do not monitor for this distinction.

    One important nuance: Microsoft notes that "satisfied by claim in the token" can appear in early sign-in records before full aggregation is complete, so treat it as a signal that needs corroboration, not a verdict by itself.

    Path Two: Infostealers Steal the Session Off the Endpoint

    AiTM gets the headlines because it feels slick. Infostealers are what make this problem explode in volume. Same outcome, different path.

    AiTM captures the session in transit. Infostealers capture it after the fact, directly from the browser and the operating system.

    That difference matters because you can have perfect MFA, no obvious phishing click, and still lose a fully authenticated session when a user runs the wrong installer, approves the wrong prompt, or installs the wrong extension.

    How Infostealers Actually Land

    Infostealers do not need exotic exploit chains. They live on distribution and user behavior.

    Common entry paths we see over and over:

    • Fake AI tools and fake productivity apps
    • Cracked software, keygens, and "free" utilities
    • SEO poisoned downloads and lookalike domains
    • ClickFix style lures that push users into running Terminal or PowerShell commands
    • Poisoned GitHub repos and copy-paste install instructions
    • Browser extensions that claim to enhance AI, meeting notes, translation, or productivity
    • Compromised messaging accounts used to propagate malware to trusted contacts

    That last one is newer. Microsoft Defender Experts documented attackers compromising WhatsApp accounts and using them to distribute Eternidade Stealer through multi-stage infection chains with worm-like propagation. The malware spreads through the victim's contacts, which means it arrives from someone the target trusts. That is a distribution vector most organizations are not watching for.

    Since late 2025, Microsoft has also been tracking macOS-targeted infostealer campaigns using social engineering, including ClickFix style prompts and malicious DMG installers, delivering DigitStealer, MacSync, and Atomic macOS Stealer (AMOS). These campaigns use fileless execution, native macOS utilities, and AppleScript automation to harvest credentials, session data, and developer secrets. If you thought infostealers were a Windows problem, they are not anymore. Microsoft's own assessment is that these threats are "rapidly expanding beyond traditional Windows-focused campaigns."

    What They Steal After MFA Is Done

    Modern infostealers are not "password stealers." They are session stealers that happen to collect passwords too.

    High value artifacts include:

    • Browser cookies and session tokens for Microsoft 365, Google Workspace, Okta, Slack, Salesforce, GitHub
    • Browser LocalStorage and SessionStorage where modern apps persist auth state
    • Saved passwords and autofill data
    • Refresh artifacts that enable token refresh and long lived access
    • API keys, private keys, SSH keys, developer tokens
    • Anything that matches keywords like token, key, secret, auth, session, private

    This is why MFA does not save you. MFA happens at login. Infostealers loot the aftermath.

    What It Looks Like in Real Telemetry

    Infostealers leave repeatable patterns:

    • Non-browser processes reading browser databases like Cookies, Login Data, Web Data, Local State
    • Short bursts of file access across many user profile locations, followed by archive creation
    • Outbound traffic from unusual processes to fresh domains or disposable infrastructure
    • Then cloud activity that looks like the user, because it is using the user's session

    The workstation event is the spark. The cloud session theft is the fire.
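    The endpoint half of that pattern, as an added example that is not ThreatHunter.ai's code and not a Defender query: it runs over constructed file events, flags any non-browser process that touches the browser credential and cookie stores named above, and raises the severity when the same process creates an archive shortly afterwards. Hostnames, process names, paths, the archive window and the "read"/"create" action labels are all constructed assumptions.

```python
"""Endpoint hunt for infostealer file-access behaviour over constructed events."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Browser stores an infostealer reads; the browser itself opening them is normal
BROWSER_STORES = {"Cookies", "Login Data", "Web Data", "Local State"}
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe"}
ARCHIVE_SUFFIXES = {".zip", ".7z", ".rar"}


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    host: str
    process: str   # initiating process image name
    action: str    # constructed labels: "read" or "create"
    path: str      # Windows path of the file touched


def _is_browser_store(path: str) -> bool:
    """True for a store file that sits under a browser 'User Data' profile tree."""
    p = PureWindowsPath(path)
    return p.name in BROWSER_STORES and "User Data" in p.parts


def hunt_browser_store_access(events, archive_window=timedelta(minutes=10)):
    """One finding per (host, process) that read browser stores, with a severity.

    Severity: 'high' if the process also created an archive within the window
    after its first store read, 'medium' if it read two or more distinct stores,
    otherwise 'low'.
    """
    reads = defaultdict(list)     # (host, process) -> [(ts, path)]
    archives = defaultdict(list)  # (host, process) -> [(ts, path)]
    for e in events:
        if e.process.lower() in BROWSER_PROCESSES:
            continue              # expected: browsers read their own stores
        key = (e.host, e.process)
        if e.action == "read" and _is_browser_store(e.path):
            reads[key].append((e.ts, e.path))
        elif e.action == "create" and PureWindowsPath(e.path).suffix.lower() in ARCHIVE_SUFFIXES:
            archives[key].append((e.ts, e.path))

    findings = []
    for (host, process), touched in reads.items():
        first_touch = min(ts for ts, _ in touched)
        stores = sorted({PureWindowsPath(p).name for _, p in touched})
        archive = next(
            (p for ts, p in sorted(archives[(host, process)])
             if first_touch <= ts <= first_touch + archive_window),
            None,
        )
        severity = "high" if archive else ("medium" if len(stores) >= 2 else "low")
        findings.append({
            "host": host, "process": process, "stores": stores,
            "store_reads": len(touched), "archive": archive, "severity": severity,
        })
    return sorted(findings, key=lambda f: f["host"])


# Constructed sample telemetry
T = datetime(2026, 2, 16, 10, 0, 0)
CHROME = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
EDGE = r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data"
SAMPLE_EVENTS = [
    FileEvent(T, "WS01", "chrome.exe", "read", CHROME + r"\Default\Cookies"),      # benign
    FileEvent(T + timedelta(seconds=5), "WS01", "Updater.exe", "read", CHROME + r"\Default\Login Data"),
    FileEvent(T + timedelta(seconds=6), "WS01", "Updater.exe", "read", CHROME + r"\Default\Cookies"),
    FileEvent(T + timedelta(seconds=7), "WS01", "Updater.exe", "read", EDGE + r"\Default\Cookies"),
    FileEvent(T + timedelta(seconds=8), "WS01", "Updater.exe", "read", CHROME + r"\Local State"),
    FileEvent(T + timedelta(seconds=40), "WS01", "Updater.exe", "create", r"C:\Users\alice\AppData\Local\Temp\out.zip"),
    FileEvent(T + timedelta(minutes=3), "WS02", "backup.exe", "read", EDGE + r"\Local State"),
]

if __name__ == "__main__":
    for finding in hunt_browser_store_access(SAMPLE_EVENTS):
        print(finding)
```

    The burst-then-archive sequence is what separates an infostealer from a legitimate backup or sync agent, so the archive lookup is keyed to the same process and bounded by a short window rather than matched anywhere on the host.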

    Response Reality: Assume Session Exposure

    When you confirm an infostealer infection, treat it as more than malware cleanup. If you stop at reimaging the box, you have done almost nothing.

    Minimum actions that actually reduce risk:

    • Revoke active sessions for the user at the identity provider
    • Reset the password and require re-registration of MFA where policy allows
    • Rotate API keys and developer tokens accessible from that endpoint
    • Review OAuth app consents and newly authorized apps for that user
    • Check mailbox rules, forwarding, and suspicious sign-ins for persistence
    • Hunt for the same infostealer indicators across the fleet, not just the one box that got caught

    What the IOCs Look Like in the Wild

    We track several categories of indicators when hunting for session theft. Here is what to look for in your own environment.

    Authentication Anomalies

    Impossible travel. User authenticates from Chicago at 9:00 AM EST, then from Amsterdam at 9:12 AM EST. Calculate the distance and time. If the geographic displacement is physically impossible, the second session is using stolen session material.

    Concurrent sessions from divergent sources. Same user accessing the same apps from two different IPs or two different user agents within minutes. Legitimate users do not do that without a story you can verify.

    Token use that does not match the issuance context. A refresh pattern, device context, or access pattern that does not match the original sign-in footprint.

    Off hours sign-ins from new infrastructure. A user who has never authenticated from hosting provider space suddenly shows sign-ins from AWS, Azure, or DigitalOcean ranges at 3 AM. Attackers operate from VPS infrastructure because it is disposable.
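    The impossible-travel calculation described above, as an added example that is not ThreatHunter.ai's code: it pairs each user's consecutive successful sign-ins, computes the great-circle distance between the two geolocated IPs, and flags pairs whose implied speed no traveller could reach. The coordinates, IPs and the 1000 km/h cutoff are constructed assumptions; the Chicago and Amsterdam pair reproduces the 9:00 AM and 9:12 AM EST case from the text.

```python
"""Impossible-travel check over constructed sign-in records."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: about airliner speed; tune per tenant


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime        # timestamp in UTC
    ip: str
    city: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """One finding per consecutive sign-in pair whose implied speed exceeds max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(e.user, []).append(e)

    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev.ip == cur.ip:
                continue                      # same IP implies no travel
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # A real displacement with no elapsed time is trivially impossible
            speed = km / hours if hours > 0 else (float("inf") if km > 1.0 else 0.0)
            if speed > max_kmh:
                findings.append({
                    "user": user,
                    "from": (prev.city, prev.ip, prev.ts.isoformat()),
                    "to": (cur.city, cur.ip, cur.ts.isoformat()),
                    "distance_km": round(km, 1),
                    "minutes": round(hours * 60, 1),
                    "implied_kmh": round(speed, 1),
                })
    return findings


def _utc(y, mo, d, h, mi):
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Constructed sample: 9:00 AM EST is 14:00 UTC and 9:12 AM EST is 14:12 UTC
SAMPLE_SIGNINS = [
    SignIn("alice@example.com", _utc(2026, 2, 16, 14, 0), "203.0.113.10", "Chicago", 41.8781, -87.6298),
    SignIn("alice@example.com", _utc(2026, 2, 16, 14, 12), "198.51.100.7", "Amsterdam", 52.3676, 4.9041),
    # bob: office in the morning, home in the evening, both in the Chicago area
    SignIn("bob@example.com", _utc(2026, 2, 16, 14, 0), "203.0.113.10", "Chicago", 41.8781, -87.6298),
    SignIn("bob@example.com", _utc(2026, 2, 16, 23, 0), "192.0.2.44", "Evanston", 42.0451, -87.6877),
]

if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_SIGNINS):
        print(finding)
```

    Keep corporate VPN and cloud proxy egress ranges out of the input, or map them to a fixed location first; otherwise every VPN reconnect looks like a teleport.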

    Network and Endpoint Indicators

    Known reverse proxy infrastructure. Evilginx deployments leave fingerprints. Look for TLS certificates issued to domains that closely mimic your organization's login portal. Certificate transparency logs are your friend here. Monitor for newly registered domains containing your brand name combined with terms like "login," "auth," "sso," or "portal."

    Infostealer communication patterns. Current AMOS variants communicate with domains following patterns like chatsaigpt[.]com and deepaichats[.]com. Lumma Stealer uses rotating C2 infrastructure but often resolves through Cloudflare or bulletproof hosting. Watch for sudden DNS churn and outbound POST traffic from endpoints that do not usually generate it, especially from browser-adjacent processes.

    Browser extension telemetry. Malicious extensions exfiltrate data on a timer. The recently discovered fake AI assistant extensions were sending stolen content every 30 minutes. The AiFrame campaign identified by LayerX used 32 extensions all communicating with infrastructure under tapnetic[.]pro. Look for periodic outbound POST requests from browser processes to unfamiliar domains, particularly those carrying base64 encoded payloads.
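    A check for the timer-driven exfiltration just described, as an added example that is not ThreatHunter.ai's code: it reads constructed proxy log lines, groups outbound POSTs from browser processes by destination, and flags destinations whose inter-request gaps are too regular to be a human, such as a 30 minute cadence. The log format, domains, process names, the allow list and the jitter threshold are constructed assumptions.

```python
"""Periodic-beacon check for browser extension exfiltration over constructed log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import median

BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe"}
ALLOWED_DOMAINS = {"outlook.office.com", "mail.google.com"}   # assumption: org allow list


def parse_line(line: str):
    """Parse a constructed '<iso timestamp> <process> <method> <domain>' line."""
    ts, process, method, domain = line.split()
    return datetime.fromisoformat(ts), process.lower(), method.upper(), domain.lower()


def find_periodic_posts(lines, min_events: int = 4, max_jitter: float = 0.10):
    """Return one finding per (process, domain) whose POST gaps stay within
    max_jitter of their median gap; period_min is that median in minutes."""
    series = defaultdict(list)
    for line in lines:
        ts, process, method, domain = parse_line(line)
        if process in BROWSER_PROCESSES and method == "POST" and domain not in ALLOWED_DOMAINS:
            series[(process, domain)].append(ts)

    findings = []
    for (process, domain), stamps in series.items():
        if len(stamps) < min_events:
            continue                          # too few points to call it a timer
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        jitter = max(abs(g - period) for g in gaps) / period
        if jitter <= max_jitter:
            findings.append({"process": process, "domain": domain,
                             "period_min": round(period / 60, 1),
                             "events": len(stamps), "jitter": round(jitter, 3)})
    return findings


# Constructed sample: ext-sync.example is hit every ~30 minutes, notes.example at random
SAMPLE_LOG = [
    "2026-02-16T09:00:00 chrome.exe POST ext-sync.example",
    "2026-02-16T09:05:00 chrome.exe POST notes.example",
    "2026-02-16T09:10:00 chrome.exe GET ext-sync.example",
    "2026-02-16T09:12:00 chrome.exe POST notes.example",
    "2026-02-16T09:30:03 chrome.exe POST ext-sync.example",
    "2026-02-16T09:50:00 chrome.exe POST notes.example",
    "2026-02-16T09:55:00 chrome.exe POST notes.example",
    "2026-02-16T09:59:58 chrome.exe POST ext-sync.example",
    "2026-02-16T10:00:00 chrome.exe POST mail.google.com",
    "2026-02-16T10:30:04 chrome.exe POST ext-sync.example",
    "2026-02-16T10:31:00 outlook.exe POST ext-sync.example",
    "2026-02-16T11:00:00 chrome.exe POST ext-sync.example",
    "2026-02-16T11:05:00 chrome.exe POST notes.example",
    "2026-02-16T11:30:01 chrome.exe POST ext-sync.example",
]

if __name__ == "__main__":
    for finding in find_periodic_posts(SAMPLE_LOG):
        print(finding)
```

    Legitimate sync clients beacon too, so the allow list matters; the useful output is a regular timer to a domain nobody in the organisation can account for, which is then worth pairing with the extension inventory on that host.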

    Specific TTPs to Hunt For

    MITRE ATT&CK ID | Technique                          | What to Look For
    --------------- | ---------------------------------- | ----------------------------------------------------------------
    T1539           | Steal Web Session Cookie           | Browser cookie stores accessed, cookie and LocalStorage theft
    T1550.001       | Application Access Token           | Session material used from IPs or devices not matching original sign-in
    T1557           | Adversary in the Middle            | MFA satisfied by claim in the token without fresh challenge
    T1078.004       | Valid Accounts: Cloud              | Valid identity used from anomalous infrastructure
    T1185           | Browser Session Hijacking          | Active sessions accessed from new user agents mid session
    T1606.001       | Forge Web Credentials: SAML        | Token manipulation or federation abuse to escalate post auth
    T1110.003       | Password Spraying                  | High volume failed auth preceding a successful access path

    The Scale of the Current Threat

    Let me put some numbers on this so you understand why I am writing about it today.

    2.05 million infostealer logs contained enterprise identity credentials in 2025 alone, according to Flare's analysis of 18.7 million logs. 1.17 million of those included active session cookies alongside the credentials. That is not theoretical risk. That is MFA bypass material sitting in attacker hands, ready to use.

    149 million credentials were exposed in an unsecured database discovered by researcher Jeremiah Fowler, including 48 million Gmail accounts and 17 million Facebook accounts, among other services. The database was actively growing while researchers investigated. The malware campaigns feeding it were still running.

    Over 900,000 users installed two Chrome extensions disguised as AI assistants that OX Security researchers found were exfiltrating ChatGPT and DeepSeek conversations alongside browsing data on a 30 minute interval. One of the extensions carried Google's "Featured" badge. They were still on the Chrome Web Store when the findings were published.

    30+ Chrome extensions impersonating Claude, ChatGPT, Gemini, and Grok were identified by LayerX in mid-February 2026 as part of a coordinated campaign called AiFrame. Over 260,000 users installed them. All 32 extensions shared the same codebase and communicated with tapnetic[.]pro infrastructure. A subset of 15 could read and extract email content directly from the Gmail interface.

    7 million users of Urban VPN Proxy across Chrome and Edge discovered that a July 2025 update had quietly begun intercepting their conversations with eight AI platforms, including ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok, and Meta AI. The data was sent to a data broker. The extension had a 4.7 star rating and Google's Featured badge.

    AMOS infostealer has expanded beyond traditional distribution into fake AI tool installers, poisoned GitHub repositories, and ClickFix style attacks targeting macOS users. Microsoft Defender Experts documented these campaigns using social engineering, ClickFix style prompts, and malicious installers delivering DigitStealer, MacSync, and AMOS. Microsoft described this as infostealers "rapidly expanding beyond traditional Windows-focused campaigns."

    Infostealers are now vacuuming up secrets from AI agent tooling. BleepingComputer reported infostealer activity targeting OpenClaw related files containing API keys and authentication tokens. Hudson Rock identified the malware as a likely Vidar variant. It does not specifically target AI agents. It runs broad file scanning routines looking for keywords like "token" and "private key." But as AI agents proliferate, their configuration directories become high value targets caught in the sweep.

    The common thread across all of these is that they render MFA irrelevant by attacking the session layer rather than the authentication layer.

    Detection Strategies That Actually Work

    If you are serious about catching these attacks, here is where to focus your detection engineering.

    Monitor the Identity Layer, Not Just the Endpoint

    Your EDR watches processes on workstations. But an attacker replaying stolen Entra session material operates entirely in the cloud. There is no malicious process on any endpoint. There is no file to scan. The attack is a legitimate looking API call using a legitimate token.

    You need to analyze authentication events at the identity provider level. Pull Entra sign-in logs, Okta system logs, Google Workspace login audit. Correlate across:

    • Source IP and geolocation per sign-in
    • User agent consistency across access patterns
    • Authentication details that show "claim in the token" behavior
    • Time between sign-ins from different locations
    • Device compliance state at time of access
    • Conditional access outcomes and risk signals

    Build Behavioral Baselines

    Static rules will not catch these attacks because stolen sessions look identical to legitimate sessions. You need behavioral context.

    For each user, establish what normal looks like. Typical working hours, typical locations, typical devices, typical access patterns. Then alert on deviations. Not on individual signals but on combinations.

    A new IP by itself is noise. A new IP, off hours, "claim in the token" behavior, and access to sensitive resources the user does not normally touch? That is a hunt lead worth burning time on.

    Reduce Session Value and Lifetime

    If your identity provider supports Continuous Access Evaluation (CAE), enable it. CAE can reduce the usable lifetime of stolen tokens when risk or access conditions change.

    Configure conditional access policies to:

    • Require compliant or hybrid joined devices for sensitive apps
    • Restrict session duration and sign-in frequency for high risk applications
    • Block sign-ins from known hosting provider ranges where practical
    • Require step up authentication for high risk sign-ins and sensitive actions

    These controls do not eliminate the threat. They shrink the window where a stolen session is useful.

    Get Serious About Browser Extensions

    Most organizations have zero visibility into what browser extensions are installed across their fleet. This is a problem because malicious extensions now operate as fully functional infostealers with access to everything the browser can see.

    The AiFrame campaign proved that attackers can maintain 32 extensions with shared infrastructure and have them sit in the Chrome Web Store collecting data from hundreds of thousands of users. Urban VPN Proxy showed that even a legitimate extension with millions of users and Google's Featured badge can silently pivot to data collection with a single update. And the OX Security findings demonstrated that Google's own vetting process, including the Featured badge, does not catch malicious behavior.

    Audit what is installed. Establish an allow list. Monitor for new installations and extension updates. Block extensions that request permissions to read page content, access cookies, or communicate with external servers unless there is a documented business justification.

    Watch for AI Tool Targeting

    This is the emerging front. Infostealers are now harvesting data from AI platforms and AI agent configurations, not because attackers built custom modules for it, but because broad file scanning routines are catching AI secrets in the sweep.

    Monitor for unusual access to AI agent configuration directories. Review what secrets and tokens are stored locally by AI tooling on your endpoints. If your developers are running AI agents with access to cloud services, those configuration files are now part of your attack surface.

    Hunting Queries to Start With Today

    Entra ID Sign-In Logs (Sentinel)

    This looks for successful sign-ins in the last 24 hours where the details indicate a "claim in the token" pattern, and the IP is new for that user compared to the prior 30 days.

    let lookback = 24h;                          // window to hunt in
    let baseline = 30d;                          // history used to learn each user's normal IPs
    let tokenClaimPhrase = "claim in the token";
    // Successful sign-ins in the baseline window, one row per user and IP
    let BaselineIPs =
        SigninLogs
        | where TimeGenerated between (ago(baseline) .. ago(lookback))
        | where ResultType == "0"                // success; ResultType is a string column
        | summarize by UserPrincipalName, IPAddress;
    
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | extend AuthDetails = todynamic(AuthenticationDetails)
    | extend AdditionalDetails = tostring(Status.additionalDetails)
    // Match the phrase wherever the tenant's schema surfaces it
    | where AdditionalDetails has tokenClaimPhrase
        or tostring(AuthDetails) has tokenClaimPhrase
    // Keep only user/IP pairs never seen in the baseline window
    | join kind=leftanti BaselineIPs on UserPrincipalName, IPAddress
    | project TimeGenerated, UserPrincipalName, IPAddress,
              AppDisplayName, ConditionalAccessStatus,
              AuthenticationRequirement, AdditionalDetails, UserAgent
    | order by TimeGenerated desc

    Treat this as a starting pattern. Tune it to your tenant, your VPN, your office egress, and the reality that sign-in log fields vary.

    Defender for Endpoint Advanced Hunting (Infostealer Behavior)

    This catches a common infostealer move: a non-browser process touching browser credential and cookie stores.

    DeviceFileEvents
    | where Timestamp > ago(24h)
    // Chromium-based browser profile roots; add Firefox and macOS paths for your fleet
    | where FolderPath has_any (
        @"\AppData\Local\Google\Chrome\User Data",
        @"\AppData\Local\Microsoft\Edge\User Data",
        @"\AppData\Local\BraveSoftware\Brave-Browser\User Data"
    )
    // Credential, cookie, autofill and key-material stores
    | where FileName in~ ("Cookies", "Login Data", "Web Data", "Local State")
    // The browser itself is expected to touch these; anything else is the lead
    | where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "brave.exe")
    | project Timestamp, DeviceName, AccountName,
              FileName, FolderPath,
              InitiatingProcessFileName, InitiatingProcessCommandLine
    | order by Timestamp desc

    Neither of these is a finished detection. They are starting points for your threat hunting team. Tune them to your environment and correlate with what you know about your infrastructure. The results will tell you where to dig.

    The Uncomfortable Truth

    The security industry spent twenty years building walls around credentials. Passwords, then MFA, then passwordless. Each iteration made the front door harder to break through.

    So attackers stopped trying to break through the front door. They wait for you to open it, walk through behind you, and steal the key out of your pocket.

    Session tokens are the new perimeter. If you are not monitoring authentication at the identity layer, correlating session behavior across your environment, and hunting for the TTPs I outlined above, you have a blind spot that attackers are actively exploiting at industrial scale.

    I have been doing this since 2007. I have watched every evolution of this threat landscape. And I am telling you that identity based attacks are the defining challenge of this moment. Not because they are the most sophisticated. But because they exploit the gap between what organizations think their security tools cover and what those tools actually see.

    Start hunting in your authentication logs. The indicators are there. You just have to look for them.


    James McMurry is the CEO and Founder of ThreatHunter.ai, a Service Disabled Veteran Owned Small Business providing 24/7 threat hunting services since 2007. For questions about identity threat detection or the techniques discussed in this post, reach out at info@threathunter.ai or visit threathunter.ai.