TempMail Ninja

Session Hijacking Attacks: Storm Infostealer and EvilTokens Bypass 2FA


The cybersecurity landscape has reached a precarious inflection point in April 2026. As organizations continue to fortify their perimeters with Multi-Factor Authentication (MFA) and robust password policies, threat actors have pivoted their focus from breaking the door down to stealing the keys already in the victim’s pocket. Recent reports highlight a sophisticated, dual-pronged offensive: the emergence of the “Storm” infostealer and the “EvilTokens” phishing-as-a-service (PhaaS) platform. Together, these tools are rendering traditional 2FA mechanisms dangerously insufficient by prioritizing session hijacking as the primary vector for account takeover.

The Evolution of Account Takeover: Beyond the Password

For years, industry security standards focused heavily on preventing credential theft. Phishing campaigns were designed to trick users into entering usernames and passwords into fraudulent portals. However, as MFA became ubiquitous, these campaigns faced a significant hurdle: capturing the second factor. Today, the strategy has shifted entirely. Instead of attempting to capture credentials during the login process, attackers are now targeting the authenticated session itself.

Session hijacking represents a paradigm shift because it operates in the post-authentication environment. When a user completes a successful login—providing both a password and a 2FA token—the web server issues a session token (often stored in a cookie). This token serves as a persistent, temporary identifier that tells the server, “This user has already proven who they are; do not ask them again.” By exfiltrating these active tokens, attackers can effectively skip the login and MFA hurdles entirely, assuming the digital identity of the victim without ever needing to know their password or intercept their secondary authentication codes.

The “Storm” Infostealer: Remote Decryption Tactics

The “Storm” infostealer, identified by researchers in early April 2026, marks a significant escalation in malware sophistication. Unlike traditional infostealers that attempt to decrypt browser-stored data locally on the victim’s machine, Storm adopts a stealthier approach to evade Endpoint Detection and Response (EDR) tools.

  • Off-Device Decryption: Instead of performing decryption locally—a process that often triggers security alerts—Storm exfiltrates the encrypted browser files and session data directly to attacker-controlled servers.
  • Bypassing Local Protection: By moving decryption off the device, Storm never has to invoke the local decryption routines for the browser’s SQLite cookie and credential stores, and so avoids the behavioral triggers that EDR tools associate with credential harvesting.
  • Stealthy Persistence: Once the session tokens are decrypted and restored on the attacker’s machine, they can maintain persistent access to the victim’s accounts, allowing for long-term intelligence gathering and lateral movement within corporate environments.

“EvilTokens” and the Rise of Phishing-as-a-Service

Complementing the stealth of Storm is the “EvilTokens” platform, a turnkey PhaaS kit that has weaponized the OAuth device code flow. First observed in mid-February 2026, EvilTokens demonstrates how readily available tools allow even low-skill attackers to conduct highly effective, large-scale campaigns.

The brilliance—and danger—of the EvilTokens campaign lies in its abuse of a legitimate authentication workflow. The attack flow is engineered to deceive the user into facilitating their own compromise:

  1. The Lure: Users receive phishing lures (often via email or document attachments) impersonating trusted services such as DocuSign, SharePoint, or Adobe Acrobat.
  2. The Device Code Trap: The phishing site displays a legitimate, short-lived device code and prompts the user to “verify their identity” on the official Microsoft login page.
  3. Legitimate Authorization: When the victim enters the code on the real Microsoft portal and completes their standard 2FA challenge, they are unknowingly authorizing the attacker’s device, not their own.
  4. Token Acquisition: The attacker receives valid access and refresh tokens, granting them immediate and sustained access to the target’s Microsoft 365 services, including email, files, and Teams history.

Because the authentication process takes place on the official, legitimate login domain, many traditional phishing detection controls—which rely on blocking malicious URLs or identifying fake login pages—fail to intercept the request.

The Urgency of Phishing-Resistant Authentication

The effectiveness of Storm and EvilTokens proves that traditional 2FA, while better than nothing, is no longer a complete solution. SMS codes, push notifications, and even app-based OTPs are all susceptible to session hijacking because they are tied to the initial login event, not the session itself. To effectively combat these threats, security professionals are advocating for a transition toward truly phishing-resistant authentication methods.

FIDO2 and Passkeys: The Path Forward

FIDO2-compliant hardware tokens and passkeys offer a robust defense against these sophisticated hijacking tactics. Unlike passwords or OTPs, which can be intercepted or relayed, FIDO2 authentication is cryptographically bound to the specific origin (the domain) of the login attempt.

The primary advantages of adopting these standards include:

  • Origin Binding: Because the credential is bound to the registered domain, a login attempt relayed through a fraudulent site cannot produce a valid response: the browser only invokes the credential for the domain it was registered on, and the relying party rejects any response recorded against a different origin.
  • Elimination of Shared Secrets: There are no reusable “tokens” or “codes” in the login ceremony for malware like Storm to exfiltrate. The private key remains securely stored on the user’s device or hardware key.
  • Session Security: By utilizing hardware-backed authentication, organizations can significantly reduce the risk of successful token theft and unauthorized session persistence; the session cookie issued after a FIDO2 login still needs the session-lifetime and risk controls described below.

Defensive Strategies for Modern Organizations

Beyond the adoption of phishing-resistant authentication, organizations must implement a multi-layered defense-in-depth strategy to minimize the impact of infostealer campaigns.

1. Strengthen Identity and Access Management (IAM)

Organizations should enforce strict Conditional Access policies. These policies should evaluate session risks in real time, looking for anomalous login patterns, unusual geographic locations, or unauthorized device configurations. Implementing session-lifetime limits and requiring step-up authentication for sensitive internal resources can mitigate the “dwell time” attackers have once they possess a stolen token.

2. Enhance Endpoint Security and Visibility

Because infostealers like Storm operate by harvesting data from browser processes, endpoints must be managed with robust EDR solutions. However, visibility is key. Security Operations Center (SOC) teams should proactively hunt for signs of session token theft, such as unexpected device registration events or unusual OAuth application authorizations that correlate with the timeline of known phishing campaigns.
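A hunting rule for the device code flow described in the EvilTokens section and the correlation this paragraph recommends, as an added example (not code from the post or from any vendor). The event field names and the allow-list are assumptions loosely modelled on a cloud identity provider’s sign-in and audit logs; the log entries are constructed.

```javascript
// Added example (not from the post): hunt constructed identity-provider events for
// device code flow sign-ins that match the EvilTokens pattern. Field names are an
// assumption loosely modelled on a cloud IdP sign-in log, not a real schema.
const ALLOWED_DEVICE_CODE_APPS = new Set(["Corp Meeting Room Display"]); // assumed allow-list

const events = [ // constructed sample data
  { ts: "2026-04-08T08:00:00Z", type: "signIn", user: "alice@example.com", ip: "203.0.113.10", protocol: "none", app: "Outlook" },
  { ts: "2026-04-08T08:05:00Z", type: "signIn", user: "bob@example.com", ip: "203.0.113.22", protocol: "none", app: "Teams" },
  { ts: "2026-04-08T09:12:00Z", type: "signIn", user: "alice@example.com", ip: "198.51.100.7", protocol: "deviceCode", app: "Microsoft Office" },
  { ts: "2026-04-08T09:14:30Z", type: "deviceRegistration", user: "alice@example.com", ip: "198.51.100.7", app: "" },
  { ts: "2026-04-08T09:15:00Z", type: "signIn", user: "bob@example.com", ip: "203.0.113.22", protocol: "deviceCode", app: "Corp Meeting Room Display" },
];

function detectDeviceCodeAbuse(log, windowMinutes = 30) {
  // Baseline: IPs each user has used on ordinary (non-device-code) sign-ins.
  const baselineIps = new Map();
  for (const e of log) {
    if (e.type === "signIn" && e.protocol !== "deviceCode") {
      if (!baselineIps.has(e.user)) baselineIps.set(e.user, new Set());
      baselineIps.get(e.user).add(e.ip);
    }
  }
  const alerts = [];
  for (const e of log) {
    if (e.type !== "signIn" || e.protocol !== "deviceCode") continue;
    const reasons = [];
    if (!ALLOWED_DEVICE_CODE_APPS.has(e.app)) reasons.push(`device code flow used by unexpected app "${e.app}"`);
    if (!(baselineIps.get(e.user) ?? new Set()).has(e.ip)) reasons.push(`ip ${e.ip} never seen on ordinary sign-ins`);
    // Correlate with a device registration or app consent (any non-sign-in audit event
    // here) shortly after the device-code sign-in: the follow-on activity to hunt for.
    const t0 = Date.parse(e.ts);
    const followUp = log.find((f) => f.user === e.user && f.type !== "signIn"
      && Date.parse(f.ts) >= t0 && Date.parse(f.ts) - t0 <= windowMinutes * 60_000);
    if (followUp) reasons.push(`${followUp.type} ${Math.round((Date.parse(followUp.ts) - t0) / 60_000)} min later`);
    if (reasons.length > 0) alerts.push({ user: e.user, ts: e.ts, severity: followUp ? "high" : "medium", reasons });
  }
  return alerts;
}

console.log(JSON.stringify(detectDeviceCodeAbuse(events), null, 2));
```

Bob’s device-code sign-in comes from an allow-listed app and a known IP with no follow-on activity, so only Alice’s is raised, at high severity because a device registration follows it within the window.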

3. Security Awareness and Culture

Technical controls will always be challenged by human behavior. Training programs must be updated to reflect the new reality of device code phishing. Users should be instructed never to input device codes or verify identities via links provided in unsolicited communications. A culture of verification, where employees are encouraged to report any request to enter a code or authorize a new device, remains a vital frontline defense.

Conclusion: Adapting to the New Reality

The rise of the “Storm” infostealer and “EvilTokens” serves as a stark reminder that the security landscape is in a constant state of flux. Attackers are no longer just looking for passwords; they are leveraging the trust systems we use to simplify modern workflows to compromise organizations at scale.

For CISOs and security leaders, the message is clear: Session hijacking is the new frontier of account takeover. Relying on legacy authentication factors that can be circumvented by post-login token theft is no longer an acceptable risk. The industry must accelerate its move toward FIDO2-compliant, phishing-resistant architectures and prioritize identity-centric defense models that assume compromise and demand continuous, cryptographic verification. Only by evolving our defensive posture to match the speed and sophistication of these AI-driven campaigns can we hope to maintain the integrity of our organizational identities.


Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.