Information Security Corner

Understanding Login Tokens and What We're Doing to Keep Yours Secure

What Is a Login Token?

When you sign in to a Microsoft application with your UTMB email and password and complete multi-factor authentication (DUO Mobile), your device receives a small piece of digital data called a login token. Think of it like a temporary keycard: once it's issued, it lets you move freely between Microsoft services (Outlook, Teams, SharePoint, etc.) without having to log in each time. When you select options like "Stay signed in" or "Remember this device," you're telling Microsoft to keep that keycard active for a longer period, allowing your apps to silently confirm your identity in the background so you can work without interruption.

Why Stolen Tokens Are Dangerous

While login tokens are convenient, they're also valuable to attackers—precisely because a valid token stands in for your password and MFA approval, so it bypasses the usual sign-in checkpoints. If a threat actor steals a valid login token, they can access your account as if they were you, without ever needing your password or completing an MFA prompt. From there, they could:

  • Read and send emails from your account, potentially targeting coworkers or external contacts with convincing phishing messages
  • Access sensitive files in SharePoint, OneDrive, or Teams channels
  • Exfiltrate data such as patient information, internal documents, or financial records
  • Establish persistence by modifying account settings, creating mail-forwarding rules, or registering new devices—making it harder to detect and remove them

Because the attacker is using a legitimate token, this activity can look like normal, authorized use, making it especially difficult to detect.

How Token Theft Can Happen

Attackers may attempt to steal login tokens through:

  • Malicious browser extensions (see our previous Security Corner post!)
  • Phishing attacks designed to capture login credentials or session data
  • Shared or unmanaged devices, such as personal or public computers where tokens may be stored insecurely
  • Malware installed on a device that harvests stored tokens

What's Changing and How It Affects You

Starting at the end of May, we are shortening how long login tokens remain active. A shorter token lifetime means that even if a token is stolen, the window in which an attacker can use it before it expires is significantly reduced. What this means for you in practice: you may be prompted to enter your username and password, or to complete MFA (DUO Mobile) requests, more frequently when accessing Microsoft services. We know that adds a small amount of friction to your day, but it meaningfully strengthens the security of your account and our organization. If something doesn't look right, don't hesitate—report it to cirt@utmb.edu.