6 Simple Steps to Enhance Your Email Security

MFA is a strong front-door lock. But it’s not the only thing that decides whether someone can get in. After you sign in, your browser keeps you logged in using a session token (often stored as a cookie). It’s the digital version of a wristband at an event: once you’ve been checked, the wristband proves you belong there. If an attacker steals that wristband, they may not need to beat your MFA prompt at all. That’s the core of session cookie hijacking. The attacker isn’t “cracking” MFA. They’re skipping it by replaying your already authenticated session. This isn’t a reason to stop using MFA. It’s a reason to stop treating MFA as the finish line. When sessions can be stolen, the practical defence shifts to layered controls: phishing-resistant sign-ins, device hygiene, tighter session policies, and detection that catches suspicious access early. Why MFA Isn’t a “Game Over” Control MFA is still one of the best upgrades most businesses can make, but it doesn’t end an attack on its own. The reason is that attackers don’t always try to beat the login step. They try to go around it. Cloudflare notes that “attackers are finding new ways to circumvent MFA” and that modern incidents are rarely one isolated technique. They’re “part of a chain of attacks.” In other words, MFA can block a lot of credential theft, but it doesn’t automatically protect what happens after a user successfully signs in. That’s where session cookie hijacking comes in. Microsoft has described adversary-in-the-middle phishing campaigns where attackers use a reverse-proxy site to “steal and intercept” a user’s password and the session cookie that proves they have an authenticated session. This is “not a vulnerability in MFA.” The attacker isn’t breaking the MFA. They’re reusing the session. What a Session Cookie Is and Why Attackers Want It When you sign into a web app, the site needs a way to remember that you’ve already proved who you are. That’s what a session is: a temporary “logged-in” state that saves you from entering your password and MFA code on every click. Kaspersky explains that session hijacking is “sometimes called cookie hijacking” because cookies are commonly used to store the session identifier that keeps you authenticated. Attackers want that session identifier because it’s the shortcut. Proofpoint describes session tokens as digital “keys” that let a user stay authenticated. It warns that stealing valid tokens lets attackers impersonate legitimate users and potentially bypass authentication measures “like MFA.” That’s why session cookie hijacking is so highly leveraged. If an attacker can steal the cookie or token that represents your active session, they’re not trying to defeat the login process. They’re attempting to reuse what you already completed, and access the same apps and data as if they were sitting at your keyboard. How Session Cookie Hijacking Actually Happens A lot of teams picture “account takeover” as someone guessing a password or tricking a user into approving an MFA prompt. Session cookie hijacking is different. The attacker’s goal is to steal the proof that you’re already logged in, then reuse it, often without triggering another sign-in challenge. 1.) AiTM phishing Adversary-in-the-middle (AiTM) phishing is the “proxy login” trap. You think you’re signing into a normal service, but you’re actually signing into a lookalike page that sits between you and the real site. The attacker relays the login in real time, so everything appears to work, including MFA. Attackers use AiTM phishing sites to “steal and intercept” a user’s password and the session cookie that proves the authenticated session. This is “not a vulnerability in MFA.” The attacker isn’t breaking the MFA. They’re capturing the session after MFA is completed and reusing it. One such campaign “ attempted to target more than 10,000 organisations ” since September 2021, which shows how scalable this approach has become. 2.) Browser-in-the-Middle session stealing Browser-in-the-middle (BitM) is similar in spirit, but it’s even more “hands-on” from the attacker’s side. Instead of stealing a password and running away, the attacker effectively places themselves in control of the browsing session. Google’s threat intelligence says, “Stealing this session token is the equivalent of stealing the authenticated session.” Once the token is stolen, “an adversary would no longer need to perform the MFA challenge.” In other words, the attacker isn’t trying to authenticate instead of you. They’re trying to ride along after you’ve authenticated. 3.) Cookie theft from the endpoint Not every session hijack starts with a fancy proxy. Sometimes the attacker simply steals session data from the device itself. Stealing valid session tokens allows attackers to impersonate legitimate users. Tokens act like digital “keys.” If an endpoint is compromised, those “keys” can be extracted and reused. Invicti explains that an attacker steals HTTP cookies and can gain access. The goal is often to obtain sensitive information stored in cookies. MFA Is a Baseline, Not a Finish Line MFA is still essential. It blocks a huge amount of credential theft and makes basic account takeover harder. But session cookie hijacking is a reminder that attackers don’t always try to defeat the login step. Sometimes they reuse what happens after it. The practical response is layered and realistic. Make phishing harder to pull off, and treat device health as part of identity. Tighten session behaviour for high-risk apps. Watch for suspicious access patterns that suggest a session is being replayed. When those controls work together, MFA stops being a comforting checkbox and becomes what it should be: a strong baseline that’s backed by protections around the session itself.  Contact us today for help protecting your login sessions from hijacking.

In the traditional office, a “Clean Desk” policy was a simple habit: shred the sensitive stuff, lock it away, and don’t leave passwords where someone can see them. In 2026, the same idea still matters but the “desk” has changed. For many teams, the home office is now the default workspace, and that means physical access can quickly become digital access. An unlocked screen, a shared device, or a laptop left in the wrong place can expose the same systems your business runs on every day. Clean Desk 2.0 isn’t about aesthetics. It’s about securing the physical-to-digital bridge. If a houseguest, a delivery person, or a thief can sit down at your workstation, they don’t need to be a master hacker to cause real damage. They just need a few unattended minutes and an open session. Why an Unlocked Screen is a Data Breach Most small business owners treat multi-factor authentication (MFA) as the ultimate front-door lock. And it’s a great lock. The problem is that once you’re already inside, the “front door” isn’t the control that matters. When you sign into a web app, your browser creates a session token (often stored as a cookie) so you stay logged in without being challenged on every click. Kaspersky notes that session hijacking is “sometimes called cookie hijacking” because cookies commonly store the session identifier. Proofpoint says session tokens act like digital “keys.” If they’re stolen, attackers can impersonate legitimate users and bypass authentication measures “like MFA”. That’s why physical access changes the game. If someone can sit down at your workstation while you’re making a coffee, they don’t need to “crack” anything. They can reuse your already authenticated session and access the same cloud apps, CRM data, and financial tools you were just using, no MFA prompt required. This is exactly why Clean Desk 2.0 needs an auto-lock culture. Set short screen-lock timers. Lock manually every time you step away. Treat an unlocked session the same way you’d treat a set of master keys left in the door. Hardware "Legacy Debt" on Your Desk Most people keep old tech for the same reason: it still works. But “still works” isn’t the same as “still safe”. The same legacy debt that shows up in server rooms also shows up in home offices and often in the exact places that matter most, like routers, VPN gateways, and the “backup” laptop that hasn’t been updated in months. The core problem is end-of-support. When a device reaches end-of-support (EOS), security fixes stop arriving. The UK’s guidance on obsolete products notes, “Ideally, once out of date, technology should not be used,” and “the only fully effective way to mitigate this risk is to stop using the obsolete product.” In other words, you can’t patch your way out of something that no longer gets patches. This matters even more for edge devices. These are anything internet-facing that sits between your home network and the rest of the world. A Clean Desk 2.0 habit is to audit your home-office “edge” the same way you’d audit a server room: Identify what’s internet-facing Confirm it’s supported and patchable Retire anything that isn’t. Your Digital Employee Needs a Locked Door As AI features get embedded into everyday tools, workstations aren’t just “where you work” anymore. They’re where automated actions happen. An AI agent might update your CRM, draft client comms, schedule appointments, or move a workflow forward with minimal input once it’s been kicked off. That creates a new physical risk because unattended sessions + automation don’t mix. If an agent is running a process while you’re away from your desk, an unlocked screen turns into an open control panel. Someone doesn’t need to be technical to cause damage. They just need to click, approve, change a destination account, or interfere with an in-flight task. The fix isn’t banning automation. It’s treating AI-driven workflows like you’d treat any powerful business system: clear boundaries and clear approvals. Decide upfront: What decisions can the AI agent make without a human present? What actions require an explicit approval step? What are its spending limits and escalation rules if money is involved? Which systems and data are the agents allowed to access, and which are off-limits? Physical Efficiency and Cloud Waste A Clean Desk 2.0 mindset isn’t only about security. It’s about operational discipline: knowing what you’re using, why you’re using it, and what should be switched off when it’s not needed. Cloud waste is the digital version of leaving the lights on in an empty building. It shows up as underused servers, test environments that never power down, and storage that keeps growing because nobody owns the cleanup. None of it looks dramatic day to day. It just quietly inflates your monthly bill. The simple habit that fixes it is the same one that keeps a physical workspace under control: visibility and ownership. Assign each environment and major resource to an owner, review what’s actually being used, and schedule non-production workloads to shut down outside business hours. These “tidying” routines don’t just cut spending. They reduce clutter, limit exposure, and make your environment easier to manage when something goes wrong. Building a 2.0 Foundation Securing your home office from physical data leaks isn’t about paranoia. It’s about professionalism. In 2026, the home workspace isn’t a side setup. It’s part of your business perimeter. Clean Desk 2.0 is really a set of modern defaults, like locked screens and supported devices. When those basics are consistent, small home-office lapses stop turning into bigger business problems.  Want help turning this into a simple, enforceable baseline for your team? Contact us for a technology consultation.