New Technique that Lets Attackers Obtain Microsoft Entra Refresh Tokens via Beacon

A new technique enables attackers to obtain Microsoft Entra refresh tokens from compromised endpoints using a Cobalt Strike Beacon Object File (BOF), potentially bypassing multi-factor authentication (MFA) protections and maintaining persistent access to cloud resources. Infosecnoodle reports that the BOF leverages the user’s existing browser authentication to Entra: it initiates an authorization code flow for a specified client ID and scope, then captures the returned authorization code and redeems it for access and refresh tokens.

A significant limitation of the original approach is that it requires the specified client ID to allow “ ” as the redirect_uri parameter, which restricts attackers to the handful of Microsoft applications that support this configuration.

To overcome this limitation, the researcher devised an improved technique that uses Microsoft’s native client redirect URI ( ) and extracts the authorization code from the browser window title with the GetWindowTextA API. This enhancement significantly expands the attack surface by enabling the technique to work with popular Microsoft applications including Teams, Copilot, and Edge, which can make a massive difference in terms of OPSEC, as these applications are less likely to trigger security alerts. “If we extracted it from there, it could allow us to use the native client redirect URI instead, giving us access to a much larger range of FOCIs and removing the restriction of only being able to use FOCIs that allow ‘ ’ as the redirect URI,” the researcher wrote. The researcher identified only three Microsoft applications with the necessary Family of Client IDs (FOCI) capabilities that also support the localhost redirect: Microsoft Azure CLI, Microsoft Azure PowerShell, and Visual Studio – Legacy.
While the researcher acknowledges that this is primarily for “edge-case scenarios” and that PRT extraction remains the more reliable method for identity persistence when it is possible, the technique gives attackers an additional option when traditional methods fail. Organizations are advised to implement comprehensive monitoring for suspicious authentication activities, particularly those involving sensitive Microsoft applications and Graph API access.
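One way to act on that monitoring advice, as an added example that is not the article's or the researcher's code: a small Python detector run over constructed sign-in records shaped after Microsoft Entra sign-in log fields. It flags an interactive sign-in to one of the three FOCI apps named above by a user who is not expected to use those tools, and raises confidence when the same user then signs in non-interactively to a different app shortly afterwards, which is what redeeming the family refresh token for another client would look like. The 30-minute window, the sample users and the rule itself are assumptions.

```python
# Added example (not the article's or the researcher's code): flag the sign-in
# trail that browser-session authorization-code abuse of FOCI clients leaves.
# Field names follow Entra sign-in logs (Graph signIn resource); values are constructed.
from datetime import datetime, timedelta

# The three FOCI apps the article names as accepting the localhost redirect.
WATCHED_APPS = {"Microsoft Azure CLI", "Microsoft Azure PowerShell",
                "Visual Studio - Legacy"}
WINDOW = timedelta(minutes=30)  # assumed correlation window

SAMPLE_LOGS = [  # constructed records
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Azure CLI",
     "isInteractive": True, "createdDateTime": "2025-05-12T09:00:00Z"},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Teams",
     "isInteractive": False, "createdDateTime": "2025-05-12T09:04:00Z"},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Microsoft Azure CLI",
     "isInteractive": True, "createdDateTime": "2025-05-12T10:00:00Z"},
]

def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_suspicious(records, expected_cli_users=frozenset()):
    """Return (user, seed_app, follow_on_app_or_None) per suspicious chain.

    Stage 1: interactive sign-in to a watched FOCI app by a user not expected
    to use those tools (the BOF rides the victim's existing browser session).
    Stage 2 (raises confidence): within WINDOW the same user signs in
    non-interactively to a *different* app, consistent with the family refresh
    token being redeemed for another client such as Teams.
    """
    by_user = {}
    for rec in sorted(records, key=_ts):
        by_user.setdefault(rec["userPrincipalName"], []).append(rec)
    alerts = []
    for user, recs in by_user.items():
        if user in expected_cli_users:
            continue
        for i, seed in enumerate(recs):
            if not seed["isInteractive"] or seed["appDisplayName"] not in WATCHED_APPS:
                continue
            follow_on = next((r["appDisplayName"] for r in recs[i + 1:]
                              if not r["isInteractive"]
                              and r["appDisplayName"] != seed["appDisplayName"]
                              and _ts(r) - _ts(seed) <= WINDOW), None)
            alerts.append((user, seed["appDisplayName"], follow_on))
    return alerts
```

Seeding `expected_cli_users` from your known developer and admin accounts keeps the stage-1 rule from paging on legitimate Azure CLI use; a stage-2 hit with a follow-on app is the one to triage first.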

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 12 May 2025 09:10:21 +0000