A new development in the realm of cloud security threats has emerged, offering threat actors a novel way to obtain Microsoft Entra (formerly Azure Active Directory) refresh tokens from compromised endpoints, potentially bypassing even robust multi-factor authentication (MFA) mechanisms. This advanced method, leveraging the power of Cobalt Strike Beacon's extensibility and Microsoft's OAuth infrastructure quirks, poses new risks and challenges for defenders across organizations that depend on Microsoft 365, Azure, and related cloud services.

[HEADING=1]How the Attack Works: Expanding Beyond Traditional Token Theft[/HEADING]

Historically, the extraction of tokens—especially Primary Refresh Tokens (PRTs)—from endpoints has been a fundamental pillar of identity persistence for post-exploitation adversaries. While PRT-harvesting techniques typically require domain-joined devices, giving defenders a clear scope for risk modeling and defense, the evolution of Bring Your Own Device (BYOD) policies and hybrid environments left tempting gaps.
The technique, reported on cybersecuritynews.com and validated by multiple independent security researchers, centers on an extension to TrustedSec’s Cobalt Strike Remote Operations toolkit: a Beacon Object File (BOF) called “get_azure_token,” created by Christopher Paschen. Unlike legacy PRT extraction methods, this approach works even when endpoints are not domain-joined, circumventing a significant barrier to cloud identity exploitation.
At its core, the new approach abuses the OAuth 2.0 authorization code flow, which powers much of the modern cloud authentication fabric. By leveraging a compromised user’s existing browser authentication session, the BOF initiates an OAuth flow for a targeted Microsoft application and intercepts the authorization code. This code is then used to request both access and refresh tokens from Microsoft Entra, conferring long-term, often stealthy access to sensitive cloud APIs and resources.

[HEADING=1]Key Findings and Technical Evolution[/HEADING]

A notable limitation of the original “get_azure_token” approach was its dependence on applications whose client IDs permit the use of “http://localhost” as the OAuth redirect URI. Only a subset of Microsoft applications—including Azure CLI, Azure PowerShell, and legacy Visual Studio—support this. This constraint kept the attack’s utility relatively narrow.
However, a significant enhancement was proposed: the use of Microsoft’s “native client” redirect URI, [url="https://login.microsoftonline.com/common/oauth2/nativeclient"]https://login.microsoftonline.com/common/oauth2/nativeclient[/url]. The innovation involves extracting the authorization code not from the redirected HTTP request but from the browser window’s title bar, via the Windows API call GetWindowTextA. This critical change dramatically broadens the attack’s applicability: any Microsoft app using the Family of Client IDs (FOCI) model, such as Teams, Edge, and Copilot, can now be targeted.

This upgrade is not merely technical minutiae; it directly impacts operational security (OPSEC) and detectability. Because authentication requests are camouflaged within the noisy background of legitimate app traffic and originate from the compromised user's device IP, malicious activity becomes nearly indistinguishable from authentic user behavior.

[HEADING=1]Why Multi-Factor Authentication Isn’t Enough[/HEADING]

MFA is regularly promoted as a robust defense, and for good reason: it addresses the most common avenues for credential theft. But techniques like this exploit the trust chain established once a user authenticates. If an attacker can exfiltrate a refresh token or authorization code from a machine where a legitimate session exists, especially where browser SSO is in play, MFA is not re-invoked until the session expires or is revoked.

This reality highlights a key, often misunderstood weakness in cloud identity: while MFA blocks many direct attacks, it does not safeguard against token-based persistence methods that operate post-authentication and post-compromise. Security teams may be lulled into a false sense of safety, underestimating the secondary risk from tokens held on disk or in memory.
[HEADING=1]Proof of Concept and Real-World Applicability[/HEADING]

The process outlined in infosecnoodle’s report, corroborated by TrustedSec’s own documentation, demonstrates the relatively simple proof of concept required:

[LIST]
[*]An attacker equipped with Cobalt Strike and the get_azure_token BOF runs a command specifying the client ID and scope, usually targeting well-permissioned applications.
[*]The BOF triggers an OAuth login through the victim’s browser session.
[*]If the attacker employs the native client redirect URI along with GetWindowTextA, code extraction succeeds even when localhost redirection isn’t permitted.
[*]The attacker submits the stolen code via the OAuth token exchange, obtaining both an access token (for immediate API activity) and a refresh token (for persistence).
[/LIST]

Importantly, every one of these steps occurs on the user’s endpoint, bearing the device’s genuine IP address and often inheriting its legitimate session context. This sidesteps the standard geographic and anomaly-based detection mechanisms used by Microsoft Entra and third-party SIEM tools.

While this isn’t as universal as PRT extraction (which confers identity and SSO access across a broad swath of Microsoft ecosystem services), it proves valuable in “edge” scenarios: BYOD, hybrid-joined laptops, or freshly imaged workstations yet to join a domain. In these diverse environments, the new technique becomes an invaluable weapon for persistent attackers.

[HEADING=1]Expanding the Attack Surface: Teams, Copilot, and Beyond[/HEADING]

By leveraging FOCI client IDs compatible with the native client redirect URI, the technique can be applied to an expanded selection of Microsoft apps. Notably, this category includes:

[LIST]
[*]Microsoft Teams
[*]Microsoft Copilot
[*]Microsoft Edge
[*]Azure CLI and Azure PowerShell (legacy methods)
[/LIST]

The significance of business-critical platforms like Teams and Copilot being on this list cannot be overstated.
These are applications that, owing to their ubiquity and role in productivity, are unlikely to trigger immediate suspicion if OAuth activity spikes. Attackers gain not only stealth but also the potential for long-term surveillance or data exfiltration, especially if combined with additional post-exploitation tools like GraphSpy, which automates interactions with the Microsoft Graph API after access is secured.

[HEADING=1]Critical Analysis: Strengths and Risks[/HEADING]

[HEADING=1]Notable Strengths of the Technique[/HEADING]

[LIST]
[*][B]Bypasses Traditional Limitations:[/B] The leap from “localhost-only” clients to native client URI compatibility greatly multiplies the range of exploitable applications.
[*][B]Stealth by Design:[/B] All token requests emerge from the trusted endpoint, inherit user context, and blend into normal application behavior.
[*][B]Applicable in Edge Scenarios:[/B] The method shines precisely where defenders may relax: on non-domain-joined or BYOD devices.
[*][B]Persistence:[/B] The refresh token enables ongoing access, even if the initial infection vector is cleaned up.
[/LIST]

[HEADING=1]Potential Risks and Weaknesses[/HEADING]

[LIST]
[*][B]Detection Remains Difficult:[/B] Security monitoring tools that depend on source IP, device state, or unusual login patterns are easily circumvented unless token use is cross-correlated with endpoint telemetry.
[*][B]Token Revocation Gaps:[/B] Unless an organization actively monitors for and revokes stolen refresh tokens, attackers may maintain their foothold indefinitely.
[*][B]Conditional Access Policies Might Help:[/B] Advanced conditional access policies, especially those tied to device compliance and state, could mitigate the impact, though this is not universal.
[*][B]Heavy Reliance on User Session State:[/B] The method depends on an active, authenticated session in one of the targeted applications, which limits the attacker somewhat.
[/LIST]

[HEADING=1]Defending Against Modern Token Theft[/HEADING]

Organizations should not view this vector as merely theoretical. Multiple red-team and penetration test reports from late 2024 and early 2025 have validated both the original and the enhanced technique in simulated enterprise environments. Security response must adapt.

[HEADING=1]Recommended Mitigation Steps[/HEADING]

[LIST]
[*][B]Implement Endpoint Detection and Response (EDR) Monitoring:[/B] Effective EDR solutions should look beyond initial compromise, flagging suspicious browser process behavior, especially processes invoking window title extraction or driving OAuth flows through automation.
[*][B]Token Hygiene:[/B] Regularly review and revoke active refresh tokens following incidents, and consider shortening token lifetimes via Entra policy.
[*][B]Strict OAuth Consent:[/B] Limit consent grants for applications, ensuring that only necessary apps can access sensitive scopes via OAuth.
[*][B]Conditional Access Enforcement:[/B] Leverage conditional access tied to device compliance and registration status wherever possible.
[*][B]Enhanced Audit Logging and Analytics:[/B] Enable comprehensive logging around Microsoft Graph, Entra, and high-value application authentication flows. Cross-reference unusual token use with endpoint state.
[*][B]User Education:[/B] Train end users to recognize the symptoms of endpoint compromise and suspicious browser behavior.
[/LIST]

[HEADING=1]Broader Cloud Security Implications[/HEADING]

The continued evolution of token theft techniques, especially as network perimeter security wanes and user endpoints become the new battleground, underlines a central truth in modern security: identity is the attacker's primary target. Token-based persistence methods will only become more sophisticated, taking advantage of the steady march toward device and ecosystem agnosticism embraced by modern SaaS and cloud environments.
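To make the "cross-reference unusual token use with endpoint state" step from the mitigation list above concrete, here is an added example (not from the article, CybersecurityNews or TrustedSec) that correlates constructed Entra sign-in records with constructed EDR process telemetry. The record field names, the app-to-process mapping and the burst threshold are assumptions to tune for your own SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Entra sign-in records (sample values, not real log data; the
# field names only loosely follow the Graph signIn resource and are assumed).
SIGNINS = [
    {"id": "s1", "user": "alice@example.com", "app": "Microsoft Teams",
     "ip": "203.0.113.10", "time": "2025-03-01T09:00:00"},
    {"id": "s2", "user": "alice@example.com", "app": "Azure CLI",
     "ip": "203.0.113.10", "time": "2025-03-01T09:01:30"},
    {"id": "s3", "user": "alice@example.com", "app": "Microsoft Copilot",
     "ip": "203.0.113.10", "time": "2025-03-01T09:02:10"},
    {"id": "s4", "user": "bob@example.com", "app": "Microsoft Teams",
     "ip": "198.51.100.7", "time": "2025-03-01T09:05:00"},
]
# Constructed EDR telemetry: processes observed on the host behind each
# egress IP during the same window.
EDR_PROCESSES = {
    "203.0.113.10": {"msedge.exe", "ms-teams.exe"},
    "198.51.100.7": {"ms-teams.exe", "msedge.exe"},
}
# Assumed mapping from the app named in the sign-in log to processes that
# should be running when that app legitimately redeems an OAuth code.
EXPECTED_PROCESS = {
    "Azure CLI": {"az.exe", "python.exe"},
    "Microsoft Teams": {"ms-teams.exe", "teams.exe"},
    "Microsoft Copilot": {"msedge.exe", "m365copilot.exe"},
}

def find_suspicious(signins, edr, window=timedelta(minutes=10), burst_apps=3):
    """Return {signin_id: [reasons]} for token issuances that merit review."""
    findings = defaultdict(list)
    by_user_ip = defaultdict(list)
    for s in signins:
        # Rule 1: the app named in the sign-in has no supporting process on the
        # endpoint, which is what a code redeemed out of a browser session looks like.
        expected = EXPECTED_PROCESS.get(s["app"])
        if expected is not None and not (expected & edr.get(s["ip"], set())):
            findings[s["id"]].append(f"{s['app']} token issued with no matching process on endpoint")
        by_user_ip[(s["user"], s["ip"])].append(s)
    # Rule 2: a burst of distinct apps obtaining tokens for one user from one IP,
    # the kind of OAuth spike the article says hides in normal application noise.
    for (user, ip), events in by_user_ip.items():
        stamped = sorted(((datetime.fromisoformat(e["time"]), e) for e in events), key=lambda p: p[0])
        for t, e in stamped:
            apps = {x["app"] for tx, x in stamped if t - window <= tx <= t}
            if len(apps) >= burst_apps:
                findings[e["id"]].append(f"{len(apps)} apps obtained tokens for {user} from {ip} within {window}")
    return dict(findings)
```

Both rules are only as good as the endpoint telemetry they join against; a host with no EDR coverage produces no process set and therefore trips rule 1 for every app, which is itself a finding worth surfacing.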
Attackers will increasingly invest in techniques that allow them to “live off the land”, using legitimate, sanctioned applications and flows to blend into benign activity. Equally, defenders must recognize that MFA, while essential, is not a silver bullet. Without comprehensive endpoint security, active monitoring of token use, and a strategy for rapid incident response and token revocation, organizations risk leaving critical doors open.

[HEADING=1]Conclusion[/HEADING]

This new technique for harvesting Microsoft Entra refresh tokens via Cobalt Strike Beacon is a stark reminder of the ingenuity driving today’s threat actors, and of the unrelenting cat-and-mouse game between attackers and defenders in the cloud era. For security teams, the message is clear: continuous vigilance is necessary. This means not only enforcing MFA and conditional access, but also adopting a posture of assumed breach, with mechanisms in place for rapid detection, investigation, and containment of token-based threats.

The boundaries of cloud identity security are shifting, and only those who evolve their defenses accordingly will stay ahead of the curve. As always, maintaining visibility into which tokens are active in your environment, understanding your attack surface across all apps and endpoints, and practicing token hygiene are not optional extras, but critical pillars for safeguarding modern, cloud-driven enterprises.

[hr][/hr]
[B]Source:[/B] CybersecurityNews [url="https://cybersecuritynews.com/microsoft-entra-refresh-tokens-via-beacon/"]New Technique that Let Attackers Obtain Microsoft Entra Refresh Tokens via Beacon[/url]
 
