A newly discovered method enables attackers to obtain Microsoft Entra refresh tokens from compromised endpoints using Cobalt Strike Beacon, potentially bypassing multi-factor authentication (MFA) and maintaining persistent access to cloud resources.
The technique, revealed on May 9, 2025, targets scenarios where traditional Primary Refresh Token (PRT) extraction isn’t feasible, especially on non-domain-joined or Bring Your Own Device (BYOD) setups.
Expanding the Attack Surface for Azure Token Theft
The attack leverages a new Beacon Object File (BOF) added to TrustedSec’s Remote Operations repository, named “get_azure_token.” Developed by Christopher Paschen, this tool exploits existing browser authentication to Entra by initiating an authorization code flow. It captures the authorization code to request access and refresh tokens.
However, the original approach had limitations. It required the specified client ID to permit “http://localhost” as the redirect URI, restricting attackers to using only a few Microsoft applications that support this configuration.
Paschen identified three Microsoft applications with the necessary Family of Client IDs (FOCI) capabilities that allow this: Microsoft Azure CLI, Microsoft Azure PowerShell, and Visual Studio – Legacy.
Overcoming the Limitation
To bypass this restriction, Paschen created an improved technique using Microsoft’s native client redirect URI. This method allows the attacker to extract the authorization code from the browser window title using the GetWindowTextA API.
This enhancement significantly broadens the attack’s reach, making it possible to target popular Microsoft applications like Teams, Copilot, and Edge. These applications are less likely to trigger security alerts, improving operational security for attackers.
Proof of Concept: The BOF in Action
The technique is straightforward to execute with a simple command. It is particularly concerning because all authentication and token requests appear to originate from the compromised endpoint’s IP address, making detection difficult.
When combined with post-exploitation tools like GraphSpy, attackers can maintain access to cloud resources, even if initial access is lost.
Potential Impact and Security Recommendations
While Paschen notes that PRT extraction remains a more reliable method for persistent identity access when feasible, this new technique provides attackers with an alternative when traditional methods fail.
Organizations are urged to implement thorough monitoring for suspicious authentication activities, particularly those involving sensitive Microsoft applications and Graph API access. This approach will help identify potential threats and mitigate the risk of unauthorized access to cloud resources.
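One way to act on that recommendation, as an added example that is not from the article or from TrustedSec's tooling: a Python hunting heuristic over Entra sign-in events that flags an interactive sign-in to one of the public-client apps the article names, followed shortly by a non-interactive token for a different app in that family from the same user and IP, which is what a refresh token reused across the FOCI family looks like in the logs. Field names follow the Microsoft Graph signIn resource; the app display names, the 30-minute window and the sample records are assumptions and constructed data.

```python
"""Hunting heuristic over Entra sign-in events: flag an interactive sign-in
to one of the public-client apps named in the article, followed within a short
window by a non-interactive sign-in for a DIFFERENT such app from the same user
and IP (refresh token reused across the FOCI family). Sample data is constructed."""
from datetime import datetime, timedelta

# Display names assumed for the apps the article names (not taken from the page).
FOCI_APPS = {
    "Microsoft Azure CLI", "Microsoft Azure PowerShell", "Visual Studio",
    "Microsoft Teams", "Microsoft Edge", "Microsoft Copilot",
}

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_foci_pivots(events, window_minutes: int = 30):
    """Return (user, ip, first_app, second_app) tuples worth an analyst's review."""
    window = timedelta(minutes=window_minutes)
    events = sorted(events, key=lambda e: parse_ts(e["createdDateTime"]))
    hits = []
    for i, first in enumerate(events):
        if not first["isInteractive"] or first["appDisplayName"] not in FOCI_APPS:
            continue
        t0 = parse_ts(first["createdDateTime"])
        for later in events[i + 1:]:
            if parse_ts(later["createdDateTime"]) - t0 > window:
                break  # events are sorted, nothing later can be inside the window
            if (later["userPrincipalName"] == first["userPrincipalName"]
                    and later["ipAddress"] == first["ipAddress"]
                    and not later["isInteractive"]
                    and later["appDisplayName"] in FOCI_APPS
                    and later["appDisplayName"] != first["appDisplayName"]):
                hits.append((first["userPrincipalName"], first["ipAddress"],
                             first["appDisplayName"], later["appDisplayName"]))
    return hits

# Constructed sample: Alice's Azure CLI browser sign-in is followed four minutes
# later by a silent Teams token from the same IP; Bob's Edge sign-in is benign.
SAMPLE_EVENTS = [
    {"createdDateTime": "2025-05-09T10:00:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.10", "isInteractive": True},
    {"createdDateTime": "2025-05-09T10:04:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10", "isInteractive": False},
    {"createdDateTime": "2025-05-09T10:05:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Edge", "ipAddress": "198.51.100.7", "isInteractive": True},
]
```

Legitimate Microsoft clients also exchange tokens within the FOCI family, so treat a hit as a hunting lead to correlate with endpoint telemetry and Graph API activity rather than as a standalone alert.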