New Technique Enables Attackers to Obtain Microsoft Entra Refresh Tokens via Cobalt Strike Beacon

A recently disclosed method allows attackers to extract Microsoft Entra refresh tokens from compromised endpoints using Cobalt Strike Beacon. This technique poses a significant threat by potentially bypassing multi-factor authentication (MFA) and enabling persistent access to cloud resources.

Understanding the Threat

Traditionally, attackers have targeted Primary Refresh Tokens (PRTs) to maintain access to compromised accounts. PRTs are long-lived tokens that facilitate single sign-on (SSO) across various applications. However, extracting PRTs is often challenging, especially on non-domain-joined or bring-your-own-device (BYOD) systems. The newly identified method circumvents these challenges by leveraging the Cobalt Strike Beacon to obtain refresh tokens directly.

Mechanism of the Attack

The attack utilizes a Beacon Object File (BOF) named get_azure_token, developed by Christopher Paschen and available in TrustedSec’s Remote Operations repository. This BOF initiates an authorization code flow for a specified client ID and scope, capturing the authorization code to request access and refresh tokens.

Initially, this approach was limited to Microsoft applications that support http://localhost as the redirect URI, such as Microsoft Azure CLI, Azure PowerShell, and Visual Studio – Legacy. To overcome this limitation, researchers devised an improved technique using Microsoft’s native client redirect URI (https://login.microsoftonline.com/common/oauth2/nativeclient). By extracting the authorization code from the browser window title using the GetWindowTextA API, attackers can now target a broader range of applications, including Microsoft Teams, Copilot, and Edge.

Implications for Security

This advancement significantly expands the attack surface, as these commonly used applications are less likely to trigger security alerts. Moreover, since all authentication and token requests originate from the compromised endpoint’s IP address, detecting such malicious activities becomes more challenging. When combined with post-exploitation tools like GraphSpy, attackers can maintain persistent access to cloud resources even after initial access is lost.

Mitigation Strategies

Organizations are advised to implement comprehensive monitoring for suspicious authentication activities, particularly those involving sensitive Microsoft applications and Graph API access. Enhancing endpoint detection and response (EDR) capabilities, enforcing strict Conditional Access policies, and educating users about phishing tactics are crucial steps in mitigating the risks associated with this technique.
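As an added detection example (not code from the article, TrustedSec, or the BOF's authors), the following Python check runs over constructed Entra-style sign-in records and flags the pattern described in the Mechanism and Mitigation sections above: a user's first authorization-code sign-in to one of the named applications, and a burst of such token grants across several of them, without relying on source IP (which the article notes is the victim's own endpoint). The record layout, the application display names and the authenticationProtocol value "authorizationCode" are assumptions of this example.

```python
import json
from collections import defaultdict

# Apps the article names as reachable through the technique; display names as
# they would appear in appDisplayName are an assumption of this example.
SENSITIVE_APPS = {"Microsoft Azure CLI", "Azure PowerShell", "Visual Studio - Legacy",
                  "Microsoft Teams", "Microsoft Edge", "Microsoft Copilot"}

# Constructed sample sign-in events (not real telemetry), one JSON object per line.
# "protocol" stands in for the sign-in log's authenticationProtocol field.
SAMPLE_LOG = """
{"ts": 100, "user": "alice", "app": "Microsoft Teams", "protocol": "authorizationCode", "ip": "10.0.0.5"}
{"ts": 200, "user": "alice", "app": "Outlook", "protocol": "none", "ip": "10.0.0.5"}
{"ts": 900, "user": "alice", "app": "Microsoft Azure CLI", "protocol": "authorizationCode", "ip": "10.0.0.5"}
{"ts": 930, "user": "alice", "app": "Azure PowerShell", "protocol": "authorizationCode", "ip": "10.0.0.5"}
{"ts": 950, "user": "bob", "app": "Microsoft Azure CLI", "protocol": "authorizationCode", "ip": "10.0.0.9"}
""".strip()

def parse(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def find_suspicious(events, baseline_until, burst_window=300, burst_count=2):
    """Return (user, app, ts, reason) alerts. Both signals ignore the source IP,
    since the article notes every request comes from the victim's own endpoint:
      1. a user's first authorization-code sign-in to a sensitive app after the
         baseline period (the BOF drives a browser flow the user never ran);
      2. distinct sensitive apps all obtaining tokens within burst_window."""
    seen = defaultdict(set)      # user -> apps observed during the baseline
    recent = defaultdict(list)   # user -> [(ts, app)] recent sensitive auth-code sign-ins
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        user, app, ts = e["user"], e["app"], e["ts"]
        if ts <= baseline_until:
            seen[user].add(app)
            continue
        if e["protocol"] != "authorizationCode" or app not in SENSITIVE_APPS:
            continue
        if app not in seen[user]:
            alerts.append((user, app, ts, "first auth-code sign-in to sensitive app"))
            seen[user].add(app)
        recent[user] = [(t, a) for t, a in recent[user] if ts - t <= burst_window]
        recent[user].append((ts, app))
        if len({a for _, a in recent[user]}) >= burst_count:
            alerts.append((user, app, ts, "burst of sensitive-app token grants"))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(parse(SAMPLE_LOG), baseline_until=500):
        print(alert)
```

In production the baseline would come from the tenant's historical sign-in logs rather than a timestamp cutoff, and the alerts would be joined with device compliance state from Conditional Access reporting.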