New Technique that Lets Attackers Obtain Microsoft Entra Refresh Tokens via Beacon


May 12, 2025 - 10:21

A new technique enables attackers to obtain Microsoft Entra refresh tokens from compromised endpoints using Cobalt Strike Beacon, potentially bypassing multi-factor authentication (MFA) protections and maintaining persistent access to cloud resources.

The technique, published on May 9, addresses scenarios where traditional Primary Refresh Token (PRT) extraction isn’t possible, particularly on non-domain-joined or BYOD devices.

Novel Technique Expands Attack Surface for Azure Token Theft

The technique utilizes a Beacon Object File (BOF) called “get_azure_token,” developed by Christopher Paschen and recently added to TrustedSec’s Remote Operations repository.

Infosecnoodle reports that this BOF leverages the user’s existing browser authentication to Entra by initiating an authorization code flow for a specified client ID and scope, then capturing the authorization code to request access and refresh tokens.

A significant limitation of the original approach is that it requires the specified client ID to allow “http://localhost” as the redirect_uri parameter, which restricts attackers to using only a handful of Microsoft applications that support this configuration.

The researcher identified only three Microsoft applications with the necessary Family of Client IDs (FOCI) capabilities that also support the localhost redirect: Microsoft Azure CLI, Microsoft Azure PowerShell, and Visual Studio – Legacy.

To overcome this limitation, the researcher devised an improved technique utilizing Microsoft’s native client redirect URI (https://login.microsoftonline.com/common/oauth2/nativeclient) and extracting the authorization code from the browser window title using the GetWindowTextA API.

“If we extracted it from there, it could allow us to use the native client redirect URI instead, giving us access to a much larger range of FOCIs and removing the restriction of only being able to use FOCIs that allow ‘http://localhost’ as the redirect URI,” the researcher wrote.

This enhancement significantly expands the attack surface by enabling the technique to work with popular Microsoft applications including Teams, Copilot, and Edge. That makes a massive difference in terms of OPSEC, as token requests from these applications are less likely to trigger security alerts.

Proof of Concept: The BOF in Action

The technique can be implemented using a simple command:

This technique is particularly concerning because all authentication requests and token requests originate from the compromised endpoint’s IP address, so IP- and location-based detections see nothing that distinguishes them from the legitimate user’s own activity.

When combined with post-exploitation tools like GraphSpy, attackers can maintain persistent access to cloud resources even after initial access is lost.

While the researcher acknowledges this is primarily for “edge-case scenarios” and that PRT extraction remains a more reliable method for identity persistence when possible, the technique provides attackers with an additional option when traditional methods fail.

Organizations are advised to implement comprehensive monitoring for suspicious authentication activities, particularly those involving sensitive Microsoft applications and Graph API access.
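One concrete shape such monitoring can take, as an added example that is not part of the article or of TrustedSec’s BOF: flag a user’s first use of one of the localhost-redirect public clients named above when it follows, within minutes and from the same IP, a browser sign-in, which is the pattern the BOF produces when it rides the existing browser session. The sign-in records and their field names are constructed for illustration and only loosely modelled on an Entra sign-in export.

```python
from datetime import datetime, timedelta

# Public clients the article names as accepting "http://localhost" as redirect_uri.
LOCALHOST_REDIRECT_CLIENTS = {
    "Microsoft Azure CLI",
    "Microsoft Azure PowerShell",
    "Visual Studio - Legacy",
}

# Constructed sample sign-in records (not real telemetry); field names are assumptions.
SIGNINS = [
    {"user": "alice", "app": "Microsoft Teams", "ip": "203.0.113.10", "client": "Browser", "time": "2025-05-01T09:00:00"},
    {"user": "alice", "app": "Microsoft Azure CLI", "ip": "203.0.113.10", "client": "Desktop", "time": "2025-05-02T09:05:00"},
    {"user": "alice", "app": "Microsoft Azure CLI", "ip": "203.0.113.10", "client": "Desktop", "time": "2025-05-09T11:00:00"},
    {"user": "bob", "app": "Office 365 SharePoint Online", "ip": "198.51.100.7", "client": "Browser", "time": "2025-05-09T10:58:00"},
    {"user": "bob", "app": "Microsoft Azure PowerShell", "ip": "198.51.100.7", "client": "Desktop", "time": "2025-05-09T11:01:30"},
    {"user": "carol", "app": "Microsoft Azure PowerShell", "ip": "192.0.2.44", "client": "Desktop", "time": "2025-05-09T12:00:00"},
]


def flag_suspicious(records, baseline_days=30, window_minutes=5):
    """Return (user, app, time) for sign-ins to a localhost-redirect public client that
    (a) the user has not used in the preceding baseline_days and
    (b) follow a browser sign-in from the same IP within window_minutes.
    Condition (b) is what a token request piggybacking on an existing browser session looks like."""
    recs = sorted(records, key=lambda r: datetime.fromisoformat(r["time"]))
    flagged = []
    for i, r in enumerate(recs):
        if r["app"] not in LOCALHOST_REDIRECT_CLIENTS:
            continue
        t = datetime.fromisoformat(r["time"])
        earlier = [p for p in recs[:i] if p["user"] == r["user"]]
        # (a) user already uses this client: an ordinary developer, not a new anomaly
        if any(p["app"] == r["app"] and t - datetime.fromisoformat(p["time"]) <= timedelta(days=baseline_days)
               for p in earlier):
            continue
        # (b) a browser sign-in from the same endpoint IP shortly before the token request
        if any(p["client"] == "Browser" and p["ip"] == r["ip"]
               and t - datetime.fromisoformat(p["time"]) <= timedelta(minutes=window_minutes)
               for p in earlier):
            flagged.append((r["user"], r["app"], r["time"]))
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious(SIGNINS):
        print("review:", hit)
```

Alice’s Azure CLI use is not flagged because it does not closely follow a browser sign-in and is later repeated within her baseline; only Bob’s first Azure PowerShell sign-in, 3.5 minutes after a browser sign-in from the same IP, is raised. The improved native-client variant that rides Teams, Copilot or Edge is not covered by this client list, so the set should be extended to whatever FOCI apps a given tenant treats as sensitive.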


The post New Technique that Lets Attackers Obtain Microsoft Entra Refresh Tokens via Beacon appeared first on Cyber Security News.