Microsoft Entra ID Token Replay Attack Campaign Exploits OAuth 2.0 Refresh Token Weaknesses

Token-based authentication is the foundation of modern cloud identity, and its weaknesses are being exploited at scale. This campaign demonstrates that multi-factor authentication, while essential, does not provide complete protection against credential theft when attackers operate at the token layer rather than the password layer. An adversary who captures a valid refresh token can access cloud resources as the compromised user — from any device, any location, without repeating the MFA challenge — until the token is revoked. The attack is particularly dangerous because it produces minimal forensic artifacts: token replay sessions appear as legitimate authenticated access from the user's perspective, making detection dependent on behavioral analytics rather than traditional authentication monitoring.

Attack methodology and token harvesting

The attack chain begins with adversary-in-the-middle (AiTM) phishing. The threat group operates phishing infrastructure built on the EvilGinx framework, which proxies the legitimate Microsoft login page to the victim while intercepting the authentication exchange in real time. When the victim enters their credentials and completes the MFA challenge, the phishing proxy captures the resulting session tokens — including the OAuth 2.0 refresh token — before forwarding the authenticated session to the victim. The victim experiences a normal login; the attacker receives a copy of the tokens.

The captured refresh tokens are then replayed from attacker-controlled infrastructure to request new access tokens from Microsoft Entra ID. Because refresh tokens are bearer tokens — their possession alone is sufficient for authentication — no additional MFA challenge is required. The attacker can generate fresh access tokens repeatedly until the refresh token expires or is revoked, maintaining persistent access for days, weeks, or potentially months depending on the organization's token-lifetime configuration.

The phishing campaigns use highly convincing lures targeting users of Microsoft 365, Teams, and SharePoint. Messages impersonate IT departments, HR, and executive leadership, directing recipients to credential-harvesting pages that are visually indistinguishable from legitimate Microsoft login screens. The phishing pages use valid TLS certificates and domain names that closely resemble the target organization's single-sign-on URLs, defeating visual inspection by even cautious users.

Post-token-capture activities proceed rapidly. Within minutes of obtaining a refresh token, the attackers access the victim's mailbox to identify high-value contacts and active business processes. They then use the compromised account to send internal phishing messages to additional targets within the organization, using the trust associated with the legitimate sender identity. This internal phishing chain dramatically accelerates lateral movement within the target organization.

Scope of compromise and business impact

The campaign has compromised organizations across financial services, technology, healthcare, and professional services, with confirmed incidents reported in at least twelve countries. The threat group's objectives are primarily financial: business email compromise targeting wire transfers, invoice redirection, and procurement fraud. Secondary objectives include access to sensitive documents, intellectual property, and business communications that can be monetized through extortion or sold to interested buyers.

Business email compromise losses attributable to the campaign are estimated in the tens of millions of dollars globally. In several documented cases, the attackers established inbox rules that forwarded copies of specific messages to external addresses, monitored financial communications for days to understand payment processes and vendor relationships, and then impersonated the compromised user to request fraudulent wire transfers timed to coincide with legitimate payment cycles.

The compromised refresh tokens also provide access to Azure resources if the affected user has Azure role assignments. In multiple incidents, the attackers used cloud-resource access to provision cryptocurrency-mining infrastructure using the victim organization's Azure subscription, generating significant unexpected cloud costs before detection. The combination of direct financial fraud and cloud-resource abuse amplifies the financial impact of each successful compromise.

Data-exfiltration activities focus on email archives, SharePoint document libraries, and OneDrive file stores accessible through the compromised identity. The attackers use Microsoft Graph API calls to enumerate and download files matching keywords associated with financial data, contractual agreements, and personally identifiable information. The use of legitimate API endpoints for data access makes exfiltration difficult to distinguish from normal user activity without behavioral analytics.

Detection strategies and forensic indicators

Detecting token-replay attacks requires monitoring for behavioral anomalies that distinguish legitimate token usage from attacker-operated sessions. The primary detection signals involve geolocation inconsistencies — token usage from IP addresses and regions inconsistent with the user's normal access patterns — and device fingerprint mismatches, where a token issued to one device type and operating system is used from a different device configuration.

Microsoft's Entra ID sign-in logs provide several signals useful for detection. The "Token Issuer Type" field distinguishes between tokens issued through interactive authentication and those obtained through refresh-token redemption. Unusual patterns of refresh-token redemption — particularly from new IP addresses or device identifiers — warrant investigation. The "Risk Level" field in Entra ID Identity Protection may flag token-replay sessions as risky based on Microsoft's own anomaly-detection models, but this detection is not guaranteed and should be supplemented with organizational monitoring.

Mail-flow anomalies provide secondary detection signals. The creation of new inbox rules, particularly rules that forward messages to external addresses or move messages to less-visible folders, is a strong indicator of account compromise. Monitoring for inbox-rule changes through the Microsoft 365 audit log should be a standard detection control for all organizations.

Microsoft Graph API activity monitoring detects data-exfiltration patterns. Unusual volumes of file downloads, enumeration of SharePoint sites not previously accessed by the user, or OneDrive download patterns inconsistent with the user's normal activity profile indicate potential compromise. Organizations should baseline normal Graph API usage patterns for each user and alert on significant deviations.

Token lifecycle management and remediation

Effective defense against token-replay attacks requires active management of token lifetimes and revocation capabilities. Microsoft's Continuous Access Evaluation (CAE) feature enables near-real-time token revocation when security events are detected, reducing the window of vulnerability from the default refresh-token lifetime to minutes. Organizations should ensure CAE is enabled for all Entra ID applications that support it.

Token-lifetime policies should balance security with usability. Shorter refresh-token lifetimes reduce the duration of potential compromise but increase the frequency of re-authentication prompts that disrupt user workflows. Microsoft's recommended approach uses conditional-access policies to enforce shorter token lifetimes for sessions exhibiting risk signals — such as access from new locations or unmanaged devices — while allowing longer lifetimes for sessions that meet compliance conditions.

Remediation of confirmed compromises requires immediate token revocation for all affected accounts, followed by a forced re-authentication that invalidates all existing sessions. The Revoke-AzureADUserAllRefreshToken PowerShell command (or its Microsoft Graph equivalent) invalidates all refresh tokens for a specified user, forcing re-authentication across all devices and applications. This action should be complemented by a password reset and MFA re-registration to ensure the attacker cannot re-establish access through previously harvested credentials.

Post-compromise investigation should examine the full scope of the attacker's access: mailbox rules, file-access patterns, Azure role assignments, and delegated application permissions. Attackers commonly establish persistence through consent-grant attacks that assign application permissions to attacker-controlled applications, providing API-level access that survives user-credential remediation. Application consent logs should be reviewed and any unauthorized application grants revoked immediately.

Phishing-resistant authentication as structural mitigation

The fundamental structural mitigation for AiTM phishing is phishing-resistant authentication that prevents token harvesting at the authentication layer. FIDO2 security keys and Windows Hello for Business bind the authentication credential to the legitimate authentication endpoint through cryptographic channel binding. Because the credential is cryptographically linked to the real Microsoft login server, it cannot be replayed through a phishing proxy — the proxy receives a cryptographic response that is invalid for any endpoint other than the one the user intended to authenticate to.

Device-bound token protection extends phishing resistance to the token layer. When configured, Entra ID binds tokens to the device on which they were issued, preventing their use from any other device. An attacker who captures a refresh token through a phishing proxy cannot replay it from their own infrastructure because the token is cryptographically bound to the victim's device. Device-bound tokens require managed devices enrolled in Intune or compliant with device-compliance policies.

Conditional-access policies that require compliant devices, managed applications, and phishing-resistant authentication methods provide defense-in-depth against the entire attack chain. Organizations should implement conditional-access policies that enforce these requirements for access to sensitive resources — email, financial systems, administrative portals — even if universal enforcement across all applications is not immediately feasible.

Recommended immediate actions

Enable Continuous Access Evaluation for all supported applications in Entra ID. Verify that conditional-access policies are configured to enforce device compliance and risk-based session controls for access to sensitive resources.

Deploy phishing-resistant authentication — FIDO2 security keys or Windows Hello for Business — for high-value accounts including executives, finance personnel, IT administrators, and any user with privileged Azure role assignments. Transition remaining users to phishing-resistant methods as rapidly as organizational logistics allow.

Implement detection monitoring for token-replay indicators: geolocation anomalies in sign-in logs, device-fingerprint mismatches, unusual inbox-rule creation, and anomalous Graph API activity patterns. Integrate these detections into the SOC workflow with defined response procedures.

Conduct a review of application consent grants across the Entra ID tenant. Identify and revoke any application permissions that cannot be attributed to legitimate business use. Implement consent-governance policies that require administrator approval for new application consent grants.

Assessment and outlook

The Entra ID token-replay campaign illustrates a structural challenge in token-based authentication: tokens are bearer credentials whose possession alone confers access, and the protections designed to limit their misuse — short lifetimes, device binding, continuous evaluation — are not universally deployed. The campaign will accelerate enterprise adoption of phishing-resistant authentication and device-bound tokens, but the transition will take years, leaving a window of vulnerability that financially motivated attackers will continue to exploit.

For security leaders, the strategic lesson is that MFA is necessary but not sufficient. The authentication-security conversation must expand from "do we have MFA?" to "is our MFA phishing-resistant, are our tokens device-bound, and do we have the behavioral analytics to detect token misuse?" Organizations that ask and answer these questions will be materially better protected against the credential-theft campaigns that are now the dominant initial-access vector for both financially motivated and state-sponsored threat actors.

Related articles

Curated signals from the same pillar or overlapping topics.

Cybersecurity · Credibility 94/100 · March 18, 2025

Cybersecurity Intelligence — FBI IC3

The FBI's IC3 annual report and Europol's IOCTA both dropped in early 2025, and the trends are consistent: business email compromise is still the most costly attack vector, ransomware continues to evolve, and…

Cybersecurity · Credibility 95/100 · February 16, 2026

Critical Fortinet FortiOS Authentication Bypass Enables Mass Exploitation of Enterprise Firewalls

A critical authentication bypass vulnerability in Fortinet FortiOS — tracked as CVE-2025-24472 — is being actively exploited at scale by multiple threat groups to compromise enterprise firewall appliances and establish…

Cybersecurity · Credibility 94/100 · January 31, 2026

Ransomware Groups Adopt AI-Generated Phishing and Living-off-the-Land Evasion at Scale

Multiple ransomware-as-a-service operations have integrated large language models into their attack chains, producing highly convincing phishing campaigns tailored to individual targets and automating post-exploitation…

Cybersecurity · Credibility 95/100 · January 23, 2026

Ivanti Connect Secure Zero-Day Exploitation Campaign Triggers Emergency Directives

Multiple zero-day vulnerabilities in Ivanti Connect Secure VPN appliances are under active exploitation by a state-sponsored threat group, prompting CISA Emergency Directive 26-02 and coordinated advisories from Five…

Cybersecurity · Credibility 95/100 · February 26, 2026

Fortinet FortiOS SSL-VPN Zero-Day CVE-2026-0847 Under Active Exploitation — CISA Orders Federal Agencies to Patch Within 72 Hours

A critical authentication-bypass vulnerability in Fortinet FortiOS SSL-VPN (CVE-2026-0847, CVSS 9.8) is under active exploitation by multiple threat actors targeting government networks, critical infrastructure, and…

Continue in the Cybersecurity pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Cybersecurity Operations Playbook

  Use our research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.

• Network Security Fundamentals Explained Practically

  A practitioner-focused guide to network security fundamentals covering firewalls, segmentation, IDS/IPS, DNS security, VPNs, wireless security, zero trust architecture, and traffic…

• Small Business Cybersecurity Survival Checklist

  A budget-conscious cybersecurity checklist built specifically for small businesses. This guide covers foundational security policies, network hardening, employee training, phishing…

Coverage intelligence

Published

February 8, 2026

Coverage pillar

Cybersecurity

Source credibility

94/100 — high confidence

Topics

Entra ID Security · OAuth Token Replay · Phishing Attacks · Cloud Identity · MFA Bypass · Business Email Compromise

Sources cited

3 sources (learn.microsoft.com, cisa.gov, microsoft.com)

Reading time

8 min

References

1. Microsoft Security: Token Theft Attack Techniques and Mitigations — learn.microsoft.com
2. CISA Joint Advisory: Cloud Identity Compromise Through Token Theft — cisa.gov
3. Adversary-in-the-Middle Phishing: EvilGinx and AiTM Attack Frameworks — microsoft.com