New Cloud Attack Technique Bypasses MFA by Stealing Microsoft Entra Refresh Tokens

A new cloud attack technique abuses the device code authentication flow of Microsoft Entra ID (formerly Azure Active Directory) to obtain refresh tokens and, with them, bypass multi-factor authentication (MFA). The technique shows how attackers are adapting to circumvent some of the most important layers of modern cloud security, and it is a serious concern for any organization that relies heavily on Microsoft’s cloud identity platform.

Background: What is Microsoft Entra and Device Code Authentication?

Microsoft Entra is Microsoft’s family of identity and access management products; Microsoft Entra ID is the current name of Azure Active Directory (Azure AD). It provides authentication and authorization for Microsoft 365, Azure, and other cloud resources, and it enforces security policies such as MFA and Conditional Access.

Device code authentication is an OAuth 2.0 flow (RFC 8628) designed for devices with limited input capabilities, such as smart TVs, IoT devices, or printers, that cannot easily present a full login form. Instead of typing a username and password on the device, the user opens a browser on another device, visits the identity provider’s login page, and enters a short device code. Meanwhile the original device polls the token endpoint and, once the user has signed in and approved the code, receives the access and refresh tokens. The tokens are therefore issued to whichever client started the flow, not to the browser in which the user authenticated.

How the New Attack Works: Exploiting Device Code Authentication to Steal Refresh Tokens

A Russian state-sponsored advanced persistent threat (APT) group, named Storm-2372, has been actively exploiting this OAuth device code authentication flow since at least August 2024.

The attack unfolds through a carefully engineered phishing and social engineering campaign that impersonates trusted individuals and organizations:

  1. Phishing through Trusted Channels: Attackers send convincing invitations (e.g., Microsoft Teams meeting invites) via email or messaging apps like WhatsApp, Signal, or Microsoft Teams, embedding malicious device codes. These codes are presented as legitimate meeting or device authentication IDs.
  2. Victim Interaction: The target is prompted to enter the provided device code at Microsoft’s legitimate login portal — a seemingly normal action.
  3. Token Harvesting: Once the victim enters the code and completes the sign-in (including any MFA prompt), the attacker, whose client started the flow, receives the access and refresh tokens for the victim’s session. With these tokens the attacker can authenticate to Microsoft Entra directly, without the victim’s password and without triggering further MFA prompts.
  4. Bypassing MFA: Because the tokens are linked to valid authentication sessions, MFA is effectively circumvented, giving attackers persistent and stealthy access.
  5. Lateral Movement and Data Exfiltration: Using these tokens and Microsoft Graph APIs, attackers move laterally within networks to access emails, documents, and sensitive corporate data, performing targeted keyword searches (e.g., “admin,” “password,” “secret”) to locate valuable information.
  6. Persistence via Device Registration: Recent developments show attackers abusing the Microsoft Authentication Broker client ID to register rogue devices to the victim’s environment, securing Primary Refresh Tokens (PRTs) that facilitate long-term undetected access.

Technical Insights: Why is This Attack So Effective?

  • Legitimate Authentication Flow Abuse: The device code flow is a standard OAuth protocol intended to balance usability and security, and the victim signs in at Microsoft’s genuine login page. The usual phishing red flags, such as entering credentials on a look-alike website, never appear.
  • Token Persistence: Refresh tokens grant persistent access and are harder to detect or revoke than passwords. Until they expire or are explicitly revoked, the attacker can impersonate the user without any further interaction with the victim.
  • Use of Trusted APIs: The use of Microsoft Graph API to search and exfiltrate data makes the malicious activity blend with normal operations, evading many security alerts.
  • Geographic Proxying: Attackers use proxies that mimic the victim’s normal geographic login locations to avoid triggering anomaly detection.
  • Social Engineering Sophistication: The phishing lures mimic corporate communications closely, increasing the likelihood of user trust and interaction.

Global Impact: Who is at Risk?

Storm-2372’s campaign has been observed targeting organizations across various sectors worldwide, including:

  • Governments and defense contractors
  • NGOs
  • Telecommunications firms
  • Higher education institutions
  • IT service providers
  • Critical infrastructure entities

The broad and strategic targeting underlines the severity of this threat, potentially enabling espionage, intellectual property theft, and disruption of critical services globally.

Defense Strategies: Mitigating the Risk of Device Code Phishing Attacks

Mitigating this evolving threat demands a multi-layered approach encompassing technology, policy, and user awareness:

1. Restrict or Disable Device Code Authentication

Where possible, block the device code authentication flow in Microsoft Entra ID with a Conditional Access policy to remove this attack vector entirely. If the flow is genuinely needed for specific devices or users, scope the policy so that it is allowed only for them and blocked for everyone else.

2. Implement Adaptive Conditional Access

  • Enforce policies that evaluate risk signals such as device compliance, user location, and behavior.
  • Block or challenge suspicious device code authentication attempts.
  • Regularly audit and restrict OAuth app permissions.
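The following Python example, added for this article and not taken from Microsoft or from the article’s author, builds the request body for a Conditional Access policy that blocks the device code flow tenant-wide (steps 1 and 2 above) using the Microsoft Graph conditionalAccessPolicy schema, and audits a policy for the common weaknesses that leave the attack possible. The break-glass account ID is a constructed placeholder; `authenticationFlows.transferMethods` is the Graph condition that targets device code sign-ins.

```python
"""Build and audit a Microsoft Entra Conditional Access policy that blocks the
OAuth device code flow, using the Microsoft Graph conditionalAccessPolicy schema.

Added example for this article. The break-glass object ID is a constructed
placeholder; the field names follow the public Graph schema.
"""
import json

# Constructed placeholder: object ID of an emergency-access (break-glass) account
# that must never be locked out by a tenant-wide block policy.
BREAK_GLASS_ACCOUNTS = ["00000000-0000-0000-0000-000000000001"]

GRAPH_POLICY_ENDPOINT = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_block_device_code_policy(excluded_users=BREAK_GLASS_ACCOUNTS):
    """Return the request body for a policy that blocks every device code
    sign-in, for all users and all cloud apps, except the excluded accounts."""
    return {
        "displayName": "Block device code authentication flow",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(excluded_users)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # The authenticationFlows condition matches sign-ins by how the
            # session was obtained; transferMethods is a comma-separated flags
            # string, e.g. "deviceCodeFlow,authenticationTransfer".
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def audit_device_code_policy(policy):
    """Return the reasons a policy would fail to stop device code phishing.
    An empty list means the policy is an effective block."""
    findings = []
    cond = policy.get("conditions", {})
    if policy.get("state") != "enabled":
        findings.append("not enforced: state is not 'enabled'")
    methods = cond.get("authenticationFlows", {}).get("transferMethods", "")
    if "deviceCodeFlow" not in [m.strip() for m in methods.split(",")]:
        findings.append("does not target the device code flow")
    if cond.get("users", {}).get("includeUsers") != ["All"]:
        findings.append("does not cover all users")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("does not cover all cloud apps")
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if "block" not in controls:
        # 'mfa' is the common mistake: the victim satisfies MFA legitimately
        # while approving the phished code, so the grant is met and the tokens
        # are still issued to the client that started the flow.
        findings.append("grant control is not 'block'; an MFA requirement is "
                        "satisfied by the victim during the phished sign-in")
    return findings


# A weak policy of the kind often found in tenants: report-only and 'require MFA'.
WEAK_POLICY = {
    "displayName": "Device code flow - require MFA (report only)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def policy_request(policy):
    """Return (method, url, body) for creating the policy via Graph; sending it
    requires a token with the Policy.ReadWrite.ConditionalAccess permission."""
    return ("POST", GRAPH_POLICY_ENDPOINT, json.dumps(policy, indent=2))


if __name__ == "__main__":
    print("weak policy findings:", audit_device_code_policy(WEAK_POLICY))
    print("hardened policy findings:", audit_device_code_policy(build_block_device_code_policy()))
    print(policy_request(build_block_device_code_policy())[2])
```

Create the policy in report-only mode first and review the matched sign-ins, then switch `state` to `enabled`; if a legitimate group must keep the flow, add a second, narrower policy for that group rather than weakening the tenant-wide block.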

3. Upgrade MFA to Phishing-Resistant Methods

  • Move from SMS or app-based one-time passcode (OTP) methods to phishing-resistant methods such as hardware security keys that support the FIDO2 standard.
  • Use biometric and behavioral authentication factors for added security.

4. Monitor Sign-In and Token Usage Logs

  • Continuously analyze Microsoft Entra ID sign-in logs for sign-ins that used the device code flow and for sign-ins from suspicious IP addresses or unusual locations.
  • Set up alerts for unusual access token or refresh token usage patterns.

5. Swift Incident Response

  • Revoke all active sessions and refresh tokens promptly upon detection of compromise.
  • Require re-authentication to invalidate stolen tokens and enforce MFA challenges.
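The following Python example, added for this article and not part of the original, covers steps 4 and 5 together: it runs a simple detection over sign-in log records and drafts the Microsoft Graph `revokeSignInSessions` calls for the affected users. The log records are constructed for the example, modelled on the fields of the Graph `signIn` resource (`authenticationProtocol`, `ipAddress`, `location.countryOrRegion`, `status.errorCode`); the user names and addresses are placeholders.

```python
"""Flag device code sign-ins in Microsoft Entra sign-in log records and draft the
Graph calls that revoke the affected users' sessions.

Added example for this article. The log records are constructed, modelled on
the Microsoft Graph signIn resource (authenticationProtocol, ipAddress,
location.countryOrRegion, status.errorCode); they are not real tenant data.
"""
import json
from collections import defaultdict

# Constructed newline-delimited JSON export. Error code 500121 (MFA not
# completed) marks bob's device code sign-in as a failed attempt; alice's
# succeeds from a country she has never signed in from; carol's succeeds from
# her usual country.
SAMPLE_SIGNIN_LOG = """
{"id": "s0", "createdDateTime": "2025-03-01T07:50:00Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2", "ipAddress": "192.0.2.21", "location": {"countryOrRegion": "FR"}, "status": {"errorCode": 0}}
{"id": "s1", "createdDateTime": "2025-03-01T08:02:11Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}}
{"id": "s2", "createdDateTime": "2025-03-01T09:14:40Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}}
{"id": "s3", "createdDateTime": "2025-03-01T10:30:05Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.9", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 500121}}
{"id": "s4", "createdDateTime": "2025-03-01T11:45:52Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.50", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}}
{"id": "s5", "createdDateTime": "2025-03-01T12:05:13Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.77", "location": {"countryOrRegion": "FR"}, "status": {"errorCode": 0}}
"""

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}


def parse_signins(ndjson):
    """Parse one JSON object per line into a list of sign-in records."""
    return [json.loads(line) for line in ndjson.strip().splitlines() if line.strip()]


def baseline_countries(records):
    """Countries each user has successfully signed in from with an ordinary
    (non-device-code) protocol; a crude stand-in for a longer history."""
    baseline = defaultdict(set)
    for rec in records:
        if rec["authenticationProtocol"] != "deviceCode" and rec["status"]["errorCode"] == 0:
            baseline[rec["userPrincipalName"]].add(rec["location"]["countryOrRegion"])
    return baseline


def detect_device_code_signins(records):
    """Return one finding per device code sign-in, rated by outcome and location."""
    baseline = baseline_countries(records)
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec["userPrincipalName"]
        country = rec["location"]["countryOrRegion"]
        succeeded = rec["status"]["errorCode"] == 0
        if not succeeded:
            severity = "low"      # attempt only; still useful for spotting a lure campaign
        elif country in baseline.get(user, set()):
            # Attackers proxy into the victim's usual region, so a familiar
            # country is not a clean bill of health: every successful device
            # code sign-in deserves review.
            severity = "medium"
        else:
            severity = "high"
        findings.append({"id": rec["id"], "user": user, "app": rec["appDisplayName"],
                         "ip": rec["ipAddress"], "country": country,
                         "succeeded": succeeded, "severity": severity})
    return findings


def revocation_requests(findings, min_severity="medium"):
    """Draft the Graph calls that invalidate every refresh token of each user
    with a finding at or above min_severity. Sending them needs a suitably
    privileged token; access tokens already issued stay valid until they expire."""
    users = sorted({f["user"] for f in findings
                    if SEVERITY_ORDER[f["severity"]] >= SEVERITY_ORDER[min_severity]})
    return [("POST", f"https://graph.microsoft.com/v1.0/users/{u}/revokeSignInSessions")
            for u in users]


if __name__ == "__main__":
    found = detect_device_code_signins(parse_signins(SAMPLE_SIGNIN_LOG))
    for f in found:
        print(f["severity"].upper(), f["id"], f["user"], f["app"], f["ip"], f["country"])
    for method, url in revocation_requests(found):
        print(method, url)
```

In a real tenant the same logic runs over the sign-in logs exported to a SIEM, and the baseline is built from weeks of history rather than a handful of records. Because revocation only invalidates refresh tokens, a stolen access token can keep working until it expires, so the revocation should be paired with a password reset and a review of devices registered to the account.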

6. Enhance User Training and Awareness

  • Educate users about the risks of device code phishing and social engineering.
  • Simulate phishing campaigns internally to improve detection skills.
  • Train users to verify communications, especially unexpected meeting invites or code requests.

Conclusion: Vigilance is Key in the Evolving Cloud Security Landscape

This emerging attack technique exploiting Microsoft Entra refresh tokens via device code phishing represents a fundamental challenge to traditional cloud security models predicated on MFA and trusted authentication protocols.

Organizations must stay informed about such threats and adopt holistic security strategies that integrate technical controls, continuous monitoring, and proactive user education. As cloud adoption grows and hybrid work environments become the norm, identity remains the new perimeter—and protecting it requires both innovative defenses and skilled vigilance.

This article serves as a comprehensive snapshot of the current cloud security threat landscape related to Microsoft Entra token theft and offers actionable insights to mitigate the growing risk. Organizations and individual users alike should act promptly to secure their digital identities against these advanced persistent threats.