New Exploit Method Extracts Microsoft Entra Tokens Through Beacon


A novel exploit method leveraging Beacon Object Files (BOFs) has emerged, enabling attackers to extract Microsoft Entra (formerly Azure AD) tokens from compromised endpoints, even on non-domain-joined or BYOD devices.

This technique sidesteps traditional detection mechanisms and expands access to high-value targets, posing significant risks to enterprise cloud environments.

PRT Extraction Limits on BYOD Devices

Attackers often rely on extracting Primary Refresh Tokens (PRTs) from domain-joined devices to maintain access to Entra tenants.

However, as detailed in Matthew Creel’s “Operator’s Guide to Device-Joined Hosts and the PRT Cookie,” PRT-based methods fail on non-domain-joined hosts.

In such cases, attackers faced a roadblock: how to obtain refresh tokens without triggering alerts or requiring privileged access.

TrustedSec’s recently released get_azure_token BOF (by Christopher Paschen) inspired a breakthrough.

JUMPSEC’s TokenSmith tool being used with the “authcode” functionality, generating an authorization code flow URL (Microsoft Teams client ID).

The tool initiates ...


Copyright of this story solely belongs to gbhackers.