Azure Entra ID Attack Techniques 2025: Device Code Phishing, Token Theft and PRT Abuse
Cloud Security
Azure Entra ID (formerly Azure AD) is the identity backbone of most Microsoft 365 enterprises. This post covers three advanced attack techniques active in 2025 red team engagements and nation-state campaigns: device code flow phishing, access token theft from browser memory, and Primary Refresh Token abuse for persistent access.
By Arjun Raghavan, Security & Systems Lead, BIPI · September 11, 2025 · 11 min read
Azure Entra ID is the authentication and authorization layer for over 700 million monthly active users. When attackers target Microsoft 365 enterprises, they do not break down the door — they walk through the identity plane. The three techniques covered in this post represent the methods most commonly documented in 2025 threat intelligence: device code flow phishing, access token theft from browser memory, and Primary Refresh Token extraction from Windows endpoints.
All three techniques share a design principle: they bypass MFA by targeting the artifact that MFA produces — the token — rather than the authentication ceremony itself. Phishing-resistant MFA defeats the ceremony but does not protect tokens that have already been issued. Once a valid access token or PRT is in an attacker's hands, the Microsoft authentication stack treats it as a legitimate session.
Phishing-resistant MFA protects the authentication ceremony. It does not protect the token that ceremony produces. Token theft skips the ceremony entirely.
Technique 1 — device code flow phishing
The OAuth 2.0 device code flow is designed for devices without keyboards — smart TVs, IoT devices — that cannot display a full browser. The device requests a device code and a short user code from Microsoft, displays the user code, and polls the token endpoint while the user authenticates on a separate device. Once the user completes authentication, the polling device receives the resulting tokens, including a refresh token.
Attackers abuse this flow by initiating the device code request themselves and embedding the user code in a phishing email. The victim visits the legitimate microsoft.com URL, enters a code that looks valid, and completes MFA. The attacker's polling loop receives the resulting tokens. The victim authenticated to the real Microsoft site with real MFA — they just handed the session to an attacker.
- Detection: alert on device code flow authentications for users who do not regularly use devices requiring device code flow.
- Mitigation: Conditional Access Policy blocking the device code flow for all users except those with documented use cases.
- Mitigation: Entra ID authentication methods policy restricting device code flow to specific trusted application IDs.
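The exchange above, modelled as an added example (not code from the original post, and not Microsoft's implementation): a mock authorization server with `/devicecode` and `/token` endpoints, a user who approves a code on a separate device, and a polling client. The point it makes visible is that nothing in the protocol ties the person approving the code to the client that requested it; whoever holds the `device_code` gets the tokens. The `allowed_device_flow_clients` set is a constructed stand-in for the tenant-side controls listed above (a Conditional Access block or an application-ID allowlist), which is why those controls, not the user's MFA, are what stops the flow. All names, URLs and token formats are invented for the example.

```python
"""Model of the OAuth 2.0 device authorization grant (RFC 8628) with a
tenant-side client allowlist. Constructed illustration only: the server,
clients, users and token formats are all mock values."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceAuthorization:
    device_code: str          # secret held by the polling client
    user_code: str            # short code the user types into the browser
    client_id: str
    expires_at: float
    authorized_by: Optional[str] = None   # user who approved the code, if any


class MockAuthorizationServer:
    """Minimal /devicecode and /token endpoints. `allowed_device_flow_clients`
    stands in for a policy restricting device code flow to approved application
    IDs; None means no policy at all (the weak default)."""

    def __init__(self, allowed_device_flow_clients=None):
        self.allowed = allowed_device_flow_clients
        self.pending = {}        # device_code -> DeviceAuthorization
        self.by_user_code = {}   # user_code   -> DeviceAuthorization

    def device_authorization(self, client_id):
        """Step 1: the client asks for a device code / user code pair."""
        if self.allowed is not None and client_id not in self.allowed:
            return {"error": "unauthorized_client"}
        auth = DeviceAuthorization(
            device_code=secrets.token_urlsafe(24),
            user_code=secrets.token_hex(4).upper(),
            client_id=client_id,
            expires_at=time.time() + 900,
        )
        self.pending[auth.device_code] = auth
        self.by_user_code[auth.user_code] = auth
        return {"device_code": auth.device_code, "user_code": auth.user_code,
                "verification_uri": "https://login.example.test/device",
                "interval": 5}

    def user_approves(self, user_code, user, mfa_passed):
        """Step 2 (browser side): the user enters the code and completes MFA.
        Note that the server only checks the code, never who requested it."""
        auth = self.by_user_code.get(user_code)
        if auth is None or not mfa_passed or time.time() > auth.expires_at:
            return False
        auth.authorized_by = user
        return True

    def token(self, device_code, client_id):
        """Step 3: the polling client redeems the device code for tokens."""
        auth = self.pending.get(device_code)
        if auth is None or auth.client_id != client_id:
            return {"error": "invalid_grant"}
        if auth.authorized_by is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"access_token": "at-%s-%s" % (auth.authorized_by, secrets.token_hex(4)),
                "refresh_token": "rt-%s" % secrets.token_hex(4),
                "token_type": "Bearer", "expires_in": 3600,
                "subject": auth.authorized_by}


def run_flow(server, client_id, user, mfa_passed=True):
    """Drive one complete exchange and return the final /token response."""
    dev = server.device_authorization(client_id)
    if "error" in dev:
        return dev
    first_poll = server.token(dev["device_code"], client_id)   # before approval
    assert first_poll == {"error": "authorization_pending"}
    server.user_approves(dev["user_code"], user, mfa_passed)
    return server.token(dev["device_code"], client_id)


if __name__ == "__main__":
    weak = MockAuthorizationServer()                                   # no policy
    strict = MockAuthorizationServer(allowed_device_flow_clients={"approved-tv-app"})
    print("no policy      :", run_flow(weak, "any-client", "alice@example.test"))
    print("allowlist, deny:", run_flow(strict, "any-client", "alice@example.test"))
    print("allowlist, ok  :", run_flow(strict, "approved-tv-app", "alice@example.test"))
```

With no policy the tokens are issued to whichever client started the flow, with the approving user's identity attached, even though that user never saw that client; with the allowlist the unapproved client is refused at the first step, before any user is involved.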
Technique 2 — access token theft from browser memory
Modern web browsers cache Entra ID access tokens and refresh tokens in memory and in browser storage (localStorage, sessionStorage, IndexedDB). Infostealer malware families active in 2025 — Lumma, RedLine variants, Atomic Stealer — specifically target browser profiles to extract these tokens. An access token stolen from browser memory is valid until expiry, typically one hour, but the accompanying refresh token can be used to obtain new access tokens for up to 90 days.
The Family of Client IDs (FOCI) design in Microsoft OAuth amplifies this risk. Applications in the FOCI group share refresh tokens. A token stolen from the browser while the user was in Teams can be refreshed to obtain an Outlook token, a SharePoint token, or an Azure portal token — all from a single stolen artifact.
Technique 3 — Primary Refresh Token extraction and abuse
The Primary Refresh Token is issued to Entra ID-joined Windows devices. It is stored in LSASS memory, protected by the TPM on compliant devices. The PRT can be used to obtain session tokens for any application in the tenant without additional authentication. Tools like ROADtoken and AADInternals can extract PRTs from non-TPM-protected devices or from virtual machines where TPM emulation can be bypassed.
PRT abuse is significant because it survives password resets. The PRT's validity depends on device compliance, not on the user's password. An attacker who extracts a PRT can maintain access even after the victim changes their password and the help desk confirms the account is secured.
- Require Entra ID-joined devices with TPM 2.0 for all corporate access — prevents PRT extraction on non-hardware-bound devices.
- Enable Continuous Access Evaluation to force real-time token revocation on risk events.
- Deploy Microsoft Entra ID Protection with risky sign-in policies that trigger step-up authentication.
- Monitor for token usage from IP addresses inconsistent with the user's device compliance signals.
- Use Microsoft Defender for Endpoint integration with Entra ID to revoke sessions on device risk events.
Detection rules for Entra ID token attacks
- SignInLogs: device_code grant type from users without registered device code applications.
- AuditLogs: token refresh activity from IP addresses in different continents within the same session.
- IdentityProtection: impossible travel alerts combined with application access pattern changes.
- Defender for Endpoint: LSASS memory access by non-system processes on Entra ID-joined devices.
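The first two rules above (and the detection bullet under Technique 1), implemented as an added example over a handful of constructed sign-in records. This is not code from the original post and not a real log export; the field names (`protocol`, `session`, `continent`) are assumptions loosely modelled on what a sign-in log carries, and the continent value stands in for the result of an IP geolocation lookup that a real pipeline would perform.

```python
"""Two Entra ID token-attack detections run over constructed sample events.
Constructed illustration only: records and field names are assumptions, not
the SigninLogs schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in / token-refresh events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2025-09-01T09:00:00Z", "user": "bob@corp.test",   "protocol": "deviceCode", "session": "s-bob-1",   "continent": "EU"},
    {"ts": "2025-09-10T08:05:00Z", "user": "alice@corp.test", "protocol": "browser",    "session": "s-alice-1", "continent": "EU"},
    {"ts": "2025-09-10T08:06:00Z", "user": "alice@corp.test", "protocol": "deviceCode", "session": "s-alice-2", "continent": "EU"},
    {"ts": "2025-09-10T08:30:00Z", "user": "alice@corp.test", "protocol": "refresh",    "session": "s-alice-2", "continent": "EU"},
    {"ts": "2025-09-10T09:10:00Z", "user": "alice@corp.test", "protocol": "refresh",    "session": "s-alice-2", "continent": "AS"},
    {"ts": "2025-09-10T10:00:00Z", "user": "bob@corp.test",   "protocol": "deviceCode", "session": "s-bob-2",   "continent": "EU"},
    {"ts": "2025-09-10T10:20:00Z", "user": "bob@corp.test",   "protocol": "refresh",    "session": "s-bob-2",   "continent": "EU"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def unusual_device_code_signins(events, baseline_days=30):
    """Rule 1: device code authentications by users with no device code
    sign-in in the preceding baseline window. Events are walked in time order,
    so each user's earlier sign-ins form their own baseline; a user's very
    first device code sign-in is flagged by design."""
    last_seen = {}   # user -> timestamp of most recent prior deviceCode sign-in
    hits = []
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if e["protocol"] != "deviceCode":
            continue
        t = parse_ts(e["ts"])
        prior = last_seen.get(e["user"])
        if prior is None or t - prior > timedelta(days=baseline_days):
            hits.append((e["user"], e["ts"]))
        last_seen[e["user"]] = t
    return hits


def cross_continent_sessions(events):
    """Rule 2: a single session (initial sign-in plus token refreshes) seen
    from more than one continent. Returns (session, user, continents)."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    hits = []
    for session, evs in by_session.items():
        continents = {e["continent"] for e in evs}
        if len(continents) > 1:
            hits.append((session, evs[0]["user"], sorted(continents)))
    return hits


def evaluate(events):
    """Run both rules and return their findings keyed by rule name."""
    return {
        "device_code_without_baseline": unusual_device_code_signins(events),
        "cross_continent_session": cross_continent_sessions(events),
    }


if __name__ == "__main__":
    for rule, findings in evaluate(SAMPLE_EVENTS).items():
        print(rule)
        for f in findings:
            print("   ", f)
```

On the sample data, rule 1 flags alice's device code sign-in (she has never used the flow before) but not bob's second one (he used it nine days earlier), and rule 2 flags alice's session `s-alice-2`, whose refresh an hour later arrives from a different continent than the sign-in that opened it. In production the baseline would come from a longer historical query rather than from the same batch, and the continent from a geolocation lookup on the source IP.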
Closing
Entra ID attacks in 2025 target the token layer, not the authentication ceremony. Phishing-resistant MFA is necessary but not sufficient. Deploy Continuous Access Evaluation, require TPM-bound device compliance for PRT issuance, monitor for device code flow abuse with Conditional Access, and integrate Defender for Endpoint signals into your identity risk policies. Identity is the perimeter — treat it with the same rigor as your network edge.