BotBeat
...
← Back

> ▌

MicrosoftMicrosoft
RESEARCHMicrosoft2026-03-12

Critical Azure Active Directory Vulnerability Discovered: Family Refresh Tokens Enable Unauthorized Persistence

Key Takeaways

  • ▸Azure AD contains undocumented family refresh token functionality that deviates from OAuth 2.0 standards, allowing cross-client token redemption
  • ▸Attackers can exploit family refresh tokens through device code phishing and SSO abuse to gain persistent access to Microsoft 365 and Azure resources
  • ▸The vulnerability enables privilege escalation and lateral movement across Microsoft cloud services by obtaining bearer tokens as different client applications
Source:
Hacker Newshttps://github.com/secureworks/family-of-client-ids-research↗

Summary

Security researchers at Secureworks discovered a critical undocumented functionality in Azure Active Directory that allows attackers to abuse "family refresh tokens" to gain unauthorized access to Microsoft cloud resources and establish persistence. The vulnerability, identified in 2022, exploits a quirk in Microsoft's OAuth 2.0 implementation where a group of Microsoft OAuth client applications can obtain special family refresh tokens that can be redeemed for bearer tokens as any other client in the family. This represents a significant deviation from the OAuth 2.0 specification and creates multiple attack vectors for privilege escalation and lateral movement. The researchers documented various attack paths including device code phishing and single sign-on abuse, while also providing mitigation strategies such as conditional access policies, sign-in log auditing, and refresh token revocation.

  • Mitigation requires implementation of conditional access policies, comprehensive sign-in log auditing, and proactive refresh token revocation strategies

Editorial Opinion

This discovery highlights a critical gap between OAuth 2.0 specification compliance and real-world implementation practices at scale. While Microsoft's modifications to support enterprise-scale services may have operational benefits, the undocumented nature of family refresh tokens and their security implications represent a significant risk that should have been disclosed more transparently. Organizations relying on Azure AD need to immediately review their access controls and implement the recommended mitigations to protect against this attack vector.

CybersecurityAI Safety & AlignmentPrivacy & Data

More from Microsoft

MicrosoftMicrosoft
RESEARCH

Microsoft's Leaked 'Aion' Project Reveals Vision for Copilot-First Operating System

2026-07-04
MicrosoftMicrosoft
PRODUCT LAUNCH

Microsoft Launches $2.5B Frontier Company for Enterprise AI Deployments

2026-07-02
MicrosoftMicrosoft
RESEARCH

Microsoft's Leaked 'Project Aion' Reveals Radical Copilot-First OS Without Start Menu

2026-07-02

Comments

Suggested

LLM Agent EcosystemLLM Agent Ecosystem
RESEARCH

Researchers Expose Critical Payload-Less Attack on LLM Agent Supply Chains

2026-07-04
OpenAIOpenAI
INDUSTRY REPORT

Investigation Uncovers AI-Generated Deepfakes in Lily Jay Foundation Charity Fraud

2026-07-04
AppleApple
RESEARCH

Researchers Discover Six Vulnerabilities in Apple AirDrop and Google/Samsung Quick Share Protocols

2026-07-04
← Back to news
© 2026 BotBeat
AboutPrivacy PolicyTerms of ServiceContact Us