Critical Azure Active Directory Vulnerability Discovered: Family Refresh Tokens Enable Unauthorized Persistence
Key Takeaways
- Azure AD contains undocumented family refresh token functionality that deviates from OAuth 2.0 standards, allowing cross-client token redemption
- Attackers can exploit family refresh tokens through device code phishing and SSO abuse to gain persistent access to Microsoft 365 and Azure resources
- The vulnerability enables privilege escalation and lateral movement across Microsoft cloud services by obtaining bearer tokens as different client applications
- Mitigation requires implementation of conditional access policies, comprehensive sign-in log auditing, and proactive refresh token revocation strategies
Summary
Security researchers at Secureworks discovered a critical undocumented functionality in Azure Active Directory that allows attackers to abuse "family refresh tokens" to gain unauthorized access to Microsoft cloud resources and establish persistence. The vulnerability, identified in 2022, exploits a quirk in Microsoft's OAuth 2.0 implementation where a group of Microsoft OAuth client applications can obtain special family refresh tokens that can be redeemed for bearer tokens as any other client in the family. This represents a significant deviation from the OAuth 2.0 specification and creates multiple attack vectors for privilege escalation and lateral movement. The researchers documented various attack paths including device code phishing and single sign-on abuse, while also providing mitigation strategies such as conditional access policies, sign-in log auditing, and refresh token revocation.
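The sign-in log auditing recommended above, as an added example that is not from the original article or from Secureworks: it flags sessions in which one sign-in to a family client is followed, without any new interactive sign-in, by token issuances to other clients in the same family. The log shape, field names and family app IDs are constructed placeholders, not the real Azure AD sign-in schema or real first-party app IDs.

```python
"""Added example: minimal sign-in log audit for family-refresh-token abuse.
The record layout, field names and app IDs below are a constructed
simplification (assumptions), not the actual Azure AD sign-in log schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder IDs standing in for a "family" of first-party clients (constructed).
FAMILY_APP_IDS = {"family-app-A", "family-app-B", "family-app-C"}
WINDOW = timedelta(minutes=30)

# Constructed sign-in events: one interactive device-code sign-in to client A,
# then non-interactive token issuances to clients B and C in the same session,
# plus an unrelated single sign-in for a second user.
SIGN_INS = [
    {"ts": "2022-06-01T10:00:00", "user": "alice@contoso.example", "appId": "family-app-A",
     "protocol": "deviceCode", "interactive": True, "sessionId": "s1", "ip": "203.0.113.9"},
    {"ts": "2022-06-01T10:05:00", "user": "alice@contoso.example", "appId": "family-app-B",
     "protocol": "oAuth2", "interactive": False, "sessionId": "s1", "ip": "203.0.113.9"},
    {"ts": "2022-06-01T10:06:00", "user": "alice@contoso.example", "appId": "family-app-C",
     "protocol": "oAuth2", "interactive": False, "sessionId": "s1", "ip": "203.0.113.9"},
    {"ts": "2022-06-01T11:00:00", "user": "bob@contoso.example", "appId": "family-app-A",
     "protocol": "oAuth2", "interactive": True, "sessionId": "s2", "ip": "198.51.100.4"},
]

def find_cross_client_redemptions(events, window=WINDOW):
    """Return (user, sessionId, originating app, originating protocol, other apps)
    for each session where the first sign-in was to a family client and further
    family clients obtained tokens non-interactively within `window`. Under plain
    OAuth 2.0 a refresh token is bound to the client it was issued to, so this
    pattern is the cross-client redemption the article describes."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e["user"], e["sessionId"])].append(e)
    findings = []
    for (user, sid), evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        first = evs[0]
        if first["appId"] not in FAMILY_APP_IDS:
            continue
        t0 = datetime.fromisoformat(first["ts"])
        others = {e["appId"] for e in evs[1:]
                  if e["appId"] in FAMILY_APP_IDS and e["appId"] != first["appId"]
                  and not e["interactive"]
                  and datetime.fromisoformat(e["ts"]) - t0 <= window}
        if others:
            findings.append((user, sid, first["appId"], first["protocol"], others))
    return findings

if __name__ == "__main__":
    for user, sid, origin, proto, apps in find_cross_client_redemptions(SIGN_INS):
        print(f"{user} session {sid}: {origin} ({proto}) -> {sorted(apps)}")
```

A device-code origin combined with cross-client issuances is the signature worth prioritising, since it matches the phishing path the article describes; a hit is a cue to revoke the user's refresh tokens and review conditional access coverage for those clients.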
Editorial Opinion
This discovery highlights a critical gap between OAuth 2.0 specification compliance and real-world implementation practices at scale. While Microsoft's modifications to support enterprise-scale services may have operational benefits, the undocumented nature of family refresh tokens and their security implications represent a significant risk that should have been disclosed more transparently. Organizations relying on Azure AD need to immediately review their access controls and implement the recommended mitigations to protect against this attack vector.