A better way to attack Microsoft Azure AD with temporary access passes

Microsoft's TAPs were designed to simplify passwordless authentication, but they can also be used by attackers to bypass MFA.

Even if an administrator goes in and deletes the TAP, an attacker could still maintain access to the user account. In the process of the OAuth On-Behalf-Of (OBO) flow, we have somehow removed the correlation between the Temporary Access Pass (TAP) and the refresh token, a process I (Daniel Heinsen, SpecterOps) am calling "OBO persistence".

Granted, in this scenario, you only have access to APIs that don't require admin consent, but that's enough to read the user's email, Teams messages, OneNote notes, and calendar. In order to revoke this access, an administrator will need to revoke all of the user's refresh tokens.
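As an added example (not from the SpecterOps post or from the obo-wash tool), the response step the post implies, written with the Microsoft Graph PowerShell SDK: remove the account's TAPs and then revoke the user's refresh tokens, because deleting the TAP alone leaves tokens already minted through the OBO flow renewable. The UPN is a placeholder.

```powershell
# Added example, not code from the original post or from obo-wash.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller holds the
# scopes requested below. The UPN is a placeholder for the affected account.
$Upn = 'compromised.user@example.com'   # placeholder, replace with the real account

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All', 'User.ReadWrite.All'

# 1. Remove every Temporary Access Pass registered on the account.
$taps = Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $Upn
foreach ($tap in $taps) {
    Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $Upn `
        -TemporaryAccessPassAuthenticationMethodId $tap.Id
    Write-Host "Removed TAP $($tap.Id) created $($tap.CreatedDateTime)"
}

# 2. Deleting the TAP does not invalidate tokens that were already obtained with it.
#    Revoke the user's sign-in sessions so existing refresh tokens can no longer be renewed.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
Write-Host "Refresh tokens revoked for $Upn; the user must sign in again on every device."
```

Verify afterwards in the Azure AD sign-in logs that no further token refreshes succeed for the account, since OBO-derived access persists only as long as a valid refresh token does.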

🛠 obo-wash
