So it turns out that Microsoft ended up publishing a blog on token theft security last year and they include detection and mitigation guidance for this kind of attack: www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/ Mitigation is the easier part of the problem and basically boils down to implementing conditional access policies for user logins and revoking refresh tokens if you suspect a user has been compromised. The blog goes into detail on this. Detection is a harder problem to approach and the blog calls out that Entra Identity Protection and Defender for Cloud Apps *should* both catch a token replay attack like this and they can flag it as an anomalous sign-in, but I'm skeptical.

@@huskyhacks I will review the article. Thank you very much Husky! 👍

tyty king

What's the audience for that token and which resource are you trying to access?

Not sure about the audience, but the token is for outlook for sure.

@@cyberus15 Unfortunately, the Outlook API was deprecated sometime last year learn.microsoft.com/en-us/previous-versions/office/office-365-api/api/version-2.0/use-outlook-rest-api You might be able to get lucky and find an older on-prem Exchange server that still uses the API but I haven't tested that. Your best bet is to hunt for Graph API tokens and use those