Microsoft Entra multiple revoked token replay attempts

ID: entra_multiple_revoked_token_replay_attempts
Data type: Microsoft Entra ID
Severity: Low
MITRE ATT&CK: TA0005:T1134.001

Description

AlphaSOC detected multiple attempts to use Microsoft Entra tokens that have been revoked. When a token is revoked through session invalidation, credential rotation, or a sign-out event, subsequent attempts to use that token fail. Multiple failed replay attempts using the same revoked token indicate that a threat actor is in possession of stolen tokens and is actively trying to establish a session using credentials that are no longer valid.

Impact

While repeated use of a revoked token is ultimately unsuccessful, this pattern confirms that an attacker has obtained valid session tokens from the target account. The attacker may pivot to using other stolen tokens, attempt to re-phish the victim, or exploit other cached credentials. The pattern also indicates active attacker engagement with the target environment and warrants immediate investigation to determine the scope of the initial compromise.

Severity

Severity   Condition
Low        Multiple replay attempts detected using a single revoked token

Investigation and Remediation

Review Entra sign-in logs to identify the revoked token and the source IP addresses used in the replay attempts. Determine how the token was originally issued and when it was revoked. Investigate the user account for evidence of prior token theft, such as sign-ins from unexpected locations or device code authentication events. Ensure all active sessions are terminated, reset the user's credentials, and review connected applications for unauthorized OAuth consent grants.
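The triage steps above can be scripted over exported sign-in records. The following is an added illustration, not AlphaSOC's detection logic and not the exact Entra sign-in log schema: the record field names (`result`, `reason`, `session_id`, `ip`) and the `token_revoked` reason value are assumptions, and the log lines are constructed. It groups failed sign-ins caused by a revoked token by user and session, counts the replay attempts, lists the source IPs, and pulls the time the session was originally issued.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sign-in records (field names are assumptions, not the
# real Entra schema). Session "sess-A" is issued legitimately, then replayed
# three times after revocation from two different source addresses.
SAMPLE_SIGNINS = [
    {"time": "2024-05-01T10:00:00Z", "user": "alice@example.com", "session_id": "sess-A",
     "ip": "198.51.100.7", "result": "success"},
    {"time": "2024-05-01T11:00:00Z", "user": "alice@example.com", "session_id": "sess-A",
     "ip": "203.0.113.9", "result": "failure", "reason": "token_revoked"},
    {"time": "2024-05-01T11:02:00Z", "user": "alice@example.com", "session_id": "sess-A",
     "ip": "203.0.113.9", "result": "failure", "reason": "token_revoked"},
    {"time": "2024-05-01T11:10:00Z", "user": "alice@example.com", "session_id": "sess-A",
     "ip": "203.0.113.42", "result": "failure", "reason": "token_revoked"},
    # Unrelated failure reason: must not count as a replay.
    {"time": "2024-05-01T11:11:00Z", "user": "bob@example.com", "session_id": "sess-B",
     "ip": "198.51.100.20", "result": "failure", "reason": "bad_password"},
    # A single revoked-token failure: below the "multiple attempts" threshold.
    {"time": "2024-05-01T11:12:00Z", "user": "bob@example.com", "session_id": "sess-C",
     "ip": "198.51.100.21", "result": "failure", "reason": "token_revoked"},
]


def revoked_token_replays(records, threshold=2):
    """Return one finding per (user, session) with >= threshold revoked-token failures."""
    issued_at = {}                      # (user, session) -> first successful sign-in time
    replays = defaultdict(list)         # (user, session) -> failed replay records
    for r in records:
        key = (r["user"], r["session_id"])
        if r["result"] == "success":
            issued_at.setdefault(key, r["time"])
        elif r["result"] == "failure" and r.get("reason") == "token_revoked":
            replays[key].append(r)

    findings = []
    for (user, session_id), rows in replays.items():
        if len(rows) < threshold:
            continue
        findings.append({
            "user": user,
            "session_id": session_id,
            "attempts": len(rows),
            # Sort numerically so 203.0.113.9 precedes 203.0.113.42.
            "source_ips": sorted({r["ip"] for r in rows}, key=ipaddress.ip_address),
            "issued_at": issued_at.get(key := (user, session_id)),
            "first_replay": min(r["time"] for r in rows),
            "last_replay": max(r["time"] for r in rows),
        })
    return findings


if __name__ == "__main__":
    for finding in revoked_token_replays(SAMPLE_SIGNINS):
        print(finding)
```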