M365-TOKEN-EXFILCredential Access

AAD Token Cache Exfil

Extract refresh tokens / FOCI tokens from a user's TokenCache.dat / WAM broker — replay against any Family Of Client IDs app.

§ Where this technique fits

M365-TOKEN-EXFIL is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 4 on average.

§ Dossiers chaining this technique

OAuth device-code phishing → M365 access without a fake page
Initiate a device-code flow against login.microsoftonline.com; send the code + url to the victim via email or chat. Once they enter it, attacker gets access + refresh tokens.
step 4 / 6

§ What commonly comes next

01
Exchange Web Services (EWS) Exfil
M365-EWS-EXFIL · Collection
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

OAuth device-code phishing → M365 access without a fake page

§ What commonly comes next