Why a password reset does not stop a stolen refresh token
A phished refresh token keeps minting fresh access tokens after the help desk resets the password. The credential outlives the password.
The help desk reset the phished user’s password and closed the ticket, but the attacker never logged out.
How the attack works
A user is phished and consents to a malicious OAuth app, or hands a token to a phishing proxy, so the attacker now holds a refresh token for that user. The help desk resets the password and considers the case closed. The refresh token, however, keeps redeeming fresh access tokens, and the attacker continues reading mail and Graph data from an unfamiliar client with no password ever re-entered. The sign-in logs show new access tokens minted for the user after the reset, via refresh-token redemption, with no interactive authentication. In ATT&CK terms this is T1550, Use Alternate Authentication Material, following the theft of an application token (T1528).
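The hunt described above, as an added example that is not code from the original article or from GraphLattice: refresh-token redemptions land in the non-interactive sign-in log, so the script builds a baseline of the user's apps and IPs from before the phishing window, pulls every sign-in from an app or IP outside that baseline, and then isolates the non-interactive ones timestamped after the reset. The record fields follow the Microsoft Entra sign-in log (createdDateTime, userPrincipalName, isInteractive, appDisplayName, appId, ipAddress); the records, app ids, addresses and timestamps are all constructed.

```python
"""Hunt sign-in records for refresh-token redemptions that outlived a password reset.

Added example, not from the original article. Field names follow the Entra sign-in
log; every value below is constructed.
"""
from datetime import datetime, timezone

USER = "alice@contoso.example"
BASELINE_END = datetime(2024, 3, 4, 0, 0, tzinfo=timezone.utc)  # start of the phishing window
RESET_AT = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)      # help desk password reset

def rec(when, user, interactive, app, app_id, ip):
    return {"createdDateTime": when, "userPrincipalName": user, "isInteractive": interactive,
            "appDisplayName": app, "appId": app_id, "ipAddress": ip}

EVENTS = [  # constructed sign-in records
    rec("2024-03-01T09:00:00Z", USER, True,  "Outlook", "appid-outlook-constructed", "203.0.113.10"),
    rec("2024-03-01T09:30:00Z", USER, False, "Outlook", "appid-outlook-constructed", "203.0.113.10"),  # routine refresh
    rec("2024-03-04T14:05:00Z", USER, True,  "Mail Sync Helper", "appid-evil-constructed", "198.51.100.7"),  # consent to the malicious app
    rec("2024-03-04T15:00:00Z", USER, False, "Mail Sync Helper", "appid-evil-constructed", "198.51.100.7"),
    rec("2024-03-05T10:00:00Z", USER, False, "Mail Sync Helper", "appid-evil-constructed", "198.51.100.7"),  # after the reset
    rec("2024-03-05T11:00:00Z", USER, False, "Outlook", "appid-outlook-constructed", "203.0.113.10"),  # legitimate refresh after reset
    rec("2024-03-05T12:00:00Z", "bob@contoso.example", False, "Mail Sync Helper", "appid-evil-constructed", "198.51.100.7"),
    rec("2024-03-06T08:00:00Z", USER, False, "Mail Sync Helper", "appid-evil-constructed", "198.51.100.7"),  # still minting a day later
]

def ts(event):
    """Parse the Zulu timestamp into an aware datetime."""
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))

def baseline(events, user, until):
    """Apps and IPs the user touched before the incident window: the 'familiar' set."""
    apps, ips = set(), set()
    for e in events:
        if e["userPrincipalName"] == user and ts(e) < until:
            apps.add(e["appId"])
            ips.add(e["ipAddress"])
    return apps, ips

def off_baseline(events, user, since, base):
    """Every sign-in (interactive or not) from an app or IP the user had not used before."""
    apps, ips = base
    return [e for e in events
            if e["userPrincipalName"] == user and ts(e) >= since
            and (e["appId"] not in apps or e["ipAddress"] not in ips)]

def redemptions_after(events, reset_at):
    """Non-interactive sign-ins (token refreshes) that happened after the reset."""
    return [e for e in events if not e["isInteractive"] and ts(e) > reset_at]

def scope_window(events):
    """First and last suspicious sign-in: the window to scope mail and Graph activity over."""
    if not events:
        return None
    times = sorted(ts(e) for e in events)
    return times[0], times[-1]

def hunt(events=EVENTS, user=USER, baseline_end=BASELINE_END, reset_at=RESET_AT):
    base = baseline(events, user, baseline_end)
    foreign = off_baseline(events, user, baseline_end, base)
    return {"foreign": foreign,
            "survived_reset": redemptions_after(foreign, reset_at),
            "window": scope_window(foreign)}

if __name__ == "__main__":
    result = hunt()
    for e in result["survived_reset"]:
        print("refresh after reset:", e["createdDateTime"], e["appDisplayName"], e["ipAddress"])
    print("scope window:", result["window"])
```

Two of the constructed records survive the reset, both from the consented app at the unfamiliar address, while the user's own Outlook refresh after the reset is left alone because app and IP are in the baseline. The scope window starts at the consent sign-in, not at the reset, which is the point the article makes about scoping across the full window.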
Why it works
A refresh token is a long-lived credential that mints access tokens independently of whether the password stays the same. Resetting the password does not revoke refresh tokens, so the assumption that a reset ends the session is simply wrong. The root cause is unrestricted user consent plus that mistaken assumption.
How to fix it
The non-obvious move is that you must explicitly revoke the credential itself; resetting the password is not revocation. Run revokeSignInSessions for the user to invalidate the refresh tokens and existing sessions, remove the malicious app’s consent so it cannot re-mint tokens, and enable Continuous Access Evaluation so revocation takes near-real-time effect rather than waiting for the current access token to expire. Scope what was reached from the sign-in and Graph activity logs across the full window, including after the reset. Then restrict user consent with an admin-consent workflow, review and revoke risky third-party grants, and make token revocation a standard incident-response step.
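The revoke-then-strip-consent steps above, as an added example that is not code from the original article or from GraphLattice. It calls the Microsoft Graph v1.0 endpoints POST /users/{id}/revokeSignInSessions, GET /users/{id}/oauth2PermissionGrants, GET /oauth2PermissionGrants with a $filter, and DELETE /oauth2PermissionGrants/{id}. Assumptions: the caller already holds a bearer token with the needed Graph permissions (obtained elsewhere), LiveGraph is a thin wrapper over the requests library, and MemoryGraph is a constructed in-memory tenant so the script runs offline; the grant ids, service-principal ids and user ids in it are made up.

```python
"""Contain a stolen refresh token: revoke sessions, then strip the malicious app's consent.

Added example, not from the original article. LiveGraph talks to Microsoft Graph;
MemoryGraph is a constructed stand-in with the same get/post/delete surface.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"


class LiveGraph:
    """Real client. Assumption: the access token was acquired separately (e.g. via MSAL)."""

    def __init__(self, access_token: str):
        import requests  # imported lazily so the offline demo does not need it
        self.s = requests.Session()
        self.s.headers["Authorization"] = f"Bearer {access_token}"

    def get(self, path: str) -> dict:
        r = self.s.get(GRAPH + path)
        r.raise_for_status()
        return r.json()

    def post(self, path: str, body: Optional[dict] = None) -> dict:
        r = self.s.post(GRAPH + path, json=body)
        r.raise_for_status()
        return r.json() if r.content else {}

    def delete(self, path: str) -> None:
        r = self.s.delete(GRAPH + path)
        r.raise_for_status()


@dataclass
class MemoryGraph:
    """Constructed tenant state: grant id -> oauth2PermissionGrant-shaped dict."""
    grants: Dict[str, dict]
    calls: List[Tuple[str, str]] = field(default_factory=list)

    def get(self, path: str) -> dict:
        self.calls.append(("GET", path))
        if path.startswith("/users/"):
            user_id = path.split("/")[2]
            rows = [g for g in self.grants.values() if g["principalId"] == user_id]
        else:  # stand-in for $filter=clientId eq '...' and consentType eq 'AllPrincipals'
            client_id = path.split("'")[1]
            rows = [g for g in self.grants.values()
                    if g["clientId"] == client_id and g["consentType"] == "AllPrincipals"]
        return {"value": rows}

    def post(self, path: str, body: Optional[dict] = None) -> dict:
        self.calls.append(("POST", path))
        return {}

    def delete(self, path: str) -> None:
        self.calls.append(("DELETE", path))
        del self.grants[path.rsplit("/", 1)[1]]


def contain_token_theft(graph, user_id: str, malicious_sp_id: str) -> List[str]:
    """Revoke sessions first so the refresh token dies before consent cleanup.

    Returns the ids of the consent grants removed. malicious_sp_id is the object id of
    the app's service principal, which is what oauth2PermissionGrant.clientId holds.
    """
    graph.post(f"/users/{user_id}/revokeSignInSessions")
    # The user's own delegated consent plus any tenant-wide (admin) consent for the app,
    # which would not appear under the user's grants.
    candidates = list(graph.get(f"/users/{user_id}/oauth2PermissionGrants")["value"])
    candidates += graph.get(
        f"/oauth2PermissionGrants?$filter=clientId eq '{malicious_sp_id}' "
        f"and consentType eq 'AllPrincipals'")["value"]
    removed: List[str] = []
    for grant in candidates:
        if grant["clientId"] == malicious_sp_id and grant["id"] not in removed:
            graph.delete(f"/oauth2PermissionGrants/{grant['id']}")
            removed.append(grant["id"])
    return removed


def demo():
    """Offline run against constructed tenant state; returns (tenant, removed grant ids)."""
    tenant = MemoryGraph(grants={
        "g1": {"id": "g1", "clientId": "sp-evil", "principalId": "alice-id",
               "consentType": "Principal", "scope": "Mail.Read"},
        "g2": {"id": "g2", "clientId": "sp-outlook", "principalId": "alice-id",
               "consentType": "Principal", "scope": "Mail.ReadWrite"},
        "g3": {"id": "g3", "clientId": "sp-evil", "principalId": "bob-id",
               "consentType": "Principal", "scope": "Mail.Read"},
    })
    removed = contain_token_theft(tenant, "alice-id", "sp-evil")
    return tenant, removed


if __name__ == "__main__":
    tenant, removed = demo()
    print("removed grants:", removed, "remaining:", sorted(tenant.grants))
```

The revoke call is issued before any consent cleanup, because the refresh token is the live credential and the consent only matters for re-minting. Bob's grant to the same app is deliberately left in place: it belongs to another possible victim and is a lead for the scoping step, not something to delete silently. Continuous Access Evaluation is a tenant and Conditional Access setting rather than an API call in this script; without it, access tokens already issued keep working until they expire.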
Practice it
We built this as a GraphLattice Range scenario so responders learn that a reset does not revoke a refresh token, and practice revokeSignInSessions plus Continuous Access Evaluation.