MITRE ATT&CK Technique
Description
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment. For example, in Kubernetes environments, processes running inside a container may communicate with the Kubernetes API server using service account tokens. If a container is compromised, an adversary may be able to steal the container’s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts) Similarly, instances within continuous-development / continuous-integration (CI/CD) pipelines will often use API tokens to authenticate to other services for testing and deployment.(Citation: Cider Security Top 10 CICD Security Risks) If these pipelines are compromised, adversaries may be able to steal these tokens and leverage their privileges. In Azure, an adversary who compromises a resource with an attached Managed Identity, such as an Azure VM, can request short-lived tokens through the Azure Instance Metadata Service (IMDS). These tokens can then facilitate unauthorized actions or further access to other Azure services, bypassing typical credential-based authentication.(Citation: Entra Managed Identities 2025)(Citation: SpecterOps Managed Identity 2022) Token theft can also occur through social engineering, in which case user action may be required to grant access. OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019) Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2019-09-04T15:54:25.684Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries can steal application access tokens as a means of '
'acquiring credentials to access remote systems and '
'resources.\n'
'\n'
'Application access tokens are used to make authorized API '
'requests on behalf of a user or service and are commonly used '
'as a way to access resources in cloud and container-based '
'applications and software-as-a-service (SaaS).(Citation: '
'Auth0 - Why You Should Always Use Access Tokens to Secure '
'APIs Sept 2019) Adversaries who steal account API tokens in '
'cloud and containerized environments may be able to access '
'data and perform actions with the permissions of these '
'accounts, which can lead to privilege escalation and further '
'compromise of the environment.\n'
'\n'
'For example, in Kubernetes environments, processes running '
'inside a container may communicate with the Kubernetes API '
'server using service account tokens. If a container is '
'compromised, an adversary may be able to steal the '
'container’s token and thereby gain access to Kubernetes API '
'commands.(Citation: Kubernetes Service Accounts) \n'
'\n'
'Similarly, instances within continuous-development / '
'continuous-integration (CI/CD) pipelines will often use API '
'tokens to authenticate to other services for testing and '
'deployment.(Citation: Cider Security Top 10 CICD Security '
'Risks) If these pipelines are compromised, adversaries may be '
'able to steal these tokens and leverage their privileges. \n'
'\n'
'In Azure, an adversary who compromises a resource with an '
'attached Managed Identity, such as an Azure VM, can request '
'short-lived tokens through the Azure Instance Metadata '
'Service (IMDS). These tokens can then facilitate unauthorized '
'actions or further access to other Azure services, bypassing '
'typical credential-based authentication.(Citation: Entra '
'Managed Identities 2025)(Citation: SpecterOps Managed '
'Identity 2022)\n'
'\n'
'Token theft can also occur through social engineering, in '
'which case user action may be required to grant access. OAuth '
'is one commonly implemented framework that issues tokens to '
'users for access to systems. An application desiring access '
'to cloud-based services or protected APIs can gain entry '
'using OAuth 2.0 through a variety of authorization protocols. '
"An example commonly-used sequence is Microsoft's "
'Authorization Code Grant flow.(Citation: Microsoft Identity '
'Platform Protocols May 2019)(Citation: Microsoft - OAuth Code '
'Authorization flow - June 2019) An OAuth access token enables '
'a third-party application to interact with resources '
'containing user data in the ways requested by the application '
'without obtaining user credentials. \n'
' \n'
'Adversaries can leverage OAuth authorization by constructing '
'a malicious application designed to be granted access to '
"resources with the target user's OAuth token.(Citation: "
'Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend '
'Micro Pawn Storm OAuth 2017) The adversary will need to '
'complete registration of their application with the '
'authorization server, for example Microsoft Identity Platform '
'using Azure Portal, the Visual Studio IDE, the command-line '
'interface, PowerShell, or REST API calls.(Citation: Microsoft '
'- Azure AD App Registration - May 2019) Then, they can send a '
'[Spearphishing '
'Link](https://attack.mitre.org/techniques/T1566/002) to the '
'target user to entice them to grant access to the '
'application. Once the OAuth access token is granted, the '
'application can gain potentially long-term access to features '
'of the user account through [Application Access '
'Token](https://attack.mitre.org/techniques/T1550/001).(Citation: '
'Microsoft - Azure AD Identity Tokens - Aug 2019)\n'
'\n'
'Application access tokens may function within a limited '
'lifetime, limiting how long an adversary can utilize the '
'stolen token. However, in some cases, adversaries can also '
'steal application refresh tokens(Citation: Auth0 '
'Understanding Refresh Tokens), allowing them to obtain new '
'access tokens without prompting the user. ',
'external_references': [{'external_id': 'T1528',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1528'},
{'description': 'Amnesty International. (2019, August '
'16). Evolving Phishing Attacks '
'Targeting Journalists and Human '
'Rights Defenders from the '
'Middle-East and North Africa. '
'Retrieved October 8, 2019.',
'source_name': 'Amnesty OAuth Phishing Attacks, '
'August 2019',
'url': 'https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/'},
{'description': 'Andy Robbins. (2022, June 6). '
'Managed Identity Attack Paths, Part '
'1: Automation Accounts. Retrieved '
'March 18, 2025.',
'source_name': 'SpecterOps Managed Identity 2022',
'url': 'https://posts.specterops.io/managed-identity-attack-paths-part-1-automation-accounts-82667d17187a?gi=6a9daedade1c'},
{'description': 'Auth0 Inc.. (n.d.). Understanding '
'Refresh Tokens. Retrieved November '
'17, 2024.',
'source_name': 'Auth0 Understanding Refresh Tokens',
'url': 'https://auth0.com/learn/refresh-tokens'},
{'description': 'Auth0. (n.d.). Why You Should Always '
'Use Access Tokens to Secure APIs. '
'Retrieved September 12, 2019.',
'source_name': 'Auth0 - Why You Should Always Use '
'Access Tokens to Secure APIs Sept '
'2019',
'url': 'https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/'},
{'description': 'Daniel Krivelevich and Omer Gil. '
'(n.d.). Top 10 CI/CD Security Risks. '
'Retrieved November 17, 2024.',
'source_name': 'Cider Security Top 10 CICD Security '
'Risks',
'url': 'https://web.archive.org/web/20220316130828/https://www.cidersecurity.io/top-10-cicd-security-risks/'},
{'description': 'Hacquebord, F.. (2017, April 25). '
'Pawn Storm Abuses Open '
'Authentication in Advanced Social '
'Engineering Attacks. Retrieved '
'October 4, 2019.',
'source_name': 'Trend Micro Pawn Storm OAuth 2017',
'url': 'https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks'},
{'description': 'Kubernetes. (2022, February 26). '
'Configure Service Accounts for Pods. '
'Retrieved April 1, 2022.',
'source_name': 'Kubernetes Service Accounts',
'url': 'https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/'},
{'description': 'Microsoft Entra. (2025, February '
'27). How to use managed identities '
'for Azure resources on an Azure VM '
'to acquire an access token. '
'Retrieved March 18, 2025.',
'source_name': 'Entra Managed Identities 2025',
'url': 'https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token'},
{'description': 'Microsoft. (2019, August 29). '
'Microsoft identity platform access '
'tokens. Retrieved September 12, '
'2019.',
'source_name': 'Microsoft - Azure AD Identity Tokens '
'- Aug 2019',
'url': 'https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens'},
{'description': 'Microsoft. (2019, May 8). '
'Quickstart: Register an application '
'with the Microsoft identity '
'platform. Retrieved September 12, '
'2019.',
'source_name': 'Microsoft - Azure AD App '
'Registration - May 2019',
'url': 'https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app'},
{'description': 'Microsoft. (n.d.). Microsoft '
'identity platform and OAuth 2.0 '
'authorization code flow. Retrieved '
'September 12, 2019.',
'source_name': 'Microsoft - OAuth Code Authorization '
'flow - June 2019',
'url': 'https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow'},
{'description': 'Microsoft. (n.d.). Retrieved '
'September 12, 2019.',
'source_name': 'Microsoft Identity Platform '
'Protocols May 2019',
'url': 'https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols'}],
'id': 'attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'credential-access'}],
'modified': '2025-10-24T17:49:04.660Z',
'name': 'Steal Application Access Token',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Suzy Schapperle - Microsoft Azure Red Team',
'Shailesh Tiwary (Indian Army)',
'Mark Wee',
'Jeff Sakowicz, Microsoft Identity Developer '
'Platform Services (IDPM Services)',
'Saisha Agrawal, Microsoft Threat Intelligent Center '
'(MSTIC)',
'Ram Pliskin, Microsoft Azure Security Center',
'Jack Burns, HubSpot',
'Arun Seelagan, CISA',
'Eliraz Levi, Hunters Security',
'Alon Klayman, Hunters Security'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['SaaS',
'Containers',
'IaaS',
'Office Suite',
'Identity Provider'],
'x_mitre_version': '1.5'}