
Attackers are exploiting a logic flaw in Microsoft Entra ID (formerly Azure AD) to maintain permanent access to M365 environments. The vulnerability allows OAuth tokens to survive password resets and “revoke all sessions” commands, turning unmonitored third-party apps into invisible backdoors.
If you or your teams rely on Microsoft 365 and allow users to consent to third-party applications (Shadow IT), this one hit close to home. It fundamentally breaks the standard “account compromise” remediation playbook and shows how Identity has become the new perimeter.
On February 12, 2026, Microsoft confirmed a critical vulnerability tracked as CVE-2026-0012 (dubbed the “Ghost Token” flaw).
The vulnerability exists within the Microsoft Graph API’s token refresh mechanism. Normally, when a user changes their password or an administrator clicks “Revoke All Sessions”, all active OAuth refresh tokens are supposed to be invalidated. However, researchers discovered that applications granted the “offline_access” scope combined with specific high-privilege permissions (like Mail.ReadWrite or Files.Read.All) could generate a “Ghost Token.”
This token effectively detaches itself from the user’s core identity lifecycle. Even if the user account is disabled, reset, or secured with MFA, the attacker holding this token retains programmatic access to emails, Teams chats, and SharePoint files.
Microsoft has begun rolling out backend fixes, but they warned that existing tokens generated before the patch are not automatically revoked, leaving thousands of tenants potentially exposed.
Here’s the reality: most organizations treat “Application Consent” as a productivity feature, not a security risk. Yet API-based attacks like this bypass MFA entirely, because the “login” happened months ago.
For SOC teams, the impact is operational chaos. The standard incident response procedure (Reset Password > Enable MFA > Revoke Sessions) is useless here. You are effectively locking the front door while the intruder is already sitting inside, holding a master key that doesn’t fit the lock you just changed.
This isn’t theoretical. With the rise of “Shadow AI” (and employees connecting AI tools to corporate data), a single compromised or malicious AI app could be sucking data out of your environment indefinitely, invisible to standard sign-in logs.
The flaw exploits the interaction between Continuous Access Evaluation (CAE) and legacy OAuth flows.
When an attacker (or a malicious app) requests a token with “offline_access”, they receive a Refresh Token. In a standard flow, Entra ID checks the “StsRefreshTokenValidFrom” timestamp against the user’s “LastPasswordChange” timestamp.
In the CVE-2026-0012 exploit, attackers manipulate the API call to flag the session as a “Non-Interactive Background Process”. Due to the logic error, Entra ID stops checking the password timestamp for these specific sessions.
The result is a zombie session. The attacker does not need to re-authenticate. They simply keep swapping the Refresh Token for a new Access Token every hour, exfiltrating data via simple HTTP GET requests to the Graph API. Because this is “application traffic” and not “user sign-in traffic,” it often bypasses Conditional Access policies that geo-fence logins to specific countries.
This incident mirrors the evolution of the Midnight Blizzard (Nobelium) attacks, where state-sponsored actors targeted OAuth applications rather than passwords.
We are seeing a clear pattern: attackers are moving away from “breaking in” (brute force/phishing) to “logging in” via abused credentials and APIs. In early 2026 alone, we have seen a 40% spike in “Illicit Consent Grants” phishing attacks designed solely to trick users into granting permissions to a malicious app.
For affected organizations, the “Ghost Token” means that data exfiltration could have been happening for months before detection, attributed to a user who thought they were secure.
The “Identity Perimeter” is failing. As organizations move to SaaS-first models, the sheer number of connected applications creates an unmanageable attack surface. A marketing intern granting a “PDF Converter” tool access to their OneDrive can now compromise the entire organization if that tool is weaponized.
This vulnerability forces a shift in mindset: Identity Hygiene is no longer just about strong passwords; it’s about Token Governance.
We’re seeing attackers shift from exploiting software vulnerabilities to exploiting the permissions we willingly grant to software.
Start with the basics that work:
1. Audit “Enterprise Applications” in Entra ID: Immediately review all apps with “offline_access” and high-privilege scopes (Mail.*, Files.*). Remove anything unrecognized.
2. Hunt for “Ghost” Activity: Do not rely on Sign-In Logs. Query the Audit Logs for Application Management events and correlate them with data access volumes in the Graph Activity Logs.
3. Restrict User Consent: Switch your Entra ID setting to “Do not allow users to consent to apps”. Implement an admin workflow for approval.
4. Implement “Hard” Revocation: Use PowerShell to specifically delete the RefreshToken objects for high-risk users, rather than relying on the GUI “Revoke” button.
5. Shorten Token Lifetimes: Configure your Conditional Access session controls to enforce stricter frequency checks for non-managed devices.
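As an added example (not from the article, Microsoft, or any vendor tooling), here is a Python pass implementing the step 1 audit over records shaped like the Graph API’s oauth2PermissionGrants and servicePrincipals responses: it flags every grant that pairs offline_access with a Mail.* or Files.* scope and ranks tenant-wide (AllPrincipals) consents first. The sample records, app names and IDs are constructed.

```python
"""Flag delegated OAuth2 permission grants that pair offline_access with
high-privilege Graph scopes (Mail.*, Files.*), as in step 1 above."""
import fnmatch

# Scope families the article calls out as high privilege.
HIGH_PRIVILEGE_PATTERNS = ("Mail.*", "Files.*")

# Constructed sample records in the shape of Microsoft Graph
# /servicePrincipals and /oauth2PermissionGrants responses (not real data).
SERVICE_PRINCIPALS = {
    "sp-aaa": {"displayName": "PDF Converter Pro"},
    "sp-bbb": {"displayName": "Expense Reporter"},
    "sp-ccc": {"displayName": "Calendar Sync"},
}
PERMISSION_GRANTS = [
    {"id": "g1", "clientId": "sp-aaa", "consentType": "Principal",
     "principalId": "user-1", "scope": "offline_access Files.Read.All User.Read"},
    {"id": "g2", "clientId": "sp-bbb", "consentType": "AllPrincipals",
     "principalId": None, "scope": "offline_access Mail.ReadWrite"},
    {"id": "g3", "clientId": "sp-ccc", "consentType": "Principal",
     "principalId": "user-2", "scope": "Calendars.Read User.Read"},
    {"id": "g4", "clientId": "sp-ccc", "consentType": "Principal",
     "principalId": "user-3", "scope": "offline_access User.Read"},
]

def is_high_privilege(scope: str) -> bool:
    return any(fnmatch.fnmatchcase(scope, p) for p in HIGH_PRIVILEGE_PATTERNS)

def find_risky_grants(grants, service_principals):
    """One finding per grant combining offline_access with a high-privilege
    scope; tenant-wide consent (AllPrincipals) is marked and sorted first."""
    findings = []
    for g in grants:
        scopes = g["scope"].split()
        risky = sorted(s for s in scopes if is_high_privilege(s))
        if "offline_access" in scopes and risky:
            sp = service_principals.get(g["clientId"], {})
            findings.append({
                "grantId": g["id"], "app": sp.get("displayName", g["clientId"]),
                "tenantWide": g["consentType"] == "AllPrincipals",
                "principalId": g["principalId"], "scopes": risky,
            })
    # Tenant-wide grants affect every user, so review them before per-user ones.
    findings.sort(key=lambda f: (not f["tenantWide"], f["app"]))
    return findings

if __name__ == "__main__":
    for f in find_risky_grants(PERMISSION_GRANTS, SERVICE_PRINCIPALS):
        print(f)
```

Grants that hold offline_access alone (g4) or high-privilege scopes without offline_access are left out, so the list stays focused on the combination the article describes.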
In our experience helping clients secure M365 environments, relying on Microsoft’s default settings is a gamble. The gap between a “User Identity” and an “Application Identity” is where this vulnerability lives.
We start with Identity Threat Detection and Response (ITDR). We don’t just look for bad logins; we look for anomalous token usage. If a user’s token is accessing SharePoint from a data centre in a country where the user isn’t located, that’s a red flag even if the password wasn’t used.
Application Governance comes next. We help clients implement automated policies that auto-revoke permissions for apps that haven’t been used in 30 days. This reduces the “blast radius” of flaws like CVE-2026-0012.
Finally, Behavioural Baselining is key. In a recent engagement, our SOC flagged a “Ghost Token” because it was downloading files at 3 AM every night, a behaviour inconsistent with the human user it was impersonating.
These layered practices ensure that when the platform fails (as it did here), your visibility saves you.
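The following is an added hunting example, not code from the article or its authors, for the step 2 and behavioural-baselining points above. It walks Graph activity records (constructed, with field names modelled loosely on the MicrosoftGraphActivityLogs table) and, per user and app, flags any token issued before that user’s lastPasswordChangeDateTime but still exchanged for data afterwards, together with off-hours and out-of-country access. The user context, app IDs, quiet-hours window and sample values are assumptions.

```python
"""Hunt for 'ghost token' use: tokens issued before a password reset that are
still exchanged for data after it, plus off-hours and out-of-country reads."""
from collections import defaultdict
from datetime import datetime, timezone

def ts(s):
    """ISO-8601 string (UTC assumed) -> timezone-aware datetime."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Per-user context (constructed): lastPasswordChangeDateTime from the Entra
# user object, plus the country the user normally works from.
USER_CONTEXT = {
    "user-1": {"password_reset_at": ts("2026-02-13T09:00:00"), "home_country": "GB"},
}

# Constructed activity records; field names modelled loosely on the
# MicrosoftGraphActivityLogs table. Values are sample data, not real logs.
ACTIVITY = [
    {"TimeGenerated": "2026-02-13T03:05:00", "UserId": "user-1", "AppId": "app-pdf",
     "RequestUri": "https://graph.microsoft.com/v1.0/me/drive/root/children",
     "ResponseSizeBytes": 48_000_000, "TokenIssuedAt": "2026-01-20T14:00:00", "Location": "GB"},
    {"TimeGenerated": "2026-02-14T03:10:00", "UserId": "user-1", "AppId": "app-pdf",
     "RequestUri": "https://graph.microsoft.com/v1.0/me/drive/items/abc/content",
     "ResponseSizeBytes": 51_000_000, "TokenIssuedAt": "2026-01-20T14:00:00", "Location": "RO"},
    {"TimeGenerated": "2026-02-14T10:30:00", "UserId": "user-1", "AppId": "app-teams",
     "RequestUri": "https://graph.microsoft.com/v1.0/me/chats",
     "ResponseSizeBytes": 12_000, "TokenIssuedAt": "2026-02-13T09:30:00", "Location": "GB"},
]

def hunt_ghost_tokens(records, user_context, quiet_hours=range(0, 6)):
    """Group requests per (user, app); keep pairs that tripped any signal."""
    findings = defaultdict(lambda: {"requests": 0, "bytes": 0, "reasons": set()})
    for r in records:
        used_at, issued_at = ts(r["TimeGenerated"]), ts(r["TokenIssuedAt"])
        ctx = user_context.get(r["UserId"], {})
        f = findings[(r["UserId"], r["AppId"])]
        f["requests"] += 1
        f["bytes"] += r["ResponseSizeBytes"]
        reset_at = ctx.get("password_reset_at")
        # Core signal: a token minted before the reset still doing work after it.
        # A pre-reset token used *before* the reset is normal and is not flagged.
        if reset_at and issued_at < reset_at < used_at:
            f["reasons"].add("token_predates_password_reset")
        if used_at.hour in quiet_hours:
            f["reasons"].add("off_hours_access")
        if ctx.get("home_country") and r["Location"] != ctx["home_country"]:
            f["reasons"].add("access_outside_home_country")
    return {k: v for k, v in findings.items() if v["reasons"]}
```

Run it over an export of real activity records and a user map built from lastPasswordChangeDateTime; the Teams app in the sample drops out because its token was minted after the reset and used in business hours from the home country.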
· CVE-2026-0012 allows attackers to maintain access to M365 data even after a password reset.
· The flaw exploits “Shadow IT” applications and OAuth tokens, bypassing MFA and standard remediation.
· Standard “Sign-in Logs” will not show this activity; you must monitor Graph API traffic.
· Organizations must move from “User Consent” to “Admin Consent” for third-party applications immediately.
· Security requires visibility into Non-Human Identities (apps, bots, tokens), not just human users.