Password resets can fail because the attacker may already hold valid refresh tokens. If those tokens are not explicitly revoked, the attacker can keep accessing mail, files, and identity-linked services even after the password changes. Containment has to address the session, not only the credential.
Why This Matters for Security Teams
In Microsoft 365 incidents, password resets are often treated as the finish line when they are only one control point. If an attacker has already captured a refresh token, session cookie, or OAuth grant, changing the password does not necessarily sever access to mail, files, or identity-linked services. That is why current guidance for cloud compromise response emphasizes session invalidation, token revocation, and tenant-wide review, not just credential replacement.
This matters because attackers increasingly operate through the identity layer, not through interactive logins. Once persistence exists in the session plane, defenders can believe the account is recovered while access continues silently in the background. NHI Management Group has repeatedly documented how modern identity abuse moves faster than manual containment, including in the Microsoft Midnight Blizzard breach coverage and the broader 52 NHI Breaches Analysis.
For Microsoft 365, the practical lesson is that compromise response must target every active credential path, including delegated access and long-lived application trust. In practice, many security teams discover this only after mailbox rules, token replay, or data exfiltration has already continued post-reset, rather than through intentional session-level containment.
How It Works in Practice
A password reset changes the user’s primary secret, but it does not automatically invalidate every artifact an attacker may already hold. In Microsoft 365, those artifacts can include refresh tokens, active sessions, app passwords, OAuth consents, and cached access tokens. The attacker may not need to log in again with the password at all. They simply continue to exchange a valid refresh token for new access tokens until the session is explicitly revoked.
That is why incident response should focus on the full identity chain. A practical containment sequence usually includes password reset, force sign-out, token/session revocation, review of OAuth app grants, mailbox rule inspection, conditional access reassessment, and checking for newly created forwarding rules or delegated permissions. Microsoft’s own incident response guidance for cloud identity and the broader session-control model used in Zero Trust both point to this reality, and NIST’s Zero Trust Architecture guidance reinforces that trust should be re-evaluated at each access request, not assumed after authentication. See NIST SP 800-207 Zero Trust Architecture and Anthropic’s AI-orchestrated cyber espionage report for the operational context of identity abuse at machine speed.
- Revoke refresh tokens and active sessions, not only the password.
- Audit OAuth consented applications and service principals for unexpected grants.
- Check mailbox rules, forwarding settings, and delegated access for persistence.
- Validate whether legacy protocols or app passwords remain enabled.
- Review sign-in logs for impossible travel, token replay, and unfamiliar device IDs.
NHIMG’s Microsoft Azure OpenAI service breach coverage shows the same pattern in a different context: once an identity path is trusted, attackers prefer persistence over noisy re-entry. These controls tend to break down when legacy authentication, unmanaged endpoints, or consented third-party apps remain active because those paths bypass the clean assumptions of a simple password change.
Common Variations and Edge Cases
Tighter session control often increases operational overhead, requiring organisations to balance faster containment against user disruption and help-desk load. That tradeoff is especially visible in hybrid Microsoft 365 environments where Entra ID sign-in policies, device compliance, and legacy Exchange or IMAP access all coexist.
Best practice is evolving, but there is no universal standard for whether every incident should trigger blanket tenant-wide sign-out or selective revocation. In high-confidence compromise cases, broad revocation is safer. In lower-confidence cases, scoped revocation may be preferred to avoid unnecessary outage. The key is to treat refresh tokens, consent grants, and service principals as first-class persistence mechanisms, not as implementation details.
Edge cases also matter. A password reset may appear successful while an attacker still has access through a newly authorized OAuth app, a compromised help-desk workflow, or a synced identity in another directory. That is why identity recovery should include both human account cleanup and application trust review. NHI Management Group’s guidance across the Ultimate Guide to NHIs and the DeepSeek breach reinforces a consistent point: durable compromise usually survives at the identity perimeter, not the password field.
In practice, password resets fail most often when defenders close the account but leave the session, consent, or delegated trust untouched.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses token and secret lifecycle issues that let access survive a password reset. |
| NIST CSF 2.0 | PR.AC-1 | Access control must cover sessions and tokens, not only initial authentication. |
| NIST Zero Trust (SP 800-207) | Zero Trust requires re-evaluating trust at each request, which passwords alone do not do. |
Treat every token exchange as a fresh authorization decision and revoke trust immediately on compromise.
