Cookie theft compromises MFA

The security of Microsoft cloud services has been significantly undermined by a newly identified cyber threat known as the “cookie-bite attack.” This technique specifically targets the multi-factor authentication (MFA) mechanisms used across platforms such as Microsoft 365, Teams, and SharePoint. Although MFA is intended to add a layer of protection against unauthorized access, the cookie-bite attack bypasses it by exploiting the session cookies that are issued once the MFA process completes.

A new cyber threat, the “cookie-bite attack,” undermines MFA security for Microsoft cloud services by exploiting session cookies.

Attackers focus on persistent session cookies, notably those issued by Azure Entra ID such as ESTSAUTH and ESTSAUTHPERSISTENT. Holding these cookies lets an attacker keep access to a victim’s account without repeated authentication or further MFA prompts. Common methods for stealing them include malicious browser extensions, phishing schemes, and infostealer malware, which makes this a significant concern for the millions of organizations that rely on Azure Entra ID for identity management.

After extraction, the cookies are sent to attacker-controlled locations, enabling session hijacking without triggering any MFA alert. Modern signature-based detection methods employed by antivirus solutions can help identify and block cookie-theft attempts before they succeed.

Security researchers, including those at Varonis, have developed a proof of concept demonstrating how effective such malicious Chrome extensions are. Once installed, the extension silently monitors browser activity, captures authentication session cookies, and maintains persistence through automated PowerShell scripts. When the attackers import the stolen cookies into their own browser, they can log straight into the victim’s Microsoft cloud accounts and enjoy uninterrupted access to sensitive information.

The stealth of this attack poses a significant threat to organizations that rely on Microsoft cloud services. Once a session is hijacked, the attacker gains elevated privileges that can lead to data exfiltration, administrative actions, or lateral movement within cloud applications. Because typical detection methods do not flag the unusual behavior, organizations remain exposed to prolonged attacks.

To mitigate such threats, organizations are advised to enforce stricter policies on browser extensions, continuously monitor session activity, and deploy endpoint detection tools. Regularly reviewing and rotating session tokens, especially for sensitive accounts, further reduces exposure.
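As an added illustration of the session-monitoring advice above (example code, not from the original article or from Varonis), the following Python routine runs over constructed sign-in records and flags a session cookie that is reused from a new IP address or browser without a fresh MFA challenge, which is the footprint a replayed ESTSAUTH cookie leaves. The record schema, field names, and sample values are assumptions, not Entra ID’s real log format.

```python
# Constructed sample sign-in records (hypothetical schema, not Entra ID's real log format).
# "session_id" stands in for the identity of the ESTSAUTH/ESTSAUTHPERSISTENT cookie and
# "mfa" records whether that request completed an MFA challenge.
SAMPLE_EVENTS = [
    {"ts": "2025-04-22T08:01Z", "user": "alice@example.com", "session_id": "S1",
     "ip": "203.0.113.10", "ua": "Edge/124 (Windows)", "mfa": True},
    {"ts": "2025-04-22T09:00Z", "user": "alice@example.com", "session_id": "S1",
     "ip": "203.0.113.10", "ua": "Edge/124 (Windows)", "mfa": False},   # normal reuse
    {"ts": "2025-04-22T10:30Z", "user": "alice@example.com", "session_id": "S1",
     "ip": "198.51.100.7", "ua": "Chrome/124 (Linux)", "mfa": False},   # replayed cookie
    {"ts": "2025-04-22T08:05Z", "user": "bob@example.com", "session_id": "S2",
     "ip": "203.0.113.22", "ua": "Edge/124 (Windows)", "mfa": True},
    {"ts": "2025-04-22T13:00Z", "user": "bob@example.com", "session_id": "S2",
     "ip": "192.0.2.44", "ua": "Edge/124 (Windows)", "mfa": True},      # re-challenged
]


def detect_session_reuse(events):
    """Return one finding per session cookie that is used from a different IP address
    or browser than the one it was first seen with, without a fresh MFA challenge.
    A stolen cookie imported into another browser produces exactly this pattern:
    no new sign-in, no MFA prompt, but a changed client context."""
    issued_to = {}   # (user, session_id) -> the record that first used the session
    findings = []
    for ev in sorted(events, key=lambda r: r["ts"]):
        key = (ev["user"], ev["session_id"])
        origin = issued_to.setdefault(key, ev)
        if origin is ev:
            continue   # first sighting of this session: establish the baseline context
        context_changed = ev["ip"] != origin["ip"] or ev["ua"] != origin["ua"]
        if context_changed and not ev["mfa"]:
            findings.append({
                "user": ev["user"], "session_id": ev["session_id"], "ts": ev["ts"],
                "issued_ip": origin["ip"], "new_ip": ev["ip"],
                "issued_ua": origin["ua"], "new_ua": ev["ua"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_session_reuse(SAMPLE_EVENTS):
        print(f"session {f['session_id']} of {f['user']} reused from "
              f"{f['new_ip']} ({f['new_ua']}) without MFA at {f['ts']}")
```

In a real deployment the rule should tolerate expected IP churn (VPN egress, mobile carriers) and be fed from the tenant’s actual sign-in log fields rather than this illustrative schema.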

The cookie-bite attack represents a troubling evolution in cyber threats, emphasizing the urgent need for comprehensive security strategies in cloud environments.