Cookie-Bite Attack Let Threat Actors Bypass MFA & Maintain Access

A sophisticated attack technique dubbed “Cookie-Bite” enables cybercriminals to silently bypass multi-factor authentication (MFA) and maintain persistent access to cloud environments.

Varonis Threat Labs revealed that attackers leverage stolen browser cookies to impersonate legitimate users without requiring credentials, effectively rendering traditional MFA protections obsolete.

The attack targets critical authentication cookies, particularly ESTSAUTH and ESTSAUTHPERSISTENT, which are used by Azure Entra ID (formerly Azure Active Directory). These cookies maintain authenticated cloud sessions and enable access to Microsoft 365, Azure Portal, and various enterprise applications.

“By hijacking these session tokens, attackers can bypass MFA, impersonate users, and move laterally across cloud environments,” explained researchers. “This makes them one of the most valuable targets for infostealers and threat actors.”

[Figure: AiTM Attack]

Cybercriminals employ multiple methods to steal these authentication cookies, including:

  • Adversary-in-the-Middle (AiTM) attacks using reverse proxy tools to intercept cookies in real time.
  • Browser process memory dumping to extract decrypted cookies from active sessions.
  • Malicious browser extensions that access cookies directly within the browser’s security context.
  • Decrypting locally stored browser cookie databases.

Researchers’ proof-of-concept demonstrated how attackers can create custom Chrome extensions that silently extract authentication cookies whenever users log in to Microsoft’s authentication portal.

[Figure: PoC]

These cookies are then exfiltrated to attacker-controlled servers and can be injected into the threat actor’s browser to gain immediate access to the victim’s cloud session.

Persistent Access Without Credentials

What makes Cookie-Bite particularly dangerous is its persistent nature. Unlike traditional credential theft, this technique doesn’t require knowing the victim’s password or intercepting MFA codes. Once deployed, the malicious extension continues extracting fresh authentication cookies each time the victim logs in.

“This technique ensures that valid session cookies are continuously extracted, providing long-term unauthorized access even if passwords are changed or sessions are revoked,” researchers noted.

More concerning is the attack’s ability to circumvent Conditional Access Policies (CAPs), which organizations deploy as an additional security layer.

Attackers can accurately mimic legitimate access patterns by collecting details about the victim’s environment, including domain, hostname, operating system, IP address, and browser fingerprint.

With successful authentication, attackers gain access to critical enterprise applications like Microsoft Graph Explorer, allowing them to enumerate users, access emails, and potentially escalate privileges within the organization.

Security experts recommend several countermeasures to protect against Cookie-Bite attacks:

  • Continuously monitor for abnormal user behavior patterns and suspicious sign-ins.
  • Use Microsoft's risk detection capabilities during sign-in events.
  • Configure Conditional Access Policies that enforce login from compliant devices only.
  • Implement Chrome policies to restrict browser extensions to an approved allowlist.
  • Deploy token protection mechanisms to detect and prevent token theft.
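As an added illustration of the first countermeasure (example code written for this article, not from the Varonis research), the following Python detector runs over constructed sign-in records and flags a session that reappears from a different IP and browser than the one that originally satisfied MFA for it. The record fields and the assumption that a replayed cookie surfaces under the same session id are simplifications for the example, not an official log schema.

```python
from dataclasses import dataclass

# Simplified, constructed sign-in records loosely modelled on Entra sign-in
# log fields. Field names are assumptions for this example, not a real schema.
@dataclass(frozen=True)
class SignIn:
    user: str
    session_id: str
    ip: str
    user_agent: str
    mfa_satisfied: bool   # True when MFA was completed interactively in this event

def find_replayed_sessions(events):
    """Return alerts for sessions used from a device/IP pairing that differs
    from the one that last satisfied MFA for that session.

    A stolen ESTSAUTH/ESTSAUTHPERSISTENT cookie carries a session that is
    already MFA-satisfied, so a replay shows up as the same session id from
    a new IP and/or user agent with no fresh MFA challenge (assumption)."""
    origin = {}   # (user, session_id) -> (ip, user_agent) that passed MFA
    alerts = []
    for e in events:
        key = (e.user, e.session_id)
        if e.mfa_satisfied:
            # A fresh interactive MFA legitimises this device for the session.
            origin[key] = (e.ip, e.user_agent)
            continue
        if key in origin and (e.ip, e.user_agent) != origin[key]:
            alerts.append({"user": e.user, "session_id": e.session_id,
                           "origin": origin[key],
                           "seen_from": (e.ip, e.user_agent)})
    return alerts

# Constructed sample: a legitimate MFA sign-in, a normal follow-up from the
# same device, then the same session replayed from another IP and browser.
SAMPLE_EVENTS = [
    SignIn("alice@example.test", "sess-1", "203.0.113.10", "Chrome/124 Windows", True),
    SignIn("alice@example.test", "sess-1", "203.0.113.10", "Chrome/124 Windows", False),
    SignIn("alice@example.test", "sess-1", "198.51.100.7", "Firefox/125 Linux", False),
    SignIn("bob@example.test", "sess-2", "203.0.113.20", "Edge/124 Windows", True),
]

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_EVENTS):
        print(alert)
```

On real logs an IP change alone is noisy (mobile users, VPNs), so this signal is best correlated with impossible-travel and device-compliance checks rather than used on its own.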

As cloud adoption accelerates, these cookie hijacking techniques highlight the evolving nature of authentication-based attacks. Organizations must adapt their security postures to address these sophisticated threats that target the fundamental trust mechanisms of cloud authentication systems.
