Cookie-Bite Attack Enables MFA Bypass and Persistent Cloud Server Access
Researchers have detailed a cyberattack technique dubbed the “Cookie-Bite Attack,” which lets adversaries sidestep Multi-Factor Authentication (MFA) prompts and maintain persistent access to cloud services such as Microsoft 365, the Azure Portal, and Teams.
The method relies on stolen browser cookies, specifically the Microsoft Entra ID session cookies ESTSAUTH and ESTSAUTHPERSISTENT, to impersonate legitimate users without triggering security alerts.
By replaying these session cookies in their own browser, attackers gain access to high-value enterprise applications under the victim’s identity, posing a severe risk to corporate environments worldwide.

Technical Depth of Session Hijacking
The Cookie-Bite Attack operates through a combination of infostealer malware, custom malicious browser extensions, and automation scripts to extract authentication cookies directly from a victim’s browser.
Infostealer malware, often distributed under a Malware-as-a-Service (MaaS) model, harvests sensitive data from infected systems, including session cookies, and the resulting logs are sold on darknet marketplaces.
Techniques like Adversary-in-the-Middle (AITM) phishing, dumping the browser process memory, and decrypting the locally stored cookie database (which Chrome protects with keys available to any process running as the logged-in user) all yield these cookies in plaintext.
A proof-of-concept (PoC) detailed by the researchers showcases a custom Chrome extension that watches for login events on Microsoft’s authentication portal and exfiltrates the resulting cookies to an external server via Google Forms, a legitimate service whose traffic blends in with normal browsing.

A complementary PowerShell script automates deployment of the extension and keeps it loaded across browser restarts, while tools like Cookie-Editor make it easy to import the stolen cookies into the attacker’s browser and take over the session.
According to the report, no MFA factor is actually broken: the stolen cookie represents a session in which MFA has already been satisfied, so Microsoft Entra ID treats requests carrying it as pre-authenticated and never prompts again.
Post-exploitation, attackers can reach Outlook or SharePoint data through the Microsoft Graph API, enumerate users, exfiltrate data, or escalate privileges, and can use tools such as TokenSmith and AADInternals to manipulate OAuth tokens and obtain refresh tokens for extended access.
Even where Conditional Access Policies (CAPs) restrict access by location or device compliance, attackers can lower their chance of detection by mimicking the victim’s environment: they collect the victim’s IP address, browser version, and user agent and replay the cookie from a client that looks the same, which is why the report’s own recommendation is to tie CAPs to compliant devices and Token Protection, controls bound to the device rather than to the cookie.
The stolen ESTSAUTHPERSISTENT cookie, valid for up to 90 days when the user accepted the “Keep Me Signed In” prompt, acts as a long-term key to the cloud environment, enabling continuous unauthorized access.
This persistent threat extends beyond initial breaches, allowing lateral movement within tenants, data manipulation, and potential full network compromise.
To combat this, organizations must enhance monitoring for abnormal user behavior (for example, the same session suddenly appearing from a new network), use Microsoft Entra ID Protection risk detections for sign-in anomalies, and enforce CAPs that require compliant devices together with Token Protection, a Conditional Access session control that binds sign-in sessions to the device on which they were created.
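As an added example (not code from the Varonis researchers or from Microsoft), the following Python flags one concrete "abnormal user behavior" signal that cookie replay leaves in Microsoft Entra sign-in logs: the same session identifier appearing from a network the session has never used. The record fields it reads (userPrincipalName, sessionId, ipAddress, userAgent, createdDateTime) are a simplified subset of the real sign-in log schema, the sample events and the trusted network range are constructed for illustration, and the script expects records exported as newline-delimited JSON.

```python
"""Flag likely session-cookie replay in Microsoft Entra sign-in records.

Added example for this article, not code from Varonis or Microsoft.
Assumes a simplified subset of the sign-in log schema and constructed
sample data. A replayed ESTSAUTH / ESTSAUTHPERSISTENT cookie re-enters an
existing session without a fresh credential or MFA prompt, so the same
sessionId suddenly shows up from an address the session has never used.
"""
import ipaddress
import json
from datetime import datetime

# Constructed sample sign-in events (not real telemetry), one JSON object per line.
# Alice: two office sign-ins, a roam to another office subnet, then her session
# reappears from an external address with an identical user agent (mimicry).
# Bob: office sign-in, then his session reappears externally with a new browser.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.com", "sessionId": "S1", "ipAddress": "10.0.0.5", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0", "createdDateTime": "2025-04-22T09:00:00Z"}
{"userPrincipalName": "alice@example.com", "sessionId": "S1", "ipAddress": "10.0.0.5", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0", "createdDateTime": "2025-04-22T09:30:00Z"}
{"userPrincipalName": "alice@example.com", "sessionId": "S1", "ipAddress": "10.0.2.18", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0", "createdDateTime": "2025-04-22T10:10:00Z"}
{"userPrincipalName": "alice@example.com", "sessionId": "S1", "ipAddress": "203.0.113.77", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0", "createdDateTime": "2025-04-22T11:15:00Z"}
{"userPrincipalName": "bob@example.com", "sessionId": "S2", "ipAddress": "10.0.0.9", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/124.0", "createdDateTime": "2025-04-22T09:05:00Z"}
{"userPrincipalName": "bob@example.com", "sessionId": "S2", "ipAddress": "198.51.100.23", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0", "createdDateTime": "2025-04-22T09:50:00Z"}
"""

# Constructed: address ranges inside which a session may roam without alerting.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records and return them oldest first."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for rec in records:
        rec["createdDateTime"] = datetime.fromisoformat(
            rec["createdDateTime"].replace("Z", "+00:00")
        )
    return sorted(records, key=lambda rec: rec["createdDateTime"])


def is_trusted(ip):
    """True if the address falls inside one of the trusted (corporate) ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_session_replay(records):
    """Return one alert per sign-in that reuses a sessionId from an untrusted,
    never-before-seen IP address.

    The trigger is the IP, not the user agent: an attacker who copies the
    victim's user agent still trips it. A user-agent change is reported as
    corroborating evidence only.
    """
    sessions = {}  # sessionId -> {"ips": set, "uas": set, "first": record}
    alerts = []
    for rec in records:
        sess = sessions.setdefault(
            rec["sessionId"], {"ips": set(), "uas": set(), "first": rec}
        )
        new_ip = rec["ipAddress"] not in sess["ips"]
        if new_ip and sess["ips"] and not is_trusted(rec["ipAddress"]):
            elapsed = rec["createdDateTime"] - sess["first"]["createdDateTime"]
            alerts.append({
                "user": rec["userPrincipalName"],
                "sessionId": rec["sessionId"],
                "original_ip": sess["first"]["ipAddress"],
                "suspect_ip": rec["ipAddress"],
                "user_agent_changed": rec["userAgent"] not in sess["uas"],
                "minutes_after_first_seen": elapsed.total_seconds() / 60,
            })
        sess["ips"].add(rec["ipAddress"])
        sess["uas"].add(rec["userAgent"])
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(parse_signins(SAMPLE_SIGNINS)):
        print(alert)
```

Run against the embedded sample, the script raises two alerts: Alice's session S1 reappearing from 203.0.113.77 with her own user agent (so the user-agent check alone would have missed it), and Bob's session S2 reappearing from 198.51.100.23 with a different browser. The move between the two office subnets does not alert because both fall inside the trusted range. In production the same logic would run over the sign-in log export from Microsoft Graph or a SIEM rather than the embedded sample.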
Restricting browser extensions to an approved list through Chrome’s ADMX (Group Policy) templates, using the ExtensionInstallBlocklist and ExtensionInstallAllowlist policies, is also critical, since the PoC depends on an unpacked extension being loaded into the victim’s browser.
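As an added configuration example (not from the page or from Varonis), this is the managed-policy form of the extension allowlist just described, as it would appear in a Chrome policy JSON file on Linux or macOS; on Windows the ADMX templates write the same policy names as registry values under HKLM\SOFTWARE\Policies\Google\Chrome. The extension ID is a placeholder, and the weak setting it replaces is simply the default of no policy at all, which lets any user switch on Developer mode and load an unpacked extension.

```json
{
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"],
  "DeveloperToolsAvailability": 2
}
```

The blocklist entry `*` blocks every extension, and the allowlist then re-admits only the listed IDs. DeveloperToolsAvailability set to 2 disables Developer Tools and, in my experience, also removes the “Load unpacked” option from chrome://extensions; confirm the exact behaviour for your Chrome version against the Chrome Enterprise policy list before relying on it.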
The Cookie-Bite Attack underscores a hard fact: MFA alone does not protect a session once its cookie has left the browser.
As attackers refine browser-based session theft, enterprises must pair MFA with device-bound sessions, extension control, and monitoring to protect their cloud environments from such stealthy and persistent threats.