Cookie-Bite exploit undermines MFA

Despite the widespread adoption of multi-factor authentication (MFA) across enterprise environments, security researchers have described a new attack technique dubbed "Cookie-Bite" that lets threat actors sidestep MFA by stealing the authentication cookies a browser holds after the user has already completed MFA. The attack uses a malicious browser extension to harvest authentication cookies from active browser sessions, targeting Microsoft Entra ID (formerly Azure AD) and Microsoft 365 in particular, though the same approach applies to any cloud service whose signed-in sessions are represented by bearer cookies.

The exploit's effectiveness lies in the fact that it needs neither the user's credentials nor an MFA code: a cookie that represents an already-authenticated session is a bearer token, so an attacker who imports it into their own browser inherits the session. Once the malicious extension is installed, it operates silently in the background and exfiltrates fresh session cookies to an attacker-controlled endpoint each time the victim signs in, so a password reset or session revocation only helps until the victim's next login issues new cookies that are stolen in turn. Infostealers with the same capability are sold through established underground marketplaces under the Malware-as-a-Service model, which lowers the bar for deploying cookie theft at scale. Cookie-Bite specifically targets two Entra ID authentication cookies, ESTSAUTH and ESTSAUTHPERSISTENT: ESTSAUTH is the transient session cookie, while ESTSAUTHPERSISTENT is the long-lived cookie issued when the user chooses to stay signed in, which gives the attacker access that survives browser restarts.

Organizations face significant risk because the replayed session grants immediate access to cloud services including Microsoft 365, Outlook, Teams and Microsoft Graph Explorer. From there a threat actor can enumerate users, read sensitive communications and potentially escalate privileges within the tenant, while keeping a low detection profile by matching the victim's device and session characteristics (operating system, browser and apparent location) so that the session looks like the legitimate user's. Endpoint protection products such as Bitdefender process billions of threat queries a day in the effort to catch such attacks.

The researchers' proof-of-concept comprises a custom Chrome extension that watches for sign-in events on the Microsoft login domain and captures the cookies issued afterwards, plus a PowerShell script that reloads the unpacked extension each time Chrome launches, giving the harvester persistence across browser restarts. Because the replayed session is presented with device, browser and location attributes that match the legitimate user, it satisfies Conditional Access policies written against those attributes, which makes the activity hard for detection and incident response teams to distinguish from normal use.

Security experts note that tools focused solely on credential-based threats (password spraying, phishing for passwords and one-time codes) will not see a cookie-based attack, because no credential is ever presented: the attacker replays a valid session token. Closing that gap requires monitoring for cookie theft and replay both on the endpoint (browser extension inventories, browser telemetry) and in the identity plane (sign-ins that reuse a session from a new IP address, device or country), together with Conditional Access controls that a replayed cookie alone cannot satisfy, such as requiring a compliant or hybrid-joined device.
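One concrete place to look for the replay described above is the tenant's sign-in logs: the same session identifier turning up from a different IP address, country or device than the interactive sign-in that created it. The following Python is an added example for this page, not code from the original article or from the Cookie-Bite researchers. Its input records are constructed and only loosely modelled on Microsoft Graph sign-in log fields, so the field names used (sessionId, deviceDetail.isManaged, location.countryOrRegion) are assumptions about a particular export rather than a guaranteed schema.

```python
"""Flag session-cookie replay in Microsoft Entra ID sign-in records.

Added example for this article; not code from the original page or from the
Cookie-Bite research. SAMPLE_SIGNINS is CONSTRUCTED and only loosely modelled
on Microsoft Graph sign-in log fields; treat the field names as assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample. Alice signs in interactively (password + MFA) from her
# managed Windows 11 laptop; that sign-in mints the session cookie. Later the
# same session is used, non-interactively, from an unmanaged Windows 10 host
# in another country: the signature of a replayed ESTSAUTH* cookie. Bob's
# session is only ever used from the device that created it.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-04-22T08:00:00Z", "userPrincipalName": "alice@contoso.example",
     "sessionId": "s-1", "isInteractive": True, "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "NL"},
     "deviceDetail": {"operatingSystem": "Windows 11", "browser": "Chrome 135.0.0", "isManaged": True}},
    {"createdDateTime": "2025-04-22T08:05:00Z", "userPrincipalName": "alice@contoso.example",
     "sessionId": "s-1", "isInteractive": False, "appDisplayName": "Microsoft Teams",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "NL"},
     "deviceDetail": {"operatingSystem": "Windows 11", "browser": "Chrome 135.0.0", "isManaged": True}},
    {"createdDateTime": "2025-04-22T11:40:00Z", "userPrincipalName": "alice@contoso.example",
     "sessionId": "s-1", "isInteractive": False, "appDisplayName": "Graph Explorer",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "US"},
     "deviceDetail": {"operatingSystem": "Windows 10", "browser": "Chrome 135.0.0", "isManaged": False}},
    {"createdDateTime": "2025-04-22T09:00:00Z", "userPrincipalName": "bob@contoso.example",
     "sessionId": "s-2", "isInteractive": True, "appDisplayName": "Office 365 SharePoint Online",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "NL"},
     "deviceDetail": {"operatingSystem": "Windows 11", "browser": "Edge 135.0.0", "isManaged": True}},
    {"createdDateTime": "2025-04-22T09:30:00Z", "userPrincipalName": "bob@contoso.example",
     "sessionId": "s-2", "isInteractive": False, "appDisplayName": "Microsoft Teams",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "NL"},
     "deviceDetail": {"operatingSystem": "Windows 11", "browser": "Edge 135.0.0", "isManaged": True}},
]


def _ts(record):
    """Parse the ISO-8601 timestamp; a trailing 'Z' means UTC."""
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def fingerprint(record):
    """Attributes a replayed cookie must keep consistent with the device that
    minted it. Cookie-Bite can mimic OS and browser, so IP address, country
    and device management state carry most of the signal."""
    dev = record.get("deviceDetail", {})
    loc = record.get("location", {})
    return {
        "ip": record.get("ipAddress"),
        "country": loc.get("countryOrRegion"),
        "os": dev.get("operatingSystem"),
        "browser": dev.get("browser"),
        "managed": dev.get("isManaged"),
    }


def find_session_replays(records):
    """Group sign-ins by (user, session) and report every later use of a
    session whose fingerprint differs from the interactive sign-in that
    created it. No time window is applied: ESTSAUTHPERSISTENT stays valid
    for weeks, so the replay may be far from the origin."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[(rec["userPrincipalName"], rec["sessionId"])].append(rec)

    findings = []
    for (upn, sid), recs in by_session.items():
        recs.sort(key=_ts)
        # The first interactive sign-in is the one that minted the cookie and
        # passed MFA; it is the baseline every later use should match.
        origin = next((r for r in recs if r.get("isInteractive")), None)
        if origin is None:
            continue  # session created outside this data set; nothing to compare against
        base = fingerprint(origin)
        for rec in recs:
            if rec is origin:
                continue
            changed = sorted(k for k, v in fingerprint(rec).items() if v != base[k])
            if changed:
                findings.append({
                    "user": upn, "sessionId": sid, "changed": changed,
                    "originIp": base["ip"], "replayIp": rec.get("ipAddress"),
                    "minutesAfterOrigin": int((_ts(rec) - _ts(origin)).total_seconds() // 60),
                    "app": rec.get("appDisplayName"),
                })
    return findings


if __name__ == "__main__":
    for f in find_session_replays(SAMPLE_SIGNINS):
        print(f"{f['user']} session {f['sessionId']}: {f['originIp']} -> {f['replayIp']} "
              f"after {f['minutesAfterOrigin']} min via {f['app']}; changed {f['changed']}")
```

The check is deliberately conservative: a change of IP address alone produces noise from mobile users and VPNs, so in practice the "managed" and "country" deltas are the ones to alert on first, and the originating interactive sign-in tells responders which device the extension most likely lives on.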

Cookie-Bite illustrates how cloud identity threats keep evolving and why MFA cannot be the sole access control: once a user has authenticated, the session token that results is itself a credential and must be protected as one.