Cookie Bite Attack Exposes MFA Flaw in Microsoft 365

PureID

Srishti Chaubey

April 29, 2025


When MFA Isn't Enough: The Rise of Cookie Bite

You log into your Microsoft 365 account, breeze through multi-factor authentication (MFA), and feel secure. But while you're at ease, someone else quietly slips in through the back door—no alarms, no malware alerts—just a stolen session cookie turning your session into their playground.

Welcome to Cookie Bite, a session-hijacking technique that Varonis Threat Labs published as a proof-of-concept (PoC). It pairs a malicious browser extension with a small automation script to steal the Entra ID session cookies and keep unauthorized access to cloud services such as Outlook and Teams. It is not just clever; it is alarmingly hard to detect.

1. Cookie Bite 101: The Cookie That Grants Total Access

What is Cookie Bite?

It is a session hijacking attack against Microsoft Entra ID (formerly Azure Active Directory), the identity provider behind Microsoft 365.

It exploits the two cookies that login.microsoftonline.com sets once a sign-in, MFA included, has succeeded:

  • ESTSAUTH: session-scoped cookie that is discarded when the browser closes
  • ESTSAUTHPERSISTENT: long-lived cookie set when the user answers "Yes" to "Stay signed in?"

A stolen copy of either cookie is proof that authentication has already happened. An attacker who replays it in their own browser gets that finished session back without ever entering your password or answering an MFA prompt, so MFA is bypassed rather than broken.

2. The Mechanics of a Silent Invasion: How Cookies Are Stolen

The Varonis PoC showed how little it takes:

  • A malicious Chrome extension watches for cookie changes on login.microsoftonline.com and pulls ESTSAUTH and ESTSAUTHPERSISTENT the moment they are written.
  • A PowerShell script, registered as a scheduled task, relaunches Chrome with the unpacked extension sideloaded (the same path developer mode exists for), so the implant is back every time Chrome starts.
  • The cookies leave the machine over ordinary HTTPS, in the PoC through a Google Form, so the exfiltration looks like routine web traffic.
  • The attacker pastes the values into a browser cookie editor (Cookie-Editor in the PoC) on their own machine and lands in the victim's live session.

Every fresh login by the victim produces a fresh cookie, and the extension captures that one too: you keep logging in, they keep slipping in.

3. Beyond Cookie Bite: Other Methods of Session Hijacking

Cookie theft is not limited to this one method. Attackers are getting creative:

  • Infostealers: Decrypt the browser's on-disk cookie store or scrape the running browser process for cookies in the clear.
  • Adversary-in-the-Middle (AiTM) proxies: Sit between the victim and the real login page and capture the session cookie as it is issued, MFA already satisfied.
  • Dark Web Markets: Trade stolen session tokens together with the browser fingerprints that make a replay look plausible.
  • Malicious Extensions: Abuse broad permissions such as cookie access to quietly lift session data.

The common theme: skip the credentials, take the session, sidestep MFA.

4. Post-Login Mayhem: What Attackers Can Do

Once inside, the attacker holds exactly what the user holds. They can:

  • Access Outlook: Read, forward, and send email as the victim.
  • Join Microsoft Teams: Impersonate the user in chats and meetings.
  • Map the tenant: Enumerate users, groups, applications, and permissions through Microsoft Graph (Graph Explorer is enough).
  • Escalate Privileges: Use tools like ROADtools and AADInternals to find and abuse weak role assignments and application permissions.
  • Establish Persistence: Register malicious apps or add other backdoors, such as a new MFA method on the account.

Worse yet, because every action rides on the victim's authenticated session, it blends into legitimate traffic and is very hard to pick out.

5. Why Cookie Bite Is So Dangerous

Unlike traditional malware:

  • No binaries or executables: the implant is a browser extension and a script.
  • No password theft: the password is never needed.
  • No obvious system changes.

This is persistence at the browser level, and most endpoint detection and response (EDR) tooling is not tuned for it. The tools are looking for malware; the attacker is collecting cookies.

6. How to Defend Against Cookie Bite Attacks

You cannot rely on MFA alone anymore. Here's what smart defenders are doing:

Adopt a Zero Trust Model: Use solutions like PureAuth to enforce logins only from authorized, compliant, and healthy devices. In Conditional Access, also tighten the session controls (sign-in frequency and persistent browser session) to limit how long a stolen cookie stays usable.

Use Microsoft Risk-Based Detection: Turn on Entra ID Protection risk detections and alert on sign-ins with unfamiliar properties, so a session that suddenly arrives from a new IP, device, or user agent stands out.

Lock Down Chrome Extensions: Restrict allowed extensions via the Chrome ADMX policies (ExtensionInstallBlocklist with "*" plus an ExtensionInstallAllowlist of vetted extension IDs); only allow vetted, secure add-ons.

Block Developer Mode in Chrome: Disallow developer mode on chrome://extensions by policy (ExtensionDeveloperModeSettings), and audit endpoints for Chrome being launched with --load-extension, which is how the PoC sideloads its extension without touching the extensions page.

Monitor Entra and Cloud Logs: Watch the sign-in logs for a single session reused from a second IP or device, and for non-interactive sign-ins whose MFA requirement is "satisfied by claim in the token" from a place the user has never been.
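The two Chrome controls above, together with a check for the relaunch trick from section 2, as one PowerShell script. This is an added example, not code from the PureID post or from the Varonis PoC. It writes the registry values that the Chrome ADMX templates map to, so it needs an elevated prompt; the extension ID in $AllowedExtensions is a placeholder, and the ExtensionDeveloperModeSettings policy assumes a Chrome build recent enough to ship it.

```powershell
# Added example (not from PureID or Varonis). Run from an elevated PowerShell prompt.
# Part 1 enforces the Chrome extension policies through the registry keys the ADMX
# templates write to. Part 2 audits the host for the PoC's persistence mechanism:
# anything that starts Chrome with --load-extension.

$ChromePolicy      = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$AllowedExtensions = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'   # placeholder ID; replace with extensions you have vetted
)

function Set-ChromeExtensionPolicy {
    # ExtensionInstallBlocklist / ExtensionInstallAllowlist are "list" policies:
    # each entry is a REG_SZ named 1, 2, 3 ... under the policy's own subkey.
    $blockKey = Join-Path $ChromePolicy 'ExtensionInstallBlocklist'
    $allowKey = Join-Path $ChromePolicy 'ExtensionInstallAllowlist'
    foreach ($key in $ChromePolicy, $blockKey, $allowKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # "*" blocks every extension that is not explicitly allowlisted.
    New-ItemProperty -Path $blockKey -Name '1' -Value '*' -PropertyType String -Force | Out-Null
    $index = 1
    foreach ($id in $AllowedExtensions) {
        New-ItemProperty -Path $allowKey -Name "$index" -Value $id -PropertyType String -Force | Out-Null
        $index++
    }
    # 1 = developer mode on chrome://extensions is not allowed (policy assumed present in this Chrome build).
    New-ItemProperty -Path $ChromePolicy -Name 'ExtensionDeveloperModeSettings' -Value 1 -PropertyType DWord -Force | Out-Null
    # Block extensions that third-party software drops in from outside the Web Store.
    New-ItemProperty -Path $ChromePolicy -Name 'BlockExternalExtensions' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Find-SideloadedChromeLaunchers {
    # Returns every scheduled task action, Run-key entry and live process that starts
    # Chrome with --load-extension. Policy does not stop the script that relaunches
    # Chrome, so any hit here should be treated as an incident, not a misconfiguration.
    $pattern = '--load-extension'
    $hits    = @()

    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $pattern) {
                $hits += [pscustomobject]@{ Source = "ScheduledTask:$($task.TaskPath)$($task.TaskName)"; CommandLine = $cmd }
            }
        }
    }

    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Skip the PSPath/PSParentPath bookkeeping properties that Get-ItemProperty adds.
            if ($prop.Name -like 'PS*') { continue }
            if ($prop.Value -is [string] -and $prop.Value -match $pattern) {
                $hits += [pscustomobject]@{ Source = "Run:$key\$($prop.Name)"; CommandLine = $prop.Value }
            }
        }
    }

    foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'") {
        if ($proc.CommandLine -match $pattern) {
            $hits += [pscustomobject]@{ Source = "Process:$($proc.ProcessId)"; CommandLine = $proc.CommandLine }
        }
    }
    return $hits
}

Set-ChromeExtensionPolicy
Find-SideloadedChromeLaunchers | Format-Table -AutoSize -Wrap
```

Chrome reads the policy keys on its next start, and chrome://policy on the endpoint shows whether each value was picked up. The audit half is worth scheduling on its own: the policy stops the extensions page, but it is the relaunch script, not the extension, that gives the PoC its persistence.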
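The log check above, as an added PowerShell example that is not part of the original post. It hunts exported sign-in events for one session ID reused from a different origin. The four records are constructed for the demo, and the field names (sessionId, ipAddress, userAgent, deviceId) are assumed to be a simplified subset of the sign-in log export you actually have; map them to your own columns before running it on real data.

```powershell
# Added example (not from PureID or Varonis). Input: sign-in events exported as JSON.
# The records below are constructed: alice's session s-1001 is created with MFA on her
# laptop, used again from the same place, and then shows up from a new IP, a different
# OS/user agent and no registered device. That third event is what a replayed cookie looks like.
$signIns = @'
[
 {"createdDateTime":"2025-04-28T08:02:11Z","userPrincipalName":"alice@contoso.example","sessionId":"s-1001",
  "ipAddress":"203.0.113.10","userAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/124","deviceId":"dev-alice-laptop","isInteractive":true},
 {"createdDateTime":"2025-04-28T08:40:53Z","userPrincipalName":"alice@contoso.example","sessionId":"s-1001",
  "ipAddress":"203.0.113.10","userAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/124","deviceId":"dev-alice-laptop","isInteractive":false},
 {"createdDateTime":"2025-04-28T09:15:02Z","userPrincipalName":"alice@contoso.example","sessionId":"s-1001",
  "ipAddress":"198.51.100.77","userAgent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/124","deviceId":"","isInteractive":false},
 {"createdDateTime":"2025-04-28T09:30:00Z","userPrincipalName":"bob@contoso.example","sessionId":"s-2002",
  "ipAddress":"203.0.113.22","userAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/124","deviceId":"dev-bob-desktop","isInteractive":true}
]
'@ | ConvertFrom-Json

function Find-SessionReplay {
    param([Parameter(Mandatory)] $Events)
    $findings = @()
    # One session ID belongs to one browser on one device. Compare every later event in a
    # session against the event that created it.
    foreach ($group in ($Events | Group-Object userPrincipalName, sessionId)) {
        $ordered = @($group.Group | Sort-Object { [datetime]$_.createdDateTime })
        $origin  = $ordered[0]
        foreach ($event in ($ordered | Select-Object -Skip 1)) {
            $reasons = @()
            if ($event.ipAddress -ne $origin.ipAddress) { $reasons += "ip $($origin.ipAddress) -> $($event.ipAddress)" }
            if ($event.userAgent -ne $origin.userAgent) { $reasons += 'user agent changed' }
            if ($origin.deviceId -and -not $event.deviceId) { $reasons += 'registered device -> unknown device' }
            # A single change (e.g. a laptop moving networks) is normal; two or more within one
            # session, with no new interactive sign-in, is the cookie-replay signature.
            if ($reasons.Count -ge 2 -and -not $event.isInteractive) {
                $findings += [pscustomobject]@{
                    User      = $event.userPrincipalName
                    SessionId = $event.sessionId
                    When      = $event.createdDateTime
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
    return $findings
}

# Expected: one finding for alice / s-1001 at 09:15:02Z; bob's session is clean.
Find-SessionReplay -Events $signIns | Format-Table -AutoSize -Wrap
```

The same grouping is a one-liner in KQL against the sign-in tables if the logs are already in Log Analytics or Defender; the point is the comparison, not the language. Tune the threshold to your fleet: a roaming VPN population will move IPs constantly, but a session that changes IP and user agent and loses its device registration at the same time is worth a ticket.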

Final Takeaway: Securing the Future Means Securing the Session

Cookie Bite is not just a clever exploit—it’s a signpost for the future of cybersecurity. Authentication alone is no longer enough. Attackers aren’t breaking in by smashing down doors; they’re walking through them with stolen keys, blending in, operating silently. The next era of security isn't about better passwords or even stronger MFA. It's about continuous trust verification, session protection, and relentless monitoring. If your defenses stop at login, you’ve already lost.

In a world where attackers move faster than policies, your survival depends on evolving faster than their imagination.
Secure the session. Harden the browser. Assume every interaction is a battlefield.
Because in this new landscape, it’s not just about keeping intruders out. It’s about ensuring they were never inside to begin with.
