Listen to this Post
Introduction
Cybersecurity threats continue to evolve, with new attack vectors and methods emerging regularly. One of the most insidious attacks uncovered recently involves the “Cookie-Bite” proof-of-concept, which leverages a browser extension to steal session cookies and bypass multi-factor authentication (MFA). This attack targets Microsoft’s cloud-based identity and access management system, Azure Entra ID, enabling hackers to maintain persistent access to cloud services like Microsoft 365, Outlook, and Teams. While cookie-stealing attacks are not new, the stealthy nature of Cookie-Bite and its ability to sidestep MFA protections have made it a noteworthy concern for cybersecurity professionals.
Cookie-Bite Attack Explained
The Cookie-Bite attack exploits a malicious Chrome extension designed to steal authentication cookies from Azure Entra ID, Microsoft’s cloud identity service. This extension specifically targets two key session cookies: ESTAUTH and ESTSAUTHPERSISTENT. These cookies are integral to session management after users complete MFA processes.
- ESTAUTH: This transient session token is issued once MFA is successfully completed. It remains valid for 24 hours or until the browser is closed.
- ESTSAUTHPERSISTENT: This cookie is the persistent session version, often created when a user selects the “Stay signed in” option or when Azure applies the Keep Me Signed In (KMSI) policy. This token can last for up to 90 days, maintaining seamless access for the user.
When the malicious extension is installed, it listens for login events that occur on Microsoft login URLs. Upon detecting a valid login, it extracts the cookies related to Microsoft services and sends them to the attacker via a Google Form, evading detection by most security systems.
Interestingly, while this attack was demonstrated on Microsoft services, the same method could be adapted to target cookies for other services such as Google, Okta, and AWS.
The real danger comes from the ability of the attackers to inject stolen cookies back into the browser using tools like the legitimate Cookie-Editor Chrome extension. Once the cookie is injected, the victim’s session is effectively hijacked, bypassing MFA protections. This grants the attacker full access to the victim’s cloud services, including Microsoft Teams, Outlook, and even administrative functions like user enumeration and privilege escalation.
Moreover, this attack is made even more persistent as threat actors can use a PowerShell script to ensure the malicious extension is re-injected each time the browser is launched, without user awareness. Varonis researchers also noted that no security vendors flagged the extension as malicious when tested on VirusTotal, highlighting the attack’s stealth.
What Undercode Say:
The Cookie-Bite attack demonstrates a chilling ability to bypass the latest security measures such as MFA and session management protocols. While session hijacking and cookie theft are common tactics in the cybercrime world, this attack stands out due to its combination of persistence, stealth, and ease of execution. By embedding malicious functionality into what appears to be a legitimate browser extension, attackers can evade traditional detection methods, making it challenging for both users and security professionals to defend against.
A major issue here is the reliance on the “Stay Signed In” feature, which, while convenient, can become a vulnerability if targeted by attackers. This is particularly concerning in environments like Microsoft 365, where access to critical organizational data can be manipulated once a session is hijacked. The seamless integration of this attack method into everyday browser extensions makes it an especially dangerous vector for companies that rely heavily on cloud-based tools.
The fact that this attack also allows for the injection of cookies using legitimate extensions, such as Cookie-Editor, raises alarms about the level of access attackers could gain once they’ve established persistence on a target machine. With full access to a compromised account, adversaries can perform a variety of malicious actions, from reading emails to registering new apps within the enterprise environment, thus leading to further breaches.
Moreover, the low detection rate of the attack underscores the difficulty of identifying and preventing these types of attacks in real-world environments. Even when an attack is flagged, monitoring solutions are often too reactive, failing to prevent the initial breach. This highlights the need for stronger preventative measures, such as more stringent conditional access policies (CAP), multi-layered endpoint security, and better monitoring of login patterns.
On the defense side, enforcing Chrome ADMX policies to restrict extensions to pre-approved ones and disabling Developer Mode is an important step for enterprises. By limiting which extensions can run on corporate devices, organizations can mitigate the risk of malicious extensions like Cookie-Bite from ever reaching their users.
Fact Checker Results
- The article accurately highlights how the Cookie-Bite attack works by targeting session cookies in Microsoft Azure Entra ID and bypassing MFA.
- The potential to modify this attack for other services like Google, Okta, and AWS is valid and supported by security research.
- Recommendations to mitigate this attack, such as enforcing strict Chrome ADMX policies and using conditional access, are relevant and practical countermeasures for organizations.
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub:
https://www.stackexchange.com
Wikipedia
Undercode AI
Image Source:
Unsplash
Undercode AI DI v2





