Cookie-Bite Attack Lets Hackers Bypass MFA and Hijack Cloud Server Access

Researchers from Varonis Threat Labs have disclosed a new attack technique called the “Cookie-Bite Attack,” which enables adversaries to bypass multi-factor authentication (MFA) and gain prolonged, unauthorized access to cloud services by leveraging stolen browser cookies.

This method exploits weaknesses in session management within enterprise platforms such as Microsoft 365 and Azure Entra ID, raising significant alarms for organizations relying on MFA and Conditional Access Policies (CAPs) as their primary security controls.

Advanced Cookie Stealing Tactics Undermine Multi-Factor Authentication Defenses

Traditional infostealer malware has long targeted sensitive data, but recent campaigns now specifically focus on harvesting authentication tokens and session cookies from compromised endpoints.

These authentication artifacts, particularly the ESTSAUTH and ESTSAUTHPERSISTENT cookies used by Azure Entra ID, serve as cryptographic proof that a user has already authenticated with MFA.

Once extracted, these cookies are either sold on darknet markets or directly used by threat actors to impersonate victims, providing seamless access to cloud infrastructure and services without triggering further login or verification prompts.

The Cookie-Bite tactic employs a multi-pronged technical approach. Attackers deploy custom malicious browser extensions, crafted to evade detection, which silently capture authentication cookies each time a user logs into cloud authentication portals such as login.microsoftonline.com.

These extensions leverage privileged access within the browser context, extracting and exfiltrating session cookies via automated scripts or covert channels, such as web forms or online storage services.

PowerShell automation further enables persistent deployment of these extensions, ensuring continuous cookie extraction even if the browser is restarted or the endpoint is rebooted.

[Figure: Cookie-Bite Attack - Extension Loading via PowerShell]

Malicious Extensions and Automation Enable Persistent Cloud Account Compromise

Once the attacker has harvested valid session cookies, they can inject them into their own browser instances using tools like Cookie-Editor.

This cookie injection replicates the victim's authenticated session, including device, browser fingerprint, and operating system details, and so evades many Conditional Access Policies.

[Figure: Cookie-Bite Attack - Stay-signed-in]

By mimicking the legitimate user’s context, cybercriminals sidestep standard anomaly detection mechanisms and maintain long-term persistence within targeted cloud environments.

The demonstration by Varonis researchers revealed that session hijacking not only bypasses MFA but also allows access to a range of enterprise applications, including Microsoft Outlook, Teams, and SharePoint.

Attackers can leverage Azure Graph Explorer and other post-exploitation toolkits (such as ROADtools and AADInternals) to enumerate users and devices, escalate privileges, and move laterally across the victim's cloud tenant.

Crucially, these techniques require neither the user’s credentials nor a detectable malware infection, making standard endpoint protection solutions ineffective against this class of threat.

While Conditional Access Policies and device compliance checks provide some mitigation, sophisticated attackers can gather detailed host and network fingerprints to further impersonate the victim and bypass location or device restrictions.

This highlights an urgent need for organizations to continuously monitor for abnormal session activity, enforce strict extension allowlisting through browser policies, and consider deploying advanced token protection mechanisms that bind authentication tokens more tightly to user context and device.
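As an added example (not code from the article or from Varonis), the following Python script shows the kind of "abnormal session activity" check the paragraph above calls for: it correlates sign-in records that share one session identifier and flags a session that was established with an MFA prompt and is later presented from a different IP address or user agent with MFA satisfied only by the existing session claim, which is the shape a replayed session cookie produces. The record layout (timestamp, user, session_id, ip, user_agent, mfa) and the sample log are constructed assumptions for illustration; map the field names of your own sign-in log export onto them.

```python
"""
Session-cookie replay detection over sign-in telemetry.

Added example, not code from the article or from Varonis. The record layout
(timestamp, user, session_id, ip, user_agent, mfa) is an ASSUMPTION made for
illustration; map your own sign-in log export onto these fields.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str   # stays constant while the same browser session cookie is presented
    ip: str
    user_agent: str
    mfa: str          # "prompt" = user completed MFA now; "claim" = satisfied by the existing session


# Constructed sample data (not real logs). The third alice row presents the same
# session from a new IP with MFA satisfied only by the session claim: the shape a
# replayed ESTSAUTH/ESTSAUTHPERSISTENT cookie would produce in sign-in telemetry.
SAMPLE_LOG = """\
timestamp,user,session_id,ip,user_agent,mfa
2025-04-21T08:02:11Z,alice@example.test,sess-7f3a,203.0.113.10,Chrome/124 Windows,prompt
2025-04-21T08:40:52Z,alice@example.test,sess-7f3a,203.0.113.10,Chrome/124 Windows,claim
2025-04-21T11:15:03Z,alice@example.test,sess-7f3a,198.51.100.77,Chrome/124 Windows,claim
2025-04-21T09:00:00Z,bob@example.test,sess-21c0,203.0.113.55,Edge/124 Windows,prompt
2025-04-21T13:30:00Z,bob@example.test,sess-21c0,203.0.113.55,Edge/124 Windows,claim
2025-04-21T14:05:00Z,bob@example.test,sess-9d11,198.51.100.9,Edge/124 Windows,prompt
"""


def parse_sign_ins(text: str) -> List[SignIn]:
    """Parse the CSV export into SignIn records (timestamps are UTC with a 'Z' suffix)."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        SignIn(
            ts=datetime.fromisoformat(r["timestamp"].replace("Z", "+00:00")),
            user=r["user"],
            session_id=r["session_id"],
            ip=r["ip"],
            user_agent=r["user_agent"],
            mfa=r["mfa"],
        )
        for r in rows
    ]


def find_session_replays(events: List[SignIn]) -> List[Dict[str, str]]:
    """
    Flag a session that was established with an MFA prompt and is later presented
    from a different IP (or user agent) without a fresh prompt. Legitimate roaming
    can look similar, so treat hits as triage candidates, not verdicts, and tune
    the rule against what your Conditional Access Policies actually require.
    """
    by_session: Dict[str, List[SignIn]] = defaultdict(list)
    for e in events:
        by_session[e.session_id].append(e)

    findings: List[Dict[str, str]] = []
    for session_id, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        origin = evs[0]            # where the session was first established
        for later in evs[1:]:
            ip_changed = later.ip != origin.ip
            ua_changed = later.user_agent != origin.user_agent
            if (ip_changed or ua_changed) and later.mfa != "prompt":
                what = " and ".join(
                    part for part, changed in (("IP", ip_changed), ("user agent", ua_changed)) if changed
                )
                findings.append({
                    "session_id": session_id,
                    "user": later.user,
                    "origin_ip": origin.ip,
                    "replay_ip": later.ip,
                    "seen_at": later.ts.isoformat(),
                    "reason": f"session reused from new {what} without an MFA prompt",
                })
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(parse_sign_ins(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed log, the script reports exactly one finding: alice's session sess-7f3a, first seen from 203.0.113.10 with an MFA prompt, later presented from 198.51.100.77 with no prompt. Bob's sessions produce nothing, since each one stays on the IP where it was established or starts with its own prompt. In practice the IP comparison would be done at ASN or country level to reduce noise from mobile networks.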

The Cookie-Bite Attack underscores an emerging reality: stolen session cookies have become “keys to the kingdom” in the cloud era.

Defending against such attacks will require not just robust authentication, but also vigilant behavioral monitoring and rigorous control over endpoint browser environments.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.