Adopting security features like multi-factor authentication (MFA) is a crucial strategy for thwarting would-be cyber criminals from stealing data, but a recent study by security firm Varonis shows it might not be enough.
Devising a proof-of-concept mock attack, researchers showed how session hijacking can grant unauthorized access to Microsoft 365 applications and enable privilege escalation, despite using MFA.
This sophisticated session-hijacking technique, known as a cookie-bite, compromises Microsoft Entra ID (formerly Azure Active Directory) and Microsoft 365 environments by exploiting session cookies to bypass MFA. Attackers then gain unauthorized, persistent access to cloud services without needing user credentials.
The threat has serious implications for organizations relying on Entra ID for cloud identity and access management. But with some foresight and defensive thinking, even this cookie will crumble.
How the Cookie-Bite attack works
Researchers at Varonis identified that the attack targets two specific Azure Entra ID session cookies: ESTSAUTH and ESTSAUTHPERSISTENT. These cookies are issued after successful authentication and MFA validation, maintaining user sessions across Microsoft 365 applications like Outlook, Teams and SharePoint.
Attackers deploy malicious browser extensions or malware to extract these cookies from a victim's browser. Once they’re in the hands of a bad actor, the cookies are imported into the attacker's browser, effectively hijacking the session and granting access to the user's account without triggering MFA alerts. Because these tokens represent already-authenticated sessions, the usual login safeguards are entirely bypassed.
Target: Microsoft Entra ID and 365
Microsoft Entra ID is the backbone of identity for Microsoft 365. Once attackers gain a foothold using stolen cookies, they can exploit trusted sessions to access corporate email, documents, Teams chats, and administrative tools. With the right permissions, they can escalate access, manipulate configurations, or conduct reconnaissance without raising alarms.
Risks and implications
The stealthy nature of the Cookie-Bite attack makes it particularly dangerous. Let’s look at why.
- Bypassing MFA: Since the attack leverages existing authenticated sessions, it sidesteps MFA protections, allowing attackers to access accounts without additional verification.
- Persistent access: The ESTSAUTHPERSISTENT cookie can remain valid for up to 90 days, enabling long-term unauthorized access if not revoked.
- Stealthy intrusion: The use of browser extensions and session cookies makes the attack difficult to detect, as it doesn't involve traditional phishing or malware.
- Potential for lateral movement: Once inside, attackers can perform reconnaissance, escalate privileges, and move laterally within the organization's network.
Mitigation strategies
Security experts recommend a multi-layered approach to protect against this class of attack.
- Restrict browser extensions: Implement policies to allow only trusted browser extensions and regularly audit installed extensions.
- Implement conditional access policies: Use device and location-based access controls to limit session token validity.
- Monitor for anomalies: Deploy security solutions that can detect unusual session activities and token usage.
- Educate users: Train users to recognize and avoid installing suspicious browser extensions and to report any unusual account activities.
- Shorten session lifetimes: Reduce the validity period of session cookies to minimize the window of opportunity for attackers.
- Use token protection and binding: These techniques tie authentication tokens to specific devices, rendering them useless if stolen and reused elsewhere.
- Implement conditional access policies: Enforce login restrictions based on geography, device compliance, and risk level.
As attackers shift toward identity-based intrusions and MFA bypass methods, organizations must rethink how they secure sessions and tokens — not just credentials.
Learn more about cybersecurity protections from C Spire Business here.
