Saturday, May 24, 2025

Cookie-Bite Attack Enables MFA Bypass and Persistent Cloud Server Access


Researchers have exposed a sophisticated cyberattack technique dubbed the “Cookie-Bite Attack,” which allows adversaries to bypass Multi-Factor Authentication (MFA) and maintain persistent access to cloud servers such as Microsoft 365, Azure Portal, and Teams.

This method leverages stolen browser cookies, specifically targeting Azure Entra ID authentication tokens like ESTSAUTH and ESTSAUTHPERSISTENT, to impersonate legitimate users without triggering security alerts.

By exploiting these session cookies, attackers can seamlessly access high-value enterprise applications, posing a severe risk to corporate networks worldwide.

Figure: Extension loading via PowerShell

Technical Depth of Session Hijacking

The Cookie-Bite Attack operates through a combination of infostealer malware, custom malicious browser extensions, and automation scripts to extract authentication cookies directly from a victim’s browser.

Infostealers infiltrate systems to steal sensitive data, including session tokens, which are often sold on darknet marketplaces under a Malware-as-a-Service (MaaS) model.

Techniques like Adversary-in-the-Middle (AITM) phishing, browser process memory dumping, and decryption of locally stored cookies enable attackers to capture these tokens in plaintext.

A proof-of-concept (PoC) detailed by the researchers showcases a custom Chrome extension that monitors login events on Microsoft’s authentication portal, exfiltrating cookies to an external server via Google Forms.

Figure: The “Stay signed in” prompt

A complementary PowerShell script automates deployment, ensuring persistence, while tools like Cookie-Editor facilitate injecting stolen cookies into the attacker’s browser for session hijacking.

According to the report, this approach bypasses MFA by reusing valid session tokens, which Azure Entra ID recognizes as pre-authenticated, eliminating the need for further credential prompts.

Post-exploitation, attackers can access enterprise applications like Outlook or SharePoint via Microsoft Graph API, enumerate users, exfiltrate data, or escalate privileges using tools such as TokenSmith and AADInternals to manipulate OAuth tokens and extract refresh tokens for extended access.

Even with Conditional Access Policies (CAPs) in place, which restrict access based on location or device compliance, attackers can evade detection by mimicking the victim’s environment, collecting data such as IP addresses, browser versions, and user agents to simulate legitimate requests.

The stolen ESTSAUTHPERSISTENT cookie, valid for up to 90 days when “Keep Me Signed In” is enabled, acts as a long-term key to the cloud infrastructure, enabling continuous unauthorized access.

This persistent threat extends beyond initial breaches, allowing lateral movement within tenants, data manipulation, and potential full network compromise.

To combat this, organizations must enhance monitoring for abnormal user behavior, leverage Microsoft’s risk detection for sign-in anomalies, and enforce CAPs tied to compliant devices with Token Protection.
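One concrete form of the “abnormal user behavior” monitoring mentioned above is to check whether an already-authenticated session is being reused from a client that does not match the one seen at the interactive MFA sign-in, or whose session never had an interactive sign-in at all (the case of a cookie imported into another browser). The following is an added example, not code from the article or the researchers; the sign-in records are constructed, and the field names (userPrincipalName, sessionId, ipAddress, userAgent, interactive, mfaSatisfiedByTokenClaim) are assumptions that must be mapped to your own log export.

```python
"""Flag Entra ID session-token reuse from an unexpected client fingerprint.

Added example. Field names are assumed; map them to your sign-in log schema.
"""

# Constructed sample records (not real telemetry). Alice signs in interactively
# with MFA, then her session is replayed from a different IP and browser.
# Bob's session appears only via a token claim, with no interactive sign-in.
SAMPLE_SIGNINS = [
    {"time": "2025-05-20T08:01:00Z", "userPrincipalName": "alice@example.com",
     "sessionId": "sess-A", "ipAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0",
     "interactive": True, "mfaSatisfiedByTokenClaim": False},
    {"time": "2025-05-20T09:15:00Z", "userPrincipalName": "alice@example.com",
     "sessionId": "sess-A", "ipAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0",
     "interactive": False, "mfaSatisfiedByTokenClaim": True},
    {"time": "2025-05-20T09:40:00Z", "userPrincipalName": "alice@example.com",
     "sessionId": "sess-A", "ipAddress": "198.51.100.77",
     "userAgent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/125.0",
     "interactive": False, "mfaSatisfiedByTokenClaim": True},
    {"time": "2025-05-20T10:02:00Z", "userPrincipalName": "bob@example.com",
     "sessionId": "sess-B", "ipAddress": "198.51.100.77",
     "userAgent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/125.0",
     "interactive": False, "mfaSatisfiedByTokenClaim": True},
]


def baseline_fingerprints(records):
    """Map each (user, session) to the (IP, user agent) of its interactive MFA sign-in."""
    base = {}
    for r in records:
        if r["interactive"] and not r["mfaSatisfiedByTokenClaim"]:
            base[(r["userPrincipalName"], r["sessionId"])] = (r["ipAddress"], r["userAgent"])
    return base


def find_replayed_sessions(records):
    """Return alerts for token-satisfied sign-ins that lack a matching interactive baseline.

    A user-agent change alone can be a browser update, so treat these as leads
    for review (and for session revocation), not as proof of compromise.
    """
    base = baseline_fingerprints(records)
    alerts = []
    for r in records:
        if not r["mfaSatisfiedByTokenClaim"]:
            continue  # interactive sign-ins are the baseline, not the signal
        key = (r["userPrincipalName"], r["sessionId"])
        observed = (r["ipAddress"], r["userAgent"])
        if key not in base:
            reason = "no interactive sign-in for session"
        elif observed != base[key]:
            reason = "fingerprint mismatch"
        else:
            continue
        alerts.append({"user": r["userPrincipalName"], "sessionId": r["sessionId"],
                       "time": r["time"], "reason": reason,
                       "expected": base.get(key), "observed": observed})
    return alerts
```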

Implementing Chrome ADMX policies to restrict browser extensions to an approved list is also critical.

The Cookie-Bite Attack underscores a chilling reality: traditional defenses like MFA are no longer sufficient against evolving session hijacking techniques.

As attackers refine their methods to exploit browser-based vulnerabilities, enterprises must adopt proactive, multi-layered security strategies to safeguard their cloud environments from such stealthy and persistent threats.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
