Cyber Security News

Cookie-Bite Attack Enables MFA Bypass and Persistent Cloud Server Access

Researchers have exposed a sophisticated cyberattack technique dubbed the “Cookie-Bite Attack,” which allows adversaries to bypass Multi-Factor Authentication (MFA) and maintain persistent access to cloud servers such as Microsoft 365, Azure Portal, and Teams.

This method leverages stolen browser cookies, specifically targeting Azure Entra ID authentication tokens like ESTSAUTH and ESTSAUTHPERSISTENT, to impersonate legitimate users without triggering security alerts.

By exploiting these session cookies, attackers can seamlessly access high-value enterprise applications, posing a severe risk to corporate networks worldwide.

Figure: Cookie-Bite Attack, extension loading via PowerShell

Technical Depth of Session Hijacking

The Cookie-Bite Attack operates through a combination of infostealer malware, custom malicious browser extensions, and automation scripts to extract authentication cookies directly from a victim’s browser.

Infostealers infiltrate systems to steal sensitive data, including session tokens, which are often sold on darknet marketplaces under a Malware-as-a-Service (MaaS) model.

Techniques like Adversary-in-the-Middle (AITM) phishing, browser process memory dumping, and decryption of locally stored cookies enable attackers to capture these tokens in plaintext.

A proof-of-concept (PoC) detailed by the researchers showcases a custom Chrome extension that monitors login events on Microsoft’s authentication portal, exfiltrating cookies to an external server via Google Forms.

Figure: Stay-signed-in

A complementary PowerShell script automates deployment, ensuring persistence, while tools like Cookie-Editor facilitate injecting stolen cookies into the attacker’s browser for session hijacking.

According to the report, this approach bypasses MFA by reusing valid session tokens, which Azure Entra ID recognizes as pre-authenticated, eliminating the need for further credential prompts.

Post-exploitation, attackers can access enterprise applications like Outlook or SharePoint via Microsoft Graph API, enumerate users, exfiltrate data, or escalate privileges using tools such as TokenSmith and AADInternals to manipulate OAuth tokens and extract refresh tokens for extended access.

Even with Conditional Access Policies (CAPs) in place, which restrict access based on location or device compliance, attackers can evade detection by mimicking the victim’s environment, collecting data such as IP addresses, browser versions, and user agents to simulate legitimate requests.

The stolen ESTSAUTHPERSISTENT cookie, valid for up to 90 days when “Keep Me Signed In” is enabled, acts as a long-term key to the cloud infrastructure, enabling continuous unauthorized access.

This persistent threat extends beyond initial breaches, allowing lateral movement within tenants, data manipulation, and potential full network compromise.

To combat this, organizations must enhance monitoring for abnormal user behavior, leverage Microsoft Risk detection for sign-in anomalies, and enforce CAPs tied to compliant devices with Token Protection.

Implementing Chrome ADMX policies to restrict browser extensions to an approved list is also critical.
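One way to surface cookie replay in sign-in telemetry, as an added example that is not from the researchers' report or from Microsoft: a small Python detector over constructed sign-in records (field names are simplified assumptions, not the exact Entra sign-in log schema) that flags a session continuing from a new origin or a non-compliant device without a fresh interactive MFA challenge.

```python
from collections import defaultdict

# Constructed sample sign-in events, loosely modelled on Entra sign-in log fields
# (field names are assumptions for this example). A replayed ESTSAUTH /
# ESTSAUTHPERSISTENT cookie shows up as the SAME session id continuing with MFA
# "previouslySatisfied" while the client fingerprint or device posture changes.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "sessionId": "s-1", "ip": "203.0.113.10",
     "ua": "Chrome/124 Windows", "mfa": "interactive", "compliantDevice": True},
    {"user": "alice@example.com", "sessionId": "s-1", "ip": "203.0.113.10",
     "ua": "Chrome/124 Windows", "mfa": "previouslySatisfied", "compliantDevice": True},
    # same session cookie, new origin, unmanaged device, no fresh MFA: replay candidate
    {"user": "alice@example.com", "sessionId": "s-1", "ip": "198.51.100.7",
     "ua": "Chrome/124 Windows", "mfa": "previouslySatisfied", "compliantDevice": False},
    {"user": "bob@example.com", "sessionId": "s-2", "ip": "203.0.113.20",
     "ua": "Firefox/125 macOS", "mfa": "interactive", "compliantDevice": True},
]


def find_session_replays(events):
    """Return alerts for sessions reused from a new IP/user agent or from a
    non-compliant device without an interactive MFA challenge.
    Events must be in chronological order."""
    first_seen = {}          # (user, sessionId) -> event that anchored the session
    alerts = []
    for ev in events:
        key = (ev["user"], ev["sessionId"])
        if key not in first_seen:
            first_seen[key] = ev
            continue
        if ev["mfa"] == "interactive":
            first_seen[key] = ev   # a fresh challenge re-anchors the session
            continue
        origin = first_seen[key]
        reasons = []
        # Origin checks are weak on their own: the attacker may copy the victim's
        # IP and user agent. Device compliance (enforced by CAP + Token Protection)
        # is the signal a replayed cookie cannot easily satisfy.
        if ev["ip"] != origin["ip"]:
            reasons.append("ip_changed")
        if ev["ua"] != origin["ua"]:
            reasons.append("user_agent_changed")
        if origin["compliantDevice"] and not ev["compliantDevice"]:
            reasons.append("device_no_longer_compliant")
        if reasons:
            alerts.append({"user": ev["user"], "sessionId": ev["sessionId"],
                           "reasons": reasons})
    return alerts
```

Because the report notes that attackers copy the victim's IP and user agent, treat the device-compliance reason as the decisive one and the origin changes as corroborating evidence only.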

The Cookie-Bite Attack underscores a chilling reality: traditional defenses like MFA are no longer sufficient against evolving session hijacking techniques.

As attackers refine their methods to exploit browser-based vulnerabilities, enterprises must adopt proactive, multi-layered security strategies to safeguard their cloud environments from such stealthy and persistent threats.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
