Cyber Security News

New Pass-the-Cookie Attacks Bypass MFA, Giving Hackers Full Account Access

Multi-factor authentication (MFA), long considered a cornerstone of cybersecurity defense, is facing a formidable new threat: “Pass-the-Cookie” attacks.

Recent findings from Long Wall show that threat actors exploit browser session cookies to bypass MFA entirely, gaining full access to corporate accounts without needing the password or an MFA response.

This technique poses a significant risk to organizations reliant on MFA for Office 365, Azure, and other cloud platforms.

The Illusion of Security

MFA verifies a user's identity at sign-in by requiring more than one factor. Attackers now target what the identity provider hands out after that check succeeds: session cookies, the small data fragments a browser stores to keep an authenticated session alive.

In a typical attack, cybercriminals steal cookies such as Microsoft's ESTSAUTH, the Entra ID (Azure AD) single sign-on cookie set on login.microsoftonline.com, which lets the browser obtain tokens for Office 365 services without a fresh sign-in.

Figure: screenshots from the Azure sign-in logs.

Once extracted, these cookies let adversaries impersonate the user for as long as the session remains valid, even from devices and locations the user has never signed in from.

Figure: the different authentication methods recorded for the two sign-ins.

A stark example involves two Office 365 sign-ins logged in Azure:

  1. Legitimate Access: A user logs in via Chrome on Windows 11, completing MFA via the Microsoft Authenticator app.
  2. Malicious Access: An attacker uses the same account on Ubuntu/Firefox with no password or MFA prompt—relying solely on a stolen ESTSAUTH cookie.

Both events appear as successful sign-ins in the Azure logs; only the browser and operating system metadata differ, and nothing in the second entry records a password or MFA prompt, because the session had already been authenticated before the cookie was stolen.

Without advanced detection tools, these attacks easily evade traditional security monitoring.
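The two sign-ins above are the signal a detection should key on: a successful session for a user on a browser/OS combination that has never completed MFA, shortly after an MFA-backed sign-in elsewhere. The following is an added example (not code from Long Wall or the original article) that runs that logic over constructed, simplified sign-in records; the field names (user, time, os, browser, ip, mfa_prompted, success) are assumptions modelled on what an Entra ID sign-in log exposes, not the real log schema.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real log lines). They reproduce the article's
# scenario: alice completes MFA on Windows 11/Chrome, then her session appears
# on Ubuntu/Firefox from a new IP with no MFA prompt. bob moves to a new device
# but is prompted for MFA there, which is the benign case.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2025-04-07T09:00:00Z", "os": "Windows 11",
     "browser": "Chrome", "ip": "203.0.113.10", "mfa_prompted": True, "success": True},
    {"user": "alice@example.com", "time": "2025-04-07T09:20:00Z", "os": "Windows 11",
     "browser": "Chrome", "ip": "203.0.113.10", "mfa_prompted": False, "success": True},
    {"user": "alice@example.com", "time": "2025-04-07T09:45:00Z", "os": "Ubuntu",
     "browser": "Firefox", "ip": "198.51.100.7", "mfa_prompted": False, "success": True},
    {"user": "bob@example.com", "time": "2025-04-07T10:00:00Z", "os": "macOS",
     "browser": "Safari", "ip": "203.0.113.22", "mfa_prompted": True, "success": True},
    {"user": "bob@example.com", "time": "2025-04-07T10:30:00Z", "os": "Windows 11",
     "browser": "Edge", "ip": "203.0.113.23", "mfa_prompted": True, "success": True},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_pass_the_cookie(signins, window=timedelta(hours=24)):
    """Flag successful sign-ins that carried no MFA prompt and came from a
    browser/OS combination that has not itself completed MFA for this user
    within `window`. A cookie replayed from the same browser is normal SSO;
    a cookie replayed from a never-MFA'd platform is the Pass-the-Cookie
    pattern. Assumes the tenant requires MFA on every new browser session."""
    alerts = []
    mfa_by_user = {}  # user -> list of (platform, time) that completed MFA

    for rec in sorted(signins, key=lambda r: parse_time(r["time"])):
        if not rec["success"]:
            continue
        platform = (rec["os"], rec["browser"])
        now = parse_time(rec["time"])
        history = mfa_by_user.setdefault(rec["user"], [])

        if rec["mfa_prompted"]:
            history.append((platform, now))
            continue

        recent_mfa_platforms = {p for p, t in history if now - t <= window}
        if platform not in recent_mfa_platforms:
            alerts.append({
                "user": rec["user"],
                "time": rec["time"],
                "os": rec["os"],
                "browser": rec["browser"],
                "ip": rec["ip"],
                "reason": "session without MFA prompt on a platform that never completed MFA",
                "prior_mfa_platforms": sorted(recent_mfa_platforms),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_pass_the_cookie(SAMPLE_SIGNINS):
        print(alert)
```

The IP is carried along as supporting evidence rather than used as the trigger, since legitimate users roam between networks; the discriminating fact is that the platform never satisfied MFA on its own. In a real deployment the same test would run over exported sign-in logs, or be expressed as a query against the tenant's log workspace.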

Cookie Hijacking

Session hijacking begins when an infostealer such as LummaC2, RedLine, or Raccoon lands on a device. These stealers, often disguised as fake software updates, locate the browser's cookie database and decrypt it with the same per-user Windows DPAPI key the browser itself uses, so no additional privilege is required.

For instance, LummaC2 exfiltrates ESTSAUTH values, which attackers then implant into their own browsers via developer consoles.

Proof-of-Concept Walkthrough:

  1. Cookie Extraction: After compromising a Windows/Chrome device, attackers use browser dev tools to copy the ESTSAUTH cookie from login.microsoftonline.com.
  2. Session Spoofing: On a clean Ubuntu/Firefox machine, the attacker creates a new cookie with the stolen value. Refreshing the page grants immediate access to the victim’s Office 365 account.

This method bypasses MFA because the cookie proves possession of an already-authenticated session; the service does not re-verify who is holding it.

Microsoft's documentation describes ESTSAUTH as a transient single sign-on cookie and ESTSAUTHPERSISTENT, set when the user chooses "Stay signed in", as its persistent counterpart. Either remains valid until the session is revoked or expires, so a stolen persistent cookie can give weeks of undetected access.

The Rise of Cookie-Centric Attacks

As MFA adoption grows, attackers are shifting from credential theft (e.g., Mimikatz-based LSASS dumping) to cookie harvesting.

Figure: using procdump to take a full memory dump of LSASS, then Mimikatz to extract NTLM, Kerberos and LSA secrets.
Figure: using Mimikatz to target Chrome's encrypted credential store, decrypt it and display the credentials.

Recent campaigns observed by MSSPs show a 300% increase in cookie theft attempts since 2023, targeting sectors like finance and healthcare.

Why Cookies?

  • Persistence: Cookies often outlive password rotations.
  • Stealth: No brute-force attempts or MFA triggers to alert defenders.
  • Cross-Platform Usability: Unless bound to a device, a cookie is accepted from any browser, operating system, or location.

Microsoft's own definition of these cookies is published at https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-web-browser-cookies

Figure: setting the stolen cookie via a console command, or simply by right-clicking in the browser's storage section.

Mitigation Strategies

To counter this threat, experts recommend:

  1. Session Token Monitoring: Deploy UEBA (User and Entity Behavior Analytics) tooling to flag anomalies such as a session that changes operating system or browser without a new MFA prompt.
  2. Conditional Access Policies: Restrict sign-ins to compliant or managed devices, and enforce sign-in frequency so that high-risk actions require a fresh MFA check.
  3. Token Lifetime and Binding: Use Entra ID Continuous Access Evaluation (CAE) so that tokens are revoked in near real time on critical events such as a password change, account disablement, or a policy-violating location change, and Conditional Access token protection (token binding) so that sign-in session tokens are usable only from the device they were issued to.
  4. Infostealer Detection: Block unauthorized credential and cookie dumping with EDR tooling, and restrict local admin privileges to limit what a stealer can reach.
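The proof-of-concept section shows why a replayed cookie works, and items 2 and 3 above describe the server-side answer: a short absolute lifetime and binding the session to the device. The following added example (written for this edit, not code from Microsoft, Long Wall, or the article) builds a toy server-side session store and contrasts a naive lookup, where any holder of the cookie is the user, with a validation that checks lifetime and device binding. The `device_key` field is an assumption standing in for a secret held only by the issuing device, which is what real token protection relies on; the user agent string is included to show that binding only to it is not enough, since the attacker can copy it.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Toy server-side session store. Not a real identity provider; it exists
    to show the difference between validating a cookie and validating the
    client that presents it."""

    def __init__(self, max_age_seconds=3600):
        self.sessions = {}
        self.max_age = max_age_seconds

    @staticmethod
    def _client_fingerprint(client):
        # Hash of what the server sees on every request. `device_key` is an
        # assumed stand-in for a device-held secret (token binding); a real
        # deployment would use a proof of possession of a device key pair.
        material = "|".join(client[k] for k in ("user_agent", "device_key"))
        return hashlib.sha256(material.encode()).hexdigest()

    def issue(self, user, client, now):
        """Called after the user has completed password + MFA."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {
            "user": user,
            "issued": now,
            "bound_to": self._client_fingerprint(client),
        }
        return sid

    def validate_naive(self, sid):
        # The Pass-the-Cookie case: the cookie value alone identifies the user,
        # so a stolen value works from any browser, OS, or network.
        session = self.sessions.get(sid)
        return session["user"] if session else None

    def validate_bound(self, sid, client, now):
        session = self.sessions.get(sid)
        if session is None:
            return None
        if now - session["issued"] > self.max_age:
            # Absolute lifetime exceeded: drop the session and force re-auth.
            self.sessions.pop(sid)
            return None
        presented = self._client_fingerprint(client)
        if not hmac.compare_digest(session["bound_to"], presented):
            # Cookie presented by a client other than the one it was issued
            # to: treat it as stolen and revoke it for everyone.
            self.sessions.pop(sid)
            return None
        return session["user"]


def demo():
    """Replays one victim session from the attacker's machine and returns
    the outcome under each validation strategy."""
    store = SessionStore(max_age_seconds=3600)
    victim = {"user_agent": "Chrome/Windows 11", "device_key": "victim-device-key"}
    # The attacker copies the victim's user agent but cannot copy the device key.
    attacker = {"user_agent": "Chrome/Windows 11", "device_key": "attacker-device-key"}

    sid = store.issue("alice@example.com", victim, now=1000)
    results = {
        "naive_replay": store.validate_naive(sid),                       # attacker wins
        "bound_victim": store.validate_bound(sid, victim, now=1100),     # legitimate
        "bound_replay": store.validate_bound(sid, attacker, now=1100),   # rejected, revoked
    }
    sid2 = store.issue("alice@example.com", victim, now=1000)
    results["bound_expired"] = store.validate_bound(sid2, victim, now=1000 + 3601)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two design points carry over to real systems: binding must rest on something the attacker cannot exfiltrate along with the cookie (a device-held key, not request headers), and a failed binding check should revoke the session rather than just deny the request, because the failure itself is evidence of theft.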

While MFA remains essential, the rise of Pass-the-Cookie attacks underscores the need for zero-trust architectures in which a session is continuously re-evaluated rather than trusted once at sign-in.

As Jake Williams, CTO of Rendition Infosec, notes: “Session cookies are the new credentials. Protecting them requires the same rigor as passwords—encryption, rotation, and granular access controls.”

Organizations must evolve beyond MFA alone, treating session integrity as a critical pillar of modern cybersecurity.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
