
Cookie theft bypasses MFA and grants cloud access
Researchers have uncovered a method that allows cyber attackers to bypass multi-factor authentication (MFA) and maintain persistent access to enterprise cloud environments by exploiting browser cookies. The findings, published by Varonis Threat Labs in April 2025, expose the growing sophistication of session hijacking techniques, revealing how attackers can operate without malware, using browser extensions and scripts to silently steal authentication tokens.
At the centre of this exploitation is the use of stolen session cookies—digital tokens stored in a user's browser that prove prior authentication, including MFA. Once obtained, these cookies allow attackers to impersonate legitimate users and gain access to services such as Microsoft 365, Google Workspace, and Amazon Web Services (AWS), often without raising security alerts.
Varonis' research presents a comprehensive proof-of-concept that demonstrates how such attacks can be carried out. By creating a custom Chrome browser extension and automating its deployment with PowerShell scripts, researchers were able to extract Azure Entra ID session cookies, including ESTSAUTH and ESTSAUTHPERSISTENT, each time a user logged into Microsoft's authentication portal. These cookies, when exfiltrated and injected into an attacker's browser, allowed immediate access to the target's cloud services, bypassing any MFA prompts.
The extension silently monitors login events to domains like login.microsoftonline.com, captures the authentication cookies in real time, and uploads them to an attacker-controlled endpoint such as a Google Form. This setup avoids traditional malware behaviour, making detection at the endpoint level significantly more difficult.
Browser cookies are usually stored in encrypted SQLite databases on the local system, and different operating systems handle cookie security in distinct ways. On Windows, cookies are encrypted using the Data Protection API (DPAPI), which ties encryption keys to the specific user profile and machine. However, infostealers can exploit decrypted cookies stored in process memory or extract the encryption keys themselves, depending on their access level.
Various methods are used to capture these cookies. Adversary-in-the-middle (AITM) attacks employ reverse proxy tools to intercept real-time session data during user login, including MFA tokens. In other cases, attackers exploit browser process memory or deploy malicious extensions that request high-level permissions to access session data directly.
The market for such stolen session data operates within a Malware-as-a-Service (MaaS) ecosystem. Infostealers typically distribute malware widely to collect credentials, tokens, and cookies, which are then sold in darknet markets. Buyers include ransomware operators and initial access brokers, who use the data to breach corporate environments, commit fraud, or escalate privileges within cloud platforms.
Cookies that grant access to enterprise applications are especially prized. A hijacked session token from Microsoft 365 or Google Workspace can expose internal emails, cloud storage, and business-critical applications. The Azure Entra ID tokens—ESTSAUTH and ESTSAUTHPERSISTENT—are particularly valuable because they allow long-term access without triggering reauthentication, even across browser sessions.
Once inside, attackers can exploit existing enterprise applications, such as Microsoft Outlook and SharePoint, by using legitimate access privileges. In more advanced cases, they may use tools like TokenSmith, ROADtools, and AADInternals to manipulate tokens further, escalate access, or pivot across services within the tenant.
Conditional Access Policies (CAPs), often enforced to block unauthorised login attempts based on location or device compliance, offer some protection but are not foolproof. Varonis demonstrated that attackers can mimic a victim's usual environment—operating system, browser version, public IP address—to bypass CAP restrictions.
To mitigate these threats, Varonis recommends several security measures. These include implementing CAPs that enforce login only from compliant and verified devices, using Microsoft's Token Protection features, maintaining a strict browser extension allowlist, and monitoring sign-in anomalies, such as multiple logins from differing locations using the same session ID.
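The last of those recommendations, spotting one session ID used from differing locations, can be checked directly against exported sign-in logs. The script below is an added illustration and is not Varonis code or any Microsoft tooling; the record layout (createdDateTime, userPrincipalName, sessionId, ipAddress, location, deviceDetail) is modelled on the Microsoft Graph sign-in log schema but is an assumption here, and the log lines it runs over are constructed sample data.

```python
"""Flag sign-ins where one session ID appears from more than one public IP or
location within a short window.

Added illustration, not Varonis code. Field names are an assumption modelled on
the Entra sign-in log schema; SAMPLE_SIGNINS is constructed sample data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export, one JSON object per line as a SIEM forwarder might emit.
# Alice's session is replayed from a second IP with identical browser/OS strings;
# Bob's session moves IP only after a gap of almost two days.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2025-04-10T08:00:00Z", "userPrincipalName": "alice@example.com", "sessionId": "sess-aaa", "ipAddress": "203.0.113.10", "location": {"city": "London", "countryOrRegion": "GB"}, "deviceDetail": {"operatingSystem": "Windows 10", "browser": "Chrome 124"}}
{"createdDateTime": "2025-04-10T08:05:00Z", "userPrincipalName": "alice@example.com", "sessionId": "sess-aaa", "ipAddress": "203.0.113.10", "location": {"city": "London", "countryOrRegion": "GB"}, "deviceDetail": {"operatingSystem": "Windows 10", "browser": "Chrome 124"}}
{"createdDateTime": "2025-04-10T09:30:00Z", "userPrincipalName": "alice@example.com", "sessionId": "sess-aaa", "ipAddress": "198.51.100.77", "location": {"city": "Frankfurt", "countryOrRegion": "DE"}, "deviceDetail": {"operatingSystem": "Windows 10", "browser": "Chrome 124"}}
{"createdDateTime": "2025-04-10T10:00:00Z", "userPrincipalName": "bob@example.com", "sessionId": "sess-bbb", "ipAddress": "203.0.113.20", "location": {"city": "Manchester", "countryOrRegion": "GB"}, "deviceDetail": {"operatingSystem": "Windows 11", "browser": "Edge 124"}}
{"createdDateTime": "2025-04-11T14:00:00Z", "userPrincipalName": "bob@example.com", "sessionId": "sess-bbb", "ipAddress": "203.0.113.20", "location": {"city": "Manchester", "countryOrRegion": "GB"}, "deviceDetail": {"operatingSystem": "Windows 11", "browser": "Edge 124"}}
{"createdDateTime": "2025-04-13T10:00:00Z", "userPrincipalName": "bob@example.com", "sessionId": "sess-bbb", "ipAddress": "192.0.2.5", "location": {"city": "Paris", "countryOrRegion": "FR"}, "deviceDetail": {"operatingSystem": "Windows 11", "browser": "Edge 124"}}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records into flat dicts with an aware datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        raw = json.loads(line)
        loc = raw.get("location") or {}
        records.append({
            "time": datetime.strptime(raw["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
                    .replace(tzinfo=timezone.utc),
            "user": raw["userPrincipalName"],
            "session": raw["sessionId"],
            "ip": raw["ipAddress"],
            "location": f"{loc.get('city', '?')}, {loc.get('countryOrRegion', '?')}",
            "device": raw.get("deviceDetail", {}),
        })
    return records


def find_session_reuse(records, window=timedelta(hours=24)):
    """Return one alert per consecutive pair of sign-ins that share a session ID
    but arrive from a different IP or location less than `window` apart."""
    by_session = defaultdict(list)
    for r in records:
        by_session[r["session"]].append(r)

    alerts = []
    for session, events in by_session.items():
        events.sort(key=lambda r: r["time"])
        for prev, cur in zip(events, events[1:]):
            if cur["ip"] == prev["ip"] and cur["location"] == prev["location"]:
                continue  # same origin: nothing to report
            gap = cur["time"] - prev["time"]
            if gap > window:
                continue  # too far apart for this rule; tune `window` to taste
            alerts.append({
                "user": cur["user"],
                "session": session,
                "from": (prev["ip"], prev["location"]),
                "to": (cur["ip"], cur["location"]),
                "gap_minutes": int(gap.total_seconds() // 60),
                # Matching OS/browser strings do not clear the alert: the research
                # notes attackers mimic them to satisfy Conditional Access checks.
                "device_match": cur["device"] == prev["device"],
            })
    return alerts


if __name__ == "__main__":
    for a in find_session_reuse(parse_signins(SAMPLE_SIGNINS)):
        print(f"ALERT {a['user']} session={a['session']} {a['from']} -> {a['to']} "
              f"after {a['gap_minutes']} min (device details match: {a['device_match']})")
```

With the default 24-hour window only Alice's session is flagged: the replayed cookie shows up from a Frankfurt address 85 minutes after a London sign-in, with browser and OS strings identical to the victim's. Bob's IP change falls outside the window and is reported only if the window is widened; that parameter is the trade-off between catching slow replays and alerting on ordinary travel.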
The research serves as a stark reminder of the evolving threat landscape and the need to move beyond traditional authentication measures. As Oren Bahar, the researcher behind the work, notes, "Persistence is achieved via the browser itself, avoiding system modifications." This subtlety makes cookie-based session hijacking both effective and difficult to detect, and it should prompt organisations to rethink how they secure access to their digital environments.