New 'Cookie-Bite' Attack Exploits Chrome Extension to Steal Azure Entra ID Session Tokens

May 01, 2025, by Ethan Coulthard

Cybersecurity researchers at Varonis have unveiled a new proof-of-concept (PoC) attack dubbed "Cookie-Bite," which leverages a malicious Chrome extension to extract session cookies from Azure Entra ID (formerly Azure Active Directory). This technique enables attackers to bypass multi-factor authentication (MFA) and maintain unauthorized access to Microsoft cloud services such as Microsoft 365, Outlook, and Teams. 


How the Cookie-Bite Attack Works

The Cookie-Bite method centers on a malicious Chrome extension designed to target specific session cookies: 

ESTSAUTH: A transient session token indicating that the user has completed MFA. It remains valid for up to 24 hours or until the browser session ends. 

ESTSAUTHPERSISTENT: A persistent session token created when users opt to "Stay signed in" or when Azure applies the Keep Me Signed In (KMSI) policy. This token can remain valid for up to 90 days. 

By extracting these cookies, attackers can impersonate authenticated users without needing to re-enter credentials or complete MFA challenges, effectively maintaining persistent access to the victim's cloud services. 

Implications and Risks

While the concept of stealing session cookies is not new, the Cookie-Bite attack is notable for its stealth and persistence. Unlike traditional phishing attacks that rely on tricking users into revealing credentials, this method operates silently in the background, making detection more challenging. 

The attack underscores the vulnerabilities associated with browser extensions, particularly those that are malicious or have been compromised. It also highlights the limitations of MFA when session tokens can be hijacked to bypass authentication mechanisms. 

Mitigation Strategies

To protect against attacks like Cookie-Bite, organizations and users should consider the following measures:

  • Restrict Extension Installations: Limit the ability to install browser extensions to trusted sources and enforce policies that prevent the use of unauthorized extensions.
  • Monitor for Suspicious Activity: Implement monitoring solutions to detect unusual behavior, such as unexpected access patterns or the use of unauthorized extensions.
  • Regularly Review Session Policies: Evaluate and adjust session duration settings to minimize the window of opportunity for attackers to exploit stolen tokens.
  • Educate Users: Provide training on the risks associated with browser extensions and encourage users to report any suspicious behavior.
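The first two measures above can be turned into a routine check. The following Python script is an added example, not code from Varonis or from the original article: it audits a browser-extension inventory against an allowlist and flags extensions that hold the Chrome permissions an extension needs to read another site's cookies through the `chrome.cookies` API, namely the `cookies` permission together with a host permission covering the Entra ID sign-in host `login.microsoftonline.com` (the host is not named in the article; it is where the ESTSAUTH cookies are set). The allowlist IDs and the sample manifests are constructed placeholders, and a real deployment would feed it the manifests collected by your endpoint management tooling.

```python
"""Audit a browser-extension inventory for extensions able to read Entra ID session cookies.

Added example (not from the original article). The extension IDs and manifests below
are constructed placeholders, not real Chrome Web Store identifiers.
"""

# Host whose cookies carry the ESTSAUTH / ESTSAUTHPERSISTENT session tokens.
ENTRA_LOGIN_HOSTS = ("login.microsoftonline.com",)

# Hypothetical organisational allowlist of approved extension IDs (placeholders).
APPROVED_EXTENSIONS = {"approved-extension-id-0001"}


def match_pattern_host(pattern: str, host: str) -> bool:
    """Return True if a Chrome match pattern covers the given host.

    Handles '<all_urls>', 'scheme://*/...', 'scheme://*.example.com/...' and exact hosts.
    """
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    host_part = pattern.split("://", 1)[1].split("/", 1)[0]
    if host_part == "*":
        return True
    if host_part.startswith("*."):
        # '*.microsoftonline.com' matches the bare domain and every subdomain.
        return host == host_part[2:] or host.endswith(host_part[1:])
    return host == host_part


def host_permissions(manifest: dict) -> list:
    """Collect host patterns from both MV2 ('permissions') and MV3 ('host_permissions')."""
    patterns = list(manifest.get("host_permissions", []))
    for perm in manifest.get("permissions", []):
        if "://" in perm or perm == "<all_urls>":
            patterns.append(perm)
    return patterns


def can_read_login_cookies(manifest: dict) -> bool:
    """chrome.cookies only exposes a site's cookies to an extension that has BOTH the
    'cookies' permission AND a host permission matching that site."""
    if "cookies" not in manifest.get("permissions", []):
        return False
    return any(match_pattern_host(p, h)
               for p in host_permissions(manifest) for h in ENTRA_LOGIN_HOSTS)


def audit(inventory: list) -> list:
    """Return (extension_id, name, reasons) for every extension worth a closer look."""
    findings = []
    for ext in inventory:
        reasons = []
        if ext["id"] not in APPROVED_EXTENSIONS:
            reasons.append("not on allowlist")
        if can_read_login_cookies(ext["manifest"]):
            reasons.append("can read cookies for " + ", ".join(ENTRA_LOGIN_HOSTS))
        if reasons:
            findings.append((ext["id"], ext["manifest"].get("name", "?"), reasons))
    return findings


# Constructed sample inventory: one approved extension and three unknown ones.
SAMPLE_INVENTORY = [
    {"id": "approved-extension-id-0001",
     "manifest": {"manifest_version": 3, "name": "Approved Notes",
                  "permissions": ["storage"], "host_permissions": []}},
    {"id": "unknown-extension-id-0002",
     "manifest": {"manifest_version": 3, "name": "Tab Helper",
                  "permissions": ["cookies", "tabs"],
                  "host_permissions": ["*://*.microsoftonline.com/*"]}},
    {"id": "unknown-extension-id-0003",
     "manifest": {"manifest_version": 2, "name": "Old Theme Picker",
                  "permissions": ["cookies", "<all_urls>"]}},
    {"id": "unknown-extension-id-0004",
     "manifest": {"manifest_version": 3, "name": "Color Picker",
                  "permissions": ["activeTab"], "host_permissions": []}},
]

if __name__ == "__main__":
    for ext_id, name, reasons in audit(SAMPLE_INVENTORY):
        print(f"{ext_id} ({name}): {'; '.join(reasons)}")
```

The check is deliberately coarse: it reports capability, not misuse, so an extension flagged for the cookie-reading combination still needs a manual review of what it actually does with that access. Extensions that are off the allowlist but lack the combination are listed too, since the policy point is that only approved extensions should be installed at all.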

Conclusion

The Cookie-Bite attack highlights a critical gap in cloud security: even with multi-factor authentication in place, session tokens can still be hijacked to silently bypass protections. By exploiting browser extensions—often overlooked as a security risk—this PoC demonstrates how persistent access can be maintained without raising immediate alarms. It's a clear reminder that security must extend beyond login credentials to include tighter control over session management, browser extensions, and user behavior monitoring. If your company is interested in learning more about what protections are available, visit our "Contact Us" page. Our vCISO service can help your company bolster its security posture and provide capabilities such as real-time network monitoring to protect against threats.