Cybersecurity researchers at Varonis have documented an attack technique dubbed “Cookie-Bite” that sidesteps Microsoft’s multi-factor authentication (MFA) in cloud services. It does not break MFA; it steals the Microsoft Entra ID (formerly Azure AD) session cookies that are issued after MFA has already succeeded, so the attacker is never asked for a second factor. The research shows how a malicious browser extension can exfiltrate those cookies and hand an attacker authenticated access to enterprise resources.
Understanding the Cookie-Bite Attack Vector
The attack uses a malicious Chrome extension built to intercept two Microsoft Entra ID authentication cookies set by login.microsoftonline.com: ESTSAUTH and ESTSAUTHPERSISTENT. ESTSAUTH is a transient session cookie, valid for up to 24 hours, that records that the user has signed in and completed MFA. ESTSAUTHPERSISTENT is its long-lived counterpart, valid for up to 90 days, issued when the user answers “Yes” to the “Stay signed in?” prompt. Whoever presents either cookie to the Entra sign-in endpoint is treated as that already-authenticated user.
Technical Analysis of the Attack Mechanism
Whenever the user signs in to a Microsoft service, the extension reads the authentication cookies from the browser’s cookie store and sends them out through a Google Form, so the exfiltration looks like an ordinary HTTPS request to a Google domain. The attacker then imports the stolen cookies into their own browser with a legitimate extension such as Cookie-Editor; once the cookies are in place, the attacker’s browser is treated as the victim’s authenticated session and can open the victim’s Microsoft 365 environment, including Outlook and Teams, without ever being prompted for a password or a second factor. In the researchers’ scenario the extension is loaded as an unpacked extension through Chrome’s developer mode rather than installed from the Web Store, which is why disabling developer mode appears among the mitigations below.
Security Impact Assessment
With the victim’s session cookies, an attacker can:
– Enumerate the tenant (users, groups, devices, roles) through Graph Explorer
– Read the victim’s mailbox in Outlook
– Read private Teams conversations
– Use the hijacked session as the starting point for privilege-escalation tooling against Entra ID
Defensive Strategies and Security Recommendations
To reduce exposure to Cookie-Bite and similar session-hijacking attacks, security teams should:
– Manage Chrome extensions centrally with the Chrome ADMX templates: block all extensions by default (ExtensionInstallBlocklist set to *), allowlist only reviewed extension IDs, and force-install the ones users must have
– Turn off developer mode in corporate browsers so that unpacked extensions cannot be sideloaded
– Monitor sign-in logs for sessions whose MFA requirement was satisfied by a claim in the token but which arrive from an unfamiliar IP address, operating system, or browser, and for the same session appearing from two places at once
– Bind sessions to devices with Conditional Access (require compliant or hybrid-joined devices) so a cookie copied to an unmanaged machine is refused, and revoke a user’s sign-in sessions as soon as a hijack is suspected, which invalidates the cookies
– Review cloud security policies regularly, shorten sign-in frequency for sensitive applications so a stolen persistent cookie has a shorter useful life, and enable risk-based detections in Entra ID Protection
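The first two recommendations translate into a handful of Chrome enterprise policies. The following script, added to this article and not code from Varonis or Google, models how Chrome resolves those policies (force-list wins over allowlist, which wins over blocklist, and `*` in the blocklist means everything not listed elsewhere) so a policy set can be audited before it is pushed by GPO or ADMX. The extension IDs are placeholders, and `ExtensionDeveloperModeSettings` (0 = allowed, 1 = disallowed) is assumed to be honoured by the Chrome build in use; verify that in chrome://policy.

```python
"""Audit a Chrome managed-policy set for the extension controls recommended
above: allowlist-only installs and no developer mode.

This is an example added to this article, not code from Varonis or Google.
The extension IDs are placeholders, not real Web Store IDs. The policy names
are Chrome's enterprise policies; the precedence modelled here is the
documented one (ExtensionInstallForcelist wins over ExtensionInstallAllowlist,
which wins over ExtensionInstallBlocklist, and "*" in the blocklist means
"everything not listed elsewhere"). ExtensionDeveloperModeSettings
(0 = allowed, 1 = disallowed) is assumed to be supported by the Chrome build
in use; check chrome://policy to confirm it is applied.
"""
import json

# Weak policy: any Web Store extension installs, and "Load unpacked" works, so
# a sideloaded cookie-stealing extension is one click away.
WEAK_POLICY = {
    "ExtensionInstallBlocklist": [],
    "ExtensionInstallAllowlist": [],
    "ExtensionInstallForcelist": [],
    "ExtensionDeveloperModeSettings": 0,
}

# Hardened policy: block everything, allow only reviewed IDs, force-install the
# ones everyone must have, and switch developer mode off.
HARDENED_POLICY = {
    "ExtensionInstallBlocklist": ["*"],
    "ExtensionInstallAllowlist": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"],  # placeholder ID
    "ExtensionInstallForcelist": [  # placeholder ID; update URL is the Web Store's
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb;https://clients2.google.com/service/update2/crx"
    ],
    "ExtensionDeveloperModeSettings": 1,
}


def valid_id(ext_id):
    """Chrome extension IDs are 32 characters from the range a-p."""
    return len(ext_id) == 32 and all("a" <= c <= "p" for c in ext_id)


def forced_ids(policy):
    """Forcelist entries are '<id>' or '<id>;<update_url>'; return the IDs."""
    return {e.split(";", 1)[0] for e in policy.get("ExtensionInstallForcelist", [])}


def install_allowed(policy, ext_id):
    """Would Chrome let this extension be installed (or stay installed)?"""
    if ext_id in forced_ids(policy):
        return True
    if ext_id in policy.get("ExtensionInstallAllowlist", []):
        return True
    blocklist = policy.get("ExtensionInstallBlocklist", [])
    return not ("*" in blocklist or ext_id in blocklist)


def sideload_allowed(policy):
    """Can a user enable Developer mode and load an unpacked extension?"""
    return policy.get("ExtensionDeveloperModeSettings", 0) != 1


def audit(policy):
    """Return findings as strings; an empty list means the policy is tight."""
    findings = []
    if "*" not in policy.get("ExtensionInstallBlocklist", []):
        findings.append("ExtensionInstallBlocklist lacks '*': unreviewed extensions can be installed")
    if sideload_allowed(policy):
        findings.append("ExtensionDeveloperModeSettings is not 1: unpacked extensions can be sideloaded")
    for ext_id in list(policy.get("ExtensionInstallAllowlist", [])) + sorted(forced_ids(policy)):
        if not valid_id(ext_id):
            findings.append(f"{ext_id!r} is not a well-formed extension ID (typo?)")
    return findings


def to_managed_json(policy):
    """Serialize for Chrome's managed-policy directory on Linux
    (/etc/opt/chrome/policies/managed/*.json). On Windows the same keys are
    pushed via the ADMX templates under HKLM\\Software\\Policies\\Google\\Chrome."""
    return json.dumps(policy, indent=2, sort_keys=True)


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {audit(pol) or ['no findings']}")
    print(to_managed_json(HARDENED_POLICY))
```

Run it before rolling a policy out: a single mistyped character in an allowlist ID silently allows nothing, and a blocklist without `*` only blocks the extensions you already know about, which by definition does not include the next sideloaded stealer.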
The severity of this threat is amplified by the fact that, at the time of the research, no engine on VirusTotal flagged the malicious extension, so endpoint antivirus cannot be relied on to catch it. The researchers also note that the technique is not specific to Microsoft: any identity provider that represents an MFA-completed session as a browser cookie, including Google, Okta, and AWS, could be attacked the same way. Organizations must keep monitoring their cloud sign-in activity and treat session cookies with the same care as credentials. Cookie-Bite is a reminder that MFA protects the sign-in, not the session it produces.
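The monitoring recommendation above can be made concrete. The script below, an example added to this article and not Varonis or Microsoft code, walks Entra ID sign-in records in time order, anchors each session to the IP/OS/browser of the interactive MFA sign-in that created it, and flags later sign-ins on the same session where MFA was only “satisfied by claim in the token” but the request arrived from a different IP or device, which is what a replayed ESTSAUTH or ESTSAUTHPERSISTENT cookie looks like. The log records are constructed; the field names follow the Microsoft Graph `signIn` resource as understood by the author of this example, and the detail string is the one the Entra portal shows for non-interactive MFA. Verify both against an export from your own tenant before relying on the logic.

```python
"""Flag Entra ID sign-ins that look like a replayed ESTSAUTH/ESTSAUTHPERSISTENT
cookie: the MFA requirement was satisfied by a claim already in the token, yet
the request came from a different IP address or device than the interactive
MFA sign-in that created the session.

This is an example added to this article, not Varonis or Microsoft code. The
log records are constructed. Their field names follow the Microsoft Graph
signIn resource as the author of this example understands it (ipAddress,
sessionId, deviceDetail, authenticationDetails[].authenticationStepResultDetail)
and the detail string below is the one the Entra portal shows for MFA that was
not performed interactively; verify both against your own tenant's logs.
"""

TOKEN_CLAIM = "MFA requirement satisfied by claim in the token"

# Constructed sample. alice completes MFA interactively from the office, keeps
# working from the same IP, then her session shows up from another IP on a
# different OS and browser. bob's session is only ever reused from one place,
# but its interactive MFA happened before this log window.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-04-22T09:00:00Z", "userPrincipalName": "alice@example.com",
     "sessionId": "s-1", "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 Exchange Online",
     "deviceDetail": {"operatingSystem": "Windows10", "browser": "Chrome 124.0.0"},
     "authenticationDetails": [{"authenticationStepResultDetail": "MFA completed"}]},
    {"createdDateTime": "2025-04-22T09:30:00Z", "userPrincipalName": "alice@example.com",
     "sessionId": "s-1", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams",
     "deviceDetail": {"operatingSystem": "Windows10", "browser": "Chrome 124.0.0"},
     "authenticationDetails": [{"authenticationStepResultDetail": TOKEN_CLAIM}]},
    {"createdDateTime": "2025-04-22T10:15:00Z", "userPrincipalName": "alice@example.com",
     "sessionId": "s-1", "ipAddress": "198.51.100.77", "appDisplayName": "Graph Explorer",
     "deviceDetail": {"operatingSystem": "Linux", "browser": "Firefox 125.0"},
     "authenticationDetails": [{"authenticationStepResultDetail": TOKEN_CLAIM}]},
    {"createdDateTime": "2025-04-22T08:05:00Z", "userPrincipalName": "bob@example.com",
     "sessionId": "s-2", "ipAddress": "203.0.113.20", "appDisplayName": "Office 365 Exchange Online",
     "deviceDetail": {"operatingSystem": "MacOs", "browser": "Chrome 124.0.0"},
     "authenticationDetails": [{"authenticationStepResultDetail": TOKEN_CLAIM}]},
    {"createdDateTime": "2025-04-22T11:40:00Z", "userPrincipalName": "bob@example.com",
     "sessionId": "s-2", "ipAddress": "203.0.113.20", "appDisplayName": "Microsoft Teams",
     "deviceDetail": {"operatingSystem": "MacOs", "browser": "Chrome 124.0.0"},
     "authenticationDetails": [{"authenticationStepResultDetail": TOKEN_CLAIM}]},
]


def fingerprint(rec):
    """(ip, os, browser): what a browser replaying the cookie cannot easily copy."""
    dev = rec.get("deviceDetail") or {}
    return (rec.get("ipAddress"), dev.get("operatingSystem"), dev.get("browser"))


def mfa_from_token(rec):
    """True when no second factor was performed in this sign-in because the
    session cookie/token already carried the MFA claim."""
    return any(TOKEN_CLAIM in (d.get("authenticationStepResultDetail") or "")
               for d in rec.get("authenticationDetails") or [])


def detect_cookie_replay(signins):
    """Walk sign-ins in time order. Interactive MFA sign-ins anchor a session to
    an (ip, os, browser) fingerprint; later token-satisfied sign-ins on the same
    session are compared with that anchor."""
    anchors = {}    # (user, sessionId) -> fingerprint
    findings = []
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        key = (rec["userPrincipalName"], rec["sessionId"])
        fp = fingerprint(rec)
        if not mfa_from_token(rec):
            anchors[key] = fp       # fresh interactive MFA: (re)anchor the session
            continue
        baseline = anchors.get(key)
        reasons, severity = [], "high"
        if baseline is None:
            # Session predates the window (a 90-day ESTSAUTHPERSISTENT cookie, or
            # a stolen one replayed while the victim is offline). Anchor on first
            # sight so later deviations are still caught.
            anchors[key] = fp
            reasons, severity = ["no interactive MFA for this session in the window"], "low"
        else:
            if baseline[0] != fp[0]:
                reasons.append(f"ip changed {baseline[0]} -> {fp[0]}")
            if baseline[1:] != fp[1:]:
                reasons.append(f"device changed {baseline[1:]} -> {fp[1:]}")
        if reasons:
            findings.append({"severity": severity, "user": rec["userPrincipalName"],
                             "sessionId": rec["sessionId"], "time": rec["createdDateTime"],
                             "app": rec["appDisplayName"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_cookie_replay(SAMPLE_SIGNINS):
        print(f["severity"].upper(), f["time"], f["user"], f["app"], "; ".join(f["reasons"]))
```

On real data, feed the `value` array from `GET /auditLogs/signIns` or the rows of the `SigninLogs` table. An IP change on its own is noisy (mobile carriers, VPN egress), so weight a simultaneous OS/browser change higher or compare ASN rather than address; a “low” hit from an address outside corporate ranges still deserves a look. The response that actually ends the attacker’s access is revoking the user’s sign-in sessions, which invalidates the stolen cookies rather than waiting up to 90 days for them to expire.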