Cookie-Bite Attack PoC Uses Chrome Extension to Steal Session Tokens

Summary:
Varonis researchers have disclosed a proof-of-concept attack known as “Cookie-Bite”, which leverages a malicious Chrome extension to steal session cookies from Azure Entra ID, allowing adversaries to bypass multi-factor authentication and maintain persistent access to Microsoft cloud services like Microsoft 365, Outlook, and Teams. The attack targets two critical session cookies: ESTAUTH, a short-lived token valid for up to 24 hours that confirms MFA completion, and ESTSAUTHPERSISTENT, a long-lived token that remains active for up to 90 days when users choose “Stay signed in” or when organizations implement the Keep Me Signed In (KMSI) policy. The malicious extension monitors browser activity for Microsoft login URLs and, upon detecting a login event, filters and exfiltrates the relevant cookie data to an attacker-controlled Google Form in JSON format. Despite its capability, the extension was not detected as malicious when uploaded to VirusTotal, illustrating its stealth.

Once cookies are stolen, attackers can manually inject them into their own browsers using tools like the Cookie-Editor extension, effectively assuming the victim’s authenticated session. This tactic grants full access to Azure-protected services without needing a password or MFA token. Post-authentication, the attacker can use tools like Microsoft Graph Explorer to enumerate directory information, roles, users, and devices, and to access sensitive content in Teams and Outlook. They can also escalate privileges, move laterally across environments, and register unauthorized applications using advanced tools like TokenSmith, ROADtools, and AADInternals, all while impersonating a legitimate user.


Security Officer Comments:
To persist across system reboots, attackers can deploy a PowerShell script via Windows Task Scheduler, configured to re-enable Developer Mode and inject the unsigned extension every time Chrome is launched. This persistence technique is effective in environments where extension policies are not tightly managed. Because the extension operates within the context of the browser and doesn’t exploit a vulnerability per se, standard antivirus and endpoint detection solutions may miss it. Although Microsoft marked the researchers' sign-ins as “atRisk” due to VPN usage, geolocation anomalies alone are not always sufficient to detect cookie-based session hijacking, particularly in remote work scenarios where IP addresses can vary.


Suggested Corrections:

Varonis researchers recommend:

  • Continuously monitor for and detect abnormal user behavior
  • Use Microsoft's risk detections during sign-in events to flag unusual sign-ins
  • Microsoft flagged our sign-in attempts as "atRisk" due to the risk type "anonymizedIPAddress," which was triggered because we used a VPN during the demonstration to bypass CAP.
  • Configure Conditional Access Policies (CAP) that enforce sign-in from compliant devices only, alongside Token Protection
  • Implement Chrome ADMX policies to enforce an allowlist of approved browser extensions
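One way to apply the extension allowlist from the last recommendation, as an added example that is not Varonis' code: the script writes the ExtensionInstallBlocklist and ExtensionInstallAllowlist policies that the Chrome ADMX templates manage, directly to the machine policy registry hive. The extension IDs are placeholders, and the script assumes it runs elevated on a Windows endpoint with Chrome installed.

```powershell
# Added example: enforce a Chrome extension allowlist through the registry-backed
# policies that the Chrome ADMX templates write (HKLM\SOFTWARE\Policies\Google\Chrome).
# Run from an elevated PowerShell session; Chrome picks the change up on next policy refresh.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$Blocklist  = Join-Path $PolicyRoot 'ExtensionInstallBlocklist'
$Allowlist  = Join-Path $PolicyRoot 'ExtensionInstallAllowlist'

# Placeholder extension IDs (constructed, not real extensions); replace with the
# 32-character IDs of the extensions your organization has approved.
$ApprovedExtensions = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',   # e.g. corporate password manager
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'    # e.g. SSO helper extension
)

foreach ($key in $Blocklist, $Allowlist) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Remove stale entries so the lists written below are authoritative.
    (Get-Item $key).Property | ForEach-Object {
        Remove-ItemProperty -Path $key -Name $_ -ErrorAction SilentlyContinue
    }
}

# A blocklist entry of "*" blocks every extension that is not explicitly allowlisted.
# Chrome applies this to unpacked extensions loaded via Developer Mode as well, which is
# the delivery path the Cookie-Bite PoC relies on.
New-ItemProperty -Path $Blocklist -Name '1' -Value '*' -PropertyType String -Force | Out-Null

# Allowlist entries are numbered string values: "1", "2", ... each holding one extension ID.
$index = 1
foreach ($id in $ApprovedExtensions) {
    New-ItemProperty -Path $Allowlist -Name "$index" -Value $id -PropertyType String -Force | Out-Null
    $index++
}

# Show what was written; chrome://policy on the endpoint should list the same values.
Get-ItemProperty -Path $Blocklist, $Allowlist
```

In a domain environment the same two settings are set through Group Policy using the Chrome ADMX templates rather than a local script, so that the values are re-applied if a local administrator or malware changes them.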

Link(s):
https://www.bleepingcomputer.com/ne...ses-chrome-extension-to-steal-session-tokens/