Security researchers from Varonis have unveiled a proof-of-concept attack named "Cookie-Bite," which leverages a malicious Chrome extension to steal session cookies and gain persistent access to Microsoft cloud services such as Outlook, Teams, and Microsoft 365.
The attack focuses on Azure Entra ID session tokens — specifically the ESTSAUTH and ESTSAUTHPERSISTENT cookies — which allow attackers to bypass multi-factor authentication once injected into their own browsers.
The extension stealthily monitors Microsoft login activity and exfiltrates the cookie data using Google Forms, all while evading current antivirus detection.
Attackers can further automate persistence by deploying scripts that reload the extension via Chrome’s developer mode each time the browser starts.
With stolen session tokens, adversaries can impersonate victims and exploit their access to send messages, read emails, or escalate privileges within the Microsoft environment.
While this technique currently targets Microsoft accounts, it could be adapted to compromise sessions from other services like AWS, Google, or Okta. Microsoft flagged suspicious login attempts during testing, highlighting the importance of monitoring unusual sign-ins and enforcing strict access controls.
To defend against this threat, organizations should apply conditional access policies and restrict Chrome extension usage through administrative policies.
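As an added illustration of the second recommendation (this is not code from the Varonis research or from the article), the following Chrome managed-policy file blocks every extension that is not on an explicit allowlist and disables Developer Tools, which removes the "load unpacked extension via developer mode" path the attack relies on for persistence. The allowlisted extension ID is a placeholder; replace it with the IDs your organization approves. On Linux the file goes in /etc/opt/chrome/policies/managed/, on Windows the same keys are set under HKLM\Software\Policies\Google\Chrome. The ExtensionDeveloperModeSettings key is assumed to be available only in recent Chrome releases; check it against the current policy list for your Chrome version.

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_install_message": "Extensions must be approved by IT before installation."
    },
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
      "installation_mode": "force_installed",
      "update_url": "https://clients2.google.com/service/update2/crx"
    }
  },
  "DeveloperToolsAvailability": 2,
  "ExtensionDeveloperModeSettings": 1
}
```

The "*" entry in ExtensionSettings is the important part: it denies installation by default, so a sideloaded extension cannot be added even by a user with local administrator rights, and the force_installed entry shows how an approved extension is still delivered. This addresses the extension vector only; the conditional access side (for example requiring compliant devices or restricting sign-ins from unexpected locations) is configured separately in Entra ID.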
