
Digital Crumbs: Exploiting Entra ID's Session Cookies to Breach Microsoft 365
In a recent wave of sophisticated cyberattacks, security researchers uncovered a stealthy campaign dubbed “Cookie Bite,” which targets Microsoft Entra ID (formerly Azure Active Directory) to compromise Microsoft 365 accounts. The attackers abuse OAuth and session tokens to bypass multi-factor authentication (MFA) protections and hijack legitimate user sessions, effectively flying under the radar of traditional defenses.
Technical Description
The “Cookie Bite” attack is a sophisticated method of compromising Microsoft 365 accounts by exploiting OAuth 2.0 permissions and session cookies tied to Azure Entra ID (formerly Azure AD). The campaign typically begins with well-crafted phishing emails that replicate Microsoft login pages. These emails trick users into granting access to a malicious application disguised as a legitimate one. Once a user consents, the rogue app receives OAuth access tokens that let it perform actions such as reading emails, browsing OneDrive files, or sending messages on the user’s behalf.
A key challenge in defending against this attack is token persistence. Even if a user resets their password, the attacker retains access through the granted OAuth tokens unless the user or an administrator manually revokes the application’s permissions. These tokens can remain valid for extended periods, especially in environments with loose session expiration settings or over-permissive scopes.
Beyond OAuth exploitation, attackers reinforce their foothold by stealing session cookies, specifically ESTSAUTH and ESTSAUTHPERSISTENT, which are essential for maintaining authenticated sessions in services like Outlook and Teams. These cookies are typically harvested via malware, such as infostealers or rogue browser extensions, or through man-in-the-middle techniques. Once in possession of these cookies, the attacker can inject them into their own browser session, bypassing multi-factor authentication entirely (the cookie represents a session in which MFA has already been satisfied) and impersonating the victim with full session continuity.
What makes this approach even stealthier is the use of the Microsoft Graph API for automated data exfiltration. It enables attackers to systematically extract sensitive content such as documents, communications, and credentials with minimal visibility. In federated environments with misconfigured OAuth controls or no monitoring for anomalous application consent, these breaches can go unnoticed for weeks.
Overall, the “Cookie Bite” technique underscores a growing threat landscape in which attackers no longer rely solely on stolen credentials; they exploit the very architecture of modern cloud authentication. By abusing both token-based authorization and session handling mechanisms, they achieve persistence, lateral movement, and data theft without triggering common security alerts.
Impact
The consequences of this attack are significant. Once access is granted, attackers can silently monitor email threads, steal sensitive files, redirect payments, and escalate privileges through lateral movement. Organizations that rely on Microsoft 365 for critical operations are at heightened risk, especially those in sectors such as finance, legal, government, and healthcare.
Because the attack uses legitimate user sessions and APIs, traditional endpoint detection and firewalls often miss it. The malicious OAuth app may also go unnoticed unless IT administrators regularly audit third-party application access within their Entra ID environment.
IOC and Context Details
| Topics | Details |
|---|---|
| Tactic Name | Initial Access, Persistence, Credential Access |
| Technique Name | Session Hijacking, Abuse of Authentication Cookies |
| Sub Technique Name | Browser Cookie Theft, Token Replay |
| Attack Type | Identity Impersonation, Unauthorized Access |
| Targeted Applications | Microsoft 365 (Outlook, Teams), Azure Entra ID |
| Region Impacted | Global |
| Industry Impacted | All |
| IOCs | NA |
| CVE | NA |
Recommended Actions
- Audit and Revoke Suspicious Sessions: Regularly monitor active sessions and revoke any that appear unauthorized.
- Implement Conditional Access Policies: Enforce policies that require compliant devices and trusted locations for access.
- Educate Users: Train employees to recognize phishing attempts and the risks of installing unverified browser extensions.
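One way to carry out the application-consent audit that the Impact section and the recommended actions call for, as an added example (not code from the original article): a Python script that scans exported consent events for the scopes the campaign relies on and for the refresh-token scope that lets a grant survive a password reset. The record schema, field names and sample events are constructed assumptions, loosely modelled on the Entra ID audit log’s “Consent to application” activity, and must be mapped to a real export.

```python
# Added example: flag risky OAuth consent grants in exported Entra ID audit
# events. Field names and sample events are constructed assumptions.
from typing import Iterable

# Delegated Graph scopes matching what the article says the rogue app does
# (read mail, browse OneDrive, send mail). offline_access is tracked apart:
# it issues refresh tokens, which is what lets a grant outlive a password reset.
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Files.Read.All", "Files.ReadWrite.All"}
PERSISTENCE_SCOPE = "offline_access"

# Constructed sample events (simplified schema, not a real export).
SAMPLE_EVENTS = [
    {"activity": "Consent to application", "user": "alice@contoso.example",
     "app": "Contoso Expense Tracker", "publisherVerified": True,
     "adminConsent": False, "scopes": "User.Read openid profile"},
    {"activity": "Consent to application", "user": "bob@contoso.example",
     "app": "Doc Viewer Pro", "publisherVerified": False,
     "adminConsent": False,
     "scopes": "Mail.Read Files.Read.All Mail.Send offline_access"},
    {"activity": "Update user", "user": "carol@contoso.example"},
]


def risk_findings(event: dict) -> list[str]:
    """Return the reasons a single consent event needs review (empty if none)."""
    if event.get("activity") != "Consent to application":
        return []
    scopes = set(event.get("scopes", "").split())
    reasons = []
    sensitive = sorted(scopes & SENSITIVE_SCOPES)
    if sensitive:
        reasons.append("sensitive scopes: " + ", ".join(sensitive))
    if PERSISTENCE_SCOPE in scopes:
        reasons.append("offline_access grants refresh tokens (persistence)")
    if not event.get("publisherVerified", False):
        reasons.append("unverified publisher")
    if reasons and not event.get("adminConsent", False):
        reasons.append("granted by user consent, not reviewed by an admin")
    return reasons


def audit_consents(events: Iterable[dict]) -> list[dict]:
    """Run risk_findings over an export; keep only grants to review or revoke."""
    flagged = []
    for ev in events:
        reasons = risk_findings(ev)
        if reasons:
            flagged.append({"user": ev["user"], "app": ev["app"], "reasons": reasons})
    return flagged
```

Calling `audit_consents(SAMPLE_EVENTS)` returns only the “Doc Viewer Pro” grant, with the sensitive scopes, the offline_access persistence indicator and the unverified publisher listed as the reasons to revoke it.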