Why Varonis' Cookie-Bite PoC Redefines Session Hijacking Threats
The Varonis Threat Labs article, "Cookie-Bite: How Your Digital Crumbs Let Threat Actors Bypass MFA and Maintain Access to Cloud Environments," introduces a proof-of-concept (PoC) that demonstrates a sophisticated method for stealing browser cookies to bypass multi-factor authentication (MFA) and gain persistent access to cloud services like Microsoft 365. But what makes this PoC stand out from typical cookie-stealing attacks? Let’s break it down in simple terms and explore why it’s a game-changer in the world of session hijacking.
What Is the Cookie-Bite PoC?
The Cookie-Bite PoC shows how attackers can use a custom Chrome extension and a PowerShell script to steal session cookies—small pieces of data the browser stores to prove you’ve already logged into a website. These cookies, like Azure Entra ID’s ESTSAUTH and ESTSAUTHPERSISTENT, act as a “key” to cloud services, letting attackers access accounts without needing passwords or MFA codes. By stealing these cookies, attackers can impersonate users, sneak into corporate systems, and even escalate their access to cause major damage.
What sets this PoC apart is its focus on persistence, stealth, and enterprise-grade targets. Unlike typical attacks that grab cookies once, this method ensures ongoing access, evades detection, and targets high-value cloud environments. Here’s why it’s different.
Key Features That Make This PoC Unique
1. Persistent Cookie Theft
Most cookie-stealing attacks grab a cookie once and hope it stays valid (e.g., 24 hours for ESTSAUTH or 90 days for ESTSAUTHPERSISTENT). The Varonis PoC, however, uses a Chrome extension that captures fresh cookies every time the victim logs into Microsoft’s login page. This means attackers can maintain access even if a session expires or is revoked, as long as the victim keeps logging in.
Why It Matters: This continuous theft makes the attack far more resilient, turning a one-time breach into a long-term threat.
2. No Malware, Just Stealth
Traditional cookie-stealing attacks often rely on infostealer malware (like RedLine) that injects code or modifies files, which antivirus software can detect. The Varonis PoC avoids this by using a browser extension and a lightweight PowerShell script. The extension operates within the browser’s security context, blending in as a legitimate tool, while the script automates deployment without deep system changes.
Why It Matters: By avoiding traditional malware, the attack is harder to spot, slipping past endpoint detection tools with ease.
3. Automated and Scalable
The PoC automates the entire process—from deploying the extension to exfiltrating stolen cookies to a Google Form. The PowerShell script can be scheduled to run periodically, ensuring the extension reloads even if Chrome closes. Using Google Forms for exfiltration is a clever trick, as it looks like normal web traffic and is unlikely to be blocked.
Why It Matters: This automation makes the attack easy to scale, allowing attackers to target multiple victims with minimal effort.
4. Seamless Session Hijacking
To access the victim’s account, the PoC uses a legitimate Chrome extension called Cookie-Editor to inject stolen cookies into the attacker’s browser. This instantly grants access to cloud services like Outlook or Teams. The PoC also suggests collecting victim data (e.g., IP address, browser version) to mimic their environment, helping bypass Conditional Access Policies (CAPs)—security rules that block unfamiliar devices or locations.
Why It Matters: Using a widely available tool like Cookie-Editor simplifies the attack, while environment imitation defeats advanced security controls, making it practical and effective.
5. Targeting Enterprise Cloud Services
While many attacks target social media or banking cookies, this PoC focuses on enterprise-grade cloud services, specifically Azure Entra ID cookies. These cookies unlock access to Microsoft 365, Azure Portal, and other corporate tools, making them high-value targets. A single stolen session could lead to data theft, phishing, or even a full network takeover.
Why It Matters: The enterprise focus means this attack poses a significant risk to businesses, not just individuals.
6. Bypassing Conditional Access Policies
CAPs are designed to block unauthorized access by checking factors like location or device. The Varonis PoC counters this by collecting victim details (e.g., hostname, OS) via the PowerShell script, allowing attackers to mimic the victim’s setup. This tricks CAPs into granting access, even in organizations with strict security.
Why It Matters: Evading CAPs makes the attack viable against well-protected companies, increasing its real-world impact.
7. Advanced Post-Exploitation
Once inside, attackers can do more than just read emails. The PoC highlights tools like TokenSmith and ROADtools, which let attackers extract additional tokens, enumerate users, or escalate privileges. For example, accessing Graph Explorer can reveal sensitive data about a company’s network, while Outlook might uncover passwords or phishing opportunities.
Why It Matters: This focus on long-term, strategic exploitation sets the PoC apart from attacks that only seek immediate gains, like draining a bank account.
How Does It Compare to Typical Attacks?
How Can You Protect Yourself?
This PoC highlights the need for stronger defenses against cookie-based attacks. Here are some practical steps:
Enforce Strict CAPs: Block access from unfamiliar locations or devices, and use tools like Microsoft Intune to ensure device compliance.
Monitor Sign-In Logs: Look for odd patterns, like multiple logins from different locations with the same session ID.
Limit Cookie Lifespan: Clear cookies regularly and avoid “stay signed in” options to shorten the attack window.
Restrict Extensions: Block unauthorized browser extensions and scan for suspicious ones.
Use Endpoint Security: Tools like Varonis can detect unusual behavior, such as cookie theft or abnormal logins.
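Detection logic for the sign-in log check above, written as an added example that is not part of the Varonis article: it assumes Entra-style interactive sign-in records as JSON lines with the fields shown (sessionId, ipAddress, location, deviceDetail), and every value in the sample is constructed. A replayed ESTSAUTH cookie appears as one session ID presented from a second country, or from a browser/OS that does not match the victim's original sign-in.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Entra-style interactive sign-in records (JSON lines).
# Field names mirror the Microsoft Graph signIn resource (sessionId, ipAddress,
# location, deviceDetail); the values are invented for this example.
SAMPLE_LOG = """
{"createdDateTime":"2025-04-22T08:01:10Z","userPrincipalName":"alice@example.com","sessionId":"sess-111","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"deviceDetail":{"operatingSystem":"Windows10","browser":"Chrome 124"}}
{"createdDateTime":"2025-04-22T08:40:55Z","userPrincipalName":"alice@example.com","sessionId":"sess-111","ipAddress":"198.51.100.7","location":{"countryOrRegion":"DE"},"deviceDetail":{"operatingSystem":"Windows10","browser":"Chrome 124"}}
{"createdDateTime":"2025-04-22T09:02:00Z","userPrincipalName":"bob@example.com","sessionId":"sess-222","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"deviceDetail":{"operatingSystem":"MacOs","browser":"Safari 17"}}
{"createdDateTime":"2025-04-22T09:15:30Z","userPrincipalName":"bob@example.com","sessionId":"sess-222","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"deviceDetail":{"operatingSystem":"MacOs","browser":"Safari 17"}}
{"createdDateTime":"2025-04-22T10:00:00Z","userPrincipalName":"carol@example.com","sessionId":"sess-333","ipAddress":"203.0.113.40","location":{"countryOrRegion":"US"},"deviceDetail":{"operatingSystem":"Windows11","browser":"Chrome 124"}}
{"createdDateTime":"2025-04-22T10:03:00Z","userPrincipalName":"carol@example.com","sessionId":"sess-333","ipAddress":"203.0.113.41","location":{"countryOrRegion":"US"},"deviceDetail":{"operatingSystem":"Linux","browser":"Firefox 125"}}
"""

def parse_signins(text):
    """Parse JSON-lines sign-in records into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events

def find_replayed_sessions(events, window=timedelta(hours=24)):
    """Flag session IDs reused from another country or device within `window`.
    The window defaults to the 24-hour ESTSAUTH lifetime mentioned in the text;
    the first sign-in of a session is treated as the victim's legitimate one.
    Returns (sessionId, user, suspect IP, reasons) tuples.
    """
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["sessionId"]].append(ev)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        first = evs[0]
        for ev in evs[1:]:
            if ev["ts"] - first["ts"] > window:
                break
            reasons = []
            if ev["location"]["countryOrRegion"] != first["location"]["countryOrRegion"]:
                reasons.append("country")
            if ev["deviceDetail"] != first["deviceDetail"]:
                reasons.append("device")
            if reasons:
                alerts.append((sid, first["userPrincipalName"], ev["ipAddress"], reasons))
    return alerts
```

The device check only catches replays where the attacker did not mimic the victim's browser and OS, which is exactly why the country/IP comparison should stay the primary signal.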
The Bottom Line
The Varonis Cookie-Bite PoC is a wake-up call for organizations relying on MFA and cloud services. Its focus on enterprise targets, stealthy execution, and post-exploitation potential makes it a serious threat to businesses worldwide.
To stay safe, companies must go beyond MFA and adopt proactive measures like CAPs, log monitoring, and endpoint protection. As attackers get smarter, understanding and defending against attacks like Cookie-Bite is crucial to keeping your data secure.
Citations
https://www.varonis.com/blog/cookie-bite