Deeper Into The Cookie Jar

Cookie Bite is the Varonis proof of concept (PoC) for stealing Microsoft Entra ID session cookies and taking over a user's sessions. Below we summarize the research, reproduce the findings, and lay out mitigations that go beyond monitoring.


Recently discovered by Varonis threat researchers, the “Cookie Bite” attack has grabbed the attention of security and identity professionals. An article by Dark Reading provides a great summary: ‘Cookie Bite’ Entra ID Attack Exposes Microsoft 365.

“Attackers could exploit two key authentication cookies used by Azure Entra ID to bypass MFA and hijack legitimate user sessions,” said Elizabeth Montalbano for Dark Reading. “Thus gaining persistent access to Entra ID-protected resources in Microsoft 365 like Outlook and Teams. From there, they could engage in a range of malicious activities, including reconnaissance and privilege escalation that can lead to cyberattacks on the system.”

Varonis did not notify Microsoft in advance because, as the Varonis researcher explains, the cookie theft does not rely on a new vulnerability.

“We did not contact Microsoft because this is not related to a new vulnerability,” said Mark Vaitsman, security research team leader at Varonis. “Instead, we are the first to show in full detail how to steal the cookies, remain undetected, and gain control of cloud resources in Azure, bypassing CAP. We also show defenders how to detect it, and what is the possible, major impact.”

Because Microsoft was not informed in advance, and because the technique abuses how session cookies are meant to work rather than a discrete bug, our concern is that a platform-level fix could take months. Given that uncertainty, HadenGrey thought it prudent to investigate additional mitigations that can be used in the interim.

HadenGrey’s Greg Kevorkian immediately reproduced the steps from the PoC and validated the findings so that our team would understand the attack first-hand. He found that, for the attack to succeed, several environmental conditions must be available to the attacker: the ability to load an unsigned browser extension, the ability to run a script on the endpoint, and a sign-in that is not bound to a managed device. The Dark Reading article, however, offers only one mitigation, behavioral/risk-based monitoring to flag possible malicious activity; it does not suggest a way to actively make the exploit harder or impossible to complete. Below, HadenGrey recommends additional mitigation steps that remove each of those conditions.

Mitigation Tactic #1 – Browser Controls

Chromium (Edge, Chrome, and other Chromium-based browsers) – Disable developer mode. This makes it impossible to load unsigned/unpublished (unpacked) extensions, which is the kind of extension the PoC relies on to read the session cookies.

  • Deploy a managed Chrome browser through the Intune admin center (formerly Endpoint Manager).

  • Deploy an Intune Device Configuration Profile with the setting that blocks installation of external extensions (an external extension is any extension not installed from the Chrome Web Store).

Mozilla – Enable the setting that disallows unsigned add-ons. We recommend repeating the same type of control for Firefox and any other browser permitted within the organization. In our environment Firefox is deployed as a managed application through Intune and locked down by an additional Device Configuration Profile.

Apply similar protections to every other web browser in use, as requirements dictate, and ensure corporate policies reflect the change. Note that a user who is a local administrator can remove machine policies, so these controls assume standard (non-admin) users or cloud-managed browser policy.
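The controls above as one script, added here as an example and not taken from the page, from HadenGrey's Intune profiles, or from the Varonis PoC. It is written to run as SYSTEM (for example as an Intune platform script) and writes the same Chrome, Edge and Firefox enterprise policies to the registry that the Intune configuration profiles apply. Policy names are those in the Chrome and Edge enterprise policy lists and the Mozilla policy-templates README; the two allow-listed extension IDs are placeholders, and the Edge name for the newer developer-mode policy is an assumption.

```powershell
# Added example: write the browser extension lockdown policies to the registry.
$ErrorActionPreference = 'Stop'

# Placeholders: extensions the organisation still wants to permit.
$ApprovedChromiumExtensionId = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'   # 32-char Web Store ID
$ApprovedFirefoxAddonId      = 'approved-addon@contoso.example'     # add-on ID from its manifest

function Set-ChromiumExtensionLockdown {
    # $PolicyRoot: HKLM:\SOFTWARE\Policies\Google\Chrome or HKLM:\SOFTWARE\Policies\Microsoft\Edge
    param([Parameter(Mandatory)][string]$PolicyRoot)
    New-Item -Path $PolicyRoot -Force | Out-Null

    # '*' in the blocklist blocks every extension not on the allowlist. Chromium applies
    # it to "Load unpacked" and --load-extension as well, which is the path an
    # unsigned/unpublished extension like the PoC's takes into the browser.
    $block = Join-Path $PolicyRoot 'ExtensionInstallBlocklist'
    New-Item -Path $block -Force | Out-Null
    Set-ItemProperty -Path $block -Name '1' -Value '*' -Type String

    $allow = Join-Path $PolicyRoot 'ExtensionInstallAllowlist'
    New-Item -Path $allow -Force | Out-Null
    Set-ItemProperty -Path $allow -Name '1' -Value $ApprovedChromiumExtensionId -Type String

    # External extensions = anything not installed from the Web Store (registry or
    # preferences side-loads). This is the setting the Intune profile exposes.
    Set-ItemProperty -Path $PolicyRoot -Name 'BlockExternalExtensions' -Value 1 -Type DWord

    # 2 = DeveloperToolsDisallowed: DevTools and the extensions-page developer-mode
    # toggle are unavailable to the user.
    Set-ItemProperty -Path $PolicyRoot -Name 'DeveloperToolsAvailability' -Value 2 -Type DWord

    # Newer Chrome builds also have an explicit policy for the developer-mode toggle
    # (1 = disallowed). Assumption: Edge accepts the same name; older builds ignore it.
    Set-ItemProperty -Path $PolicyRoot -Name 'ExtensionDeveloperModeSettings' -Value 1 -Type DWord
}

function Set-FirefoxExtensionLockdown {
    $root = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'
    New-Item -Path $root -Force | Out-Null

    # ExtensionSettings is a JSON document stored as REG_MULTI_SZ. '*' = blocked refuses
    # every install, including temporary and unsigned add-ons, except the listed ones;
    # install_sources restricts where allowed add-ons may be fetched from.
    $settings = @{
        '*'                     = @{ installation_mode = 'blocked'
                                     install_sources   = @('https://addons.mozilla.org/') }
        $ApprovedFirefoxAddonId = @{ installation_mode = 'allowed' }
    } | ConvertTo-Json -Depth 5 -Compress
    Set-ItemProperty -Path $root -Name 'ExtensionSettings' -Value @($settings) -Type MultiString
}

function Get-ExtensionLockdownState {
    # Read the values back so an Intune detection script (or a human) can verify the
    # policy landed; the browser's own view is at chrome://policy and edge://policy.
    $state = [ordered]@{}
    foreach ($root in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKLM:\SOFTWARE\Policies\Microsoft\Edge') {
        $p = Get-ItemProperty -Path $root -ErrorAction SilentlyContinue
        $state[$root] = [ordered]@{
            BlockExternalExtensions    = $p.BlockExternalExtensions
            DeveloperToolsAvailability = $p.DeveloperToolsAvailability
            BlocklistWildcard          = (Get-ItemProperty -Path (Join-Path $root 'ExtensionInstallBlocklist') -ErrorAction SilentlyContinue).'1' -eq '*'
        }
    }
    $state['Firefox.ExtensionSettings'] = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox' -ErrorAction SilentlyContinue).ExtensionSettings
    return $state
}

Set-ChromiumExtensionLockdown -PolicyRoot 'HKLM:\SOFTWARE\Policies\Google\Chrome'
Set-ChromiumExtensionLockdown -PolicyRoot 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
Set-FirefoxExtensionLockdown
Get-ExtensionLockdownState | ConvertTo-Json -Depth 3
```

The policies take effect at the next browser start or policy refresh. Get-ExtensionLockdownState doubles as the detection script for an Intune remediation, and after deployment it is worth confirming in the browser itself that the "Load unpacked" button on the extensions page is no longer available.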

Mitigation Tactic #2 – Reducing and Preventing Script Execution

Here the goal is to prevent scripts from deploying the payload automatically.

Disable the ability to run any unsigned script on the local machine. This must extend beyond PowerShell, because the PoC can just as easily be delivered as VBScript, Python, or another scripting language. Use Attack Surface Reduction (ASR) rules together with additional endpoint security controls such as AppLocker or WDAC script rules. Bear in mind that the PowerShell execution policy on its own is not a security boundary: it is bypassed with -ExecutionPolicy Bypass or by piping script text into the engine, so it should be treated as a safety rail alongside the stronger controls, not as the control.
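The script-execution controls above in one elevated PowerShell script, added here as an example that is not part of the page or the Varonis PoC. It enables the ASR rules that bear on script-delivered payloads (starting in audit mode), writes the machine-wide signed-scripts-only policy for PowerShell, and turns off Windows Script Host so VBScript/JScript payloads have no engine. The rule GUIDs are from Microsoft's ASR rules reference; the mapping of Defender's numeric action codes is noted in the comments.

```powershell
# Added example: endpoint script controls for a device running Microsoft Defender Antivirus.
$ErrorActionPreference = 'Stop'

# GUIDs from Microsoft's Attack Surface Reduction rules reference.
$ScriptAsrRules = [ordered]@{
    'Block execution of potentially obfuscated scripts'                         = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block JavaScript or VBScript from launching downloaded executable content' = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block executable content from email client and webmail'                    = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block persistence through WMI event subscription'                          = 'E6DB77E5-3DF2-4CF1-B95A-636979351E5B'
}

# Get-MpPreference reports actions as numbers: 0 Disabled, 1 Enabled (block), 2 AuditMode, 6 Warn.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

function Enable-ScriptAsrRules {
    # Start in AuditMode, review the ASR events in the Defender portal, then rerun with -Mode Enabled.
    param([ValidateSet('AuditMode', 'Warn', 'Enabled')][string]$Mode = 'AuditMode')
    $ids     = @($ScriptAsrRules.Values)
    $actions = @($ids | ForEach-Object { $Mode })   # one action per rule ID
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
}

function Set-PowerShellSignedScriptsOnly {
    # Writes the MachinePolicy scope (what the "Turn on Script Execution" ADMX setting
    # writes), which outranks the Process, CurrentUser and LocalMachine scopes. Caveat:
    # execution policy is a safety rail, not a security boundary; an attacker who can
    # already run commands can pipe script text into the engine. AppLocker/WDAC script
    # rules are the control that actually enforces signing.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    New-Item -Path $pol -Force | Out-Null
    Set-ItemProperty -Path $pol -Name 'EnableScripts'   -Value 1 -Type DWord
    Set-ItemProperty -Path $pol -Name 'ExecutionPolicy' -Value 'AllSigned' -Type String
}

function Disable-WindowsScriptHost {
    # wscript.exe and cscript.exe refuse to run any script while Enabled = 0.
    $wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    New-Item -Path $wsh -Force | Out-Null
    Set-ItemProperty -Path $wsh -Name 'Enabled' -Value 0 -Type DWord
}

function Get-ScriptControlState {
    # Read everything back so a detection script can confirm the device is covered.
    $mp  = Get-MpPreference
    $ids = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    $asr = [ordered]@{}
    foreach ($name in $ScriptAsrRules.Keys) {
        $idx = [array]::IndexOf($ids, $ScriptAsrRules[$name])
        $asr[$name] = if ($idx -ge 0) { $AsrActionNames[[int]$mp.AttackSurfaceReductionRules_Actions[$idx]] } else { 'NotConfigured' }
    }
    [pscustomobject]@{
        AsrRules                = $asr
        PowerShellMachinePolicy = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell' -ErrorAction SilentlyContinue).ExecutionPolicy
        WshEnabled              = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -ErrorAction SilentlyContinue).Enabled
    }
}

Enable-ScriptAsrRules -Mode AuditMode
Set-PowerShellSignedScriptsOnly
Disable-WindowsScriptHost
Get-ScriptControlState | ConvertTo-Json -Depth 3
```

Python is not covered by any of these settings because it is not a Windows component; where it is installed, an AppLocker or WDAC publisher rule for the interpreter is the equivalent control.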

Mitigation Tactic #3 – Utilizing Conditional Access Policies

Two Conditional Access policies offer the same defensive function with different scopes. The attack still requires a call to the /authorize endpoint of login.microsoftonline.com; because the attacker presents the stolen session cookie in place of username, password, and MFA, Entra still treats and logs the request as a sign-in, which means Conditional Access is evaluated on it. Option 1 therefore denies the sign-in unless it comes from a company-owned device (Intune-compliant or hybrid-joined); since device state is proven by the device's Primary Refresh Token (PRT) and device certificate, which the attacker's machine lacks, a replayed cookie fails the policy. Option 1 covers everything except insider threats and stolen or compromised hardware. Option 2, token protection, binds the session token to the PRT so that a token replayed from another device is rejected. Note that Microsoft currently documents token protection as applying to Windows desktop clients of Exchange Online and SharePoint Online, not to browser sessions, so on its own it does not stop a replayed browser cookie; Option 1 is the control that bears directly on this PoC, and Option 2 closes the equivalent gap for desktop clients. Roll both out in report-only mode first, with an exclusion for break-glass accounts, and review the report-only results in the sign-in logs before enforcing.
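Both policies created with the Microsoft Graph PowerShell SDK, as an added example that is not from the page or from Microsoft. Both are created in report-only mode so the sign-in log shows what each would have done before anything is enforced. Assumptions: the break-glass group ID is a placeholder, the secureSignInSession (token protection) control is taken from the beta schema, and the two application IDs are the well-known Office 365 Exchange Online and SharePoint Online service principals.

```powershell
# Added example: Option 1 (require managed device) and Option 2 (token protection), report-only.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access accounts

function New-ReportOnlyCaPolicy {
    param(
        [Parameter(Mandatory)][hashtable]$Policy,
        [ValidateSet('v1.0', 'beta')][string]$ApiVersion = 'v1.0'
    )
    # Report-only: Entra evaluates the policy on every sign-in and records the outcome
    # under appliedConditionalAccessPolicies in the sign-in log without blocking anyone.
    $Policy['state'] = 'enabledForReportingButNotEnforced'
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/$ApiVersion/identity/conditionalAccess/policies" `
        -Body $Policy -ContentType 'application/json'
}

# Option 1. The replayed ESTSAUTH cookie is presented to /authorize, so this policy is
# evaluated on it. Only a device carrying a PRT/device certificate can prove it is
# compliant or hybrid joined; the attacker's machine cannot, and the sign-in is denied.
$RequireManagedDevice = @{
    displayName = 'CA-Require compliant or hybrid joined device'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')   # must include browser sessions for this attack
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
}

# Option 2. Token protection binds the sign-in session to the device's PRT. Scoped to
# what Microsoft documents as supported: Windows, desktop clients, Exchange Online and
# SharePoint Online. Browser sessions are not covered, so this complements Option 1
# rather than replacing it for the cookie-replay case.
$TokenProtection = @{
    displayName = 'CA-Token protection for Windows desktop clients'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @(
            '00000002-0000-0ff1-ce00-000000000000',   # Office 365 Exchange Online
            '00000003-0000-0ff1-ce00-000000000000'    # Office 365 SharePoint Online
        ) }
        clientAppTypes = @('mobileAppsAndDesktopClients')
        platforms      = @{ includePlatforms = @('windows') }
    }
    sessionControls = @{ secureSignInSession = @{ isEnabled = $true } }
}

$p1 = New-ReportOnlyCaPolicy -Policy $RequireManagedDevice
$p2 = New-ReportOnlyCaPolicy -Policy $TokenProtection -ApiVersion beta
"Created '$($p1.displayName)' ($($p1.id)) and '$($p2.displayName)' ($($p2.id)) in report-only mode"
```

Before switching either policy to enabled, replay the PoC against a test account from an unmanaged machine and confirm the sign-in log entry shows the policy with a report-only failure result; a sign-in from a compliant device should show report-only success.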

Mitigation Tactic #4 – Develop Alerts at Endpoint and IdP (Identity Provider)

Because no single control prevents this attack, we also recommend additional logging and investigation to identify the specific behaviors and activities of cookie theft so that they can be alerted on and responded to.

1. Investigate suspicious sign-in attributes such as IP address, geo-location, time of day, device compliance state, and other unusual patterns, and have them elevate the user’s risk level.

2. Look for follow-on attacks, for example business email compromise (BEC) cases or recent modifications to your environment (new inbox rules, application consents, or MFA method changes).

3. Review other usage and security alerts for the flagged user.

4. Session cookie theft alerting (where the tooling supports it).

The Varonis research write-up provides examples and additional detail on these alerts.
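A small detector for item 1 above and the first response steps, added here as an example that is not from the page or from Varonis. It runs over constructed sign-in records in the shape the auditLogs/signIns API (and Get-MgAuditLogSignIn) returns; the users are invented and the IP addresses are RFC 5737 documentation ranges. The response function assumes a Graph session with User.RevokeSessions.All and IdentityRiskyUser.ReadWrite.All.

```powershell
# Added example: flag concurrent sign-ins that look like a replayed session cookie.
$SampleSignIns = @'
[
 {"createdDateTime":"2025-04-23T13:02:11Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10",
  "location":{"countryOrRegion":"US"},"deviceDetail":{"isCompliant":true,"operatingSystem":"Windows 11"},
  "clientAppUsed":"Browser","appDisplayName":"Microsoft Teams"},
 {"createdDateTime":"2025-04-23T13:09:47Z","userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.77",
  "location":{"countryOrRegion":"NL"},"deviceDetail":{"isCompliant":false,"operatingSystem":"Windows 10"},
  "clientAppUsed":"Browser","appDisplayName":"Office 365 Exchange Online"},
 {"createdDateTime":"2025-04-23T13:15:02Z","userPrincipalName":"bob@contoso.example","ipAddress":"203.0.113.22",
  "location":{"countryOrRegion":"US"},"deviceDetail":{"isCompliant":true,"operatingSystem":"Windows 11"},
  "clientAppUsed":"Browser","appDisplayName":"Microsoft Teams"},
 {"createdDateTime":"2025-04-23T14:40:30Z","userPrincipalName":"bob@contoso.example","ipAddress":"203.0.113.22",
  "location":{"countryOrRegion":"US"},"deviceDetail":{"isCompliant":true,"operatingSystem":"Windows 11"},
  "clientAppUsed":"Browser","appDisplayName":"Office 365 SharePoint Online"}
]
'@ | ConvertFrom-Json   # constructed sample records

function Find-CookieReplayCandidates {
    param(
        [Parameter(Mandatory)][object[]]$SignIns,
        [int]$WindowMinutes = 60
    )
    # A replayed ESTSAUTH/ESTSAUTHPERSISTENT cookie produces a second, concurrent sign-in
    # for the same user from the attacker's own machine: new IP, usually a new country,
    # and a device Intune does not know as compliant, while the real user is still active
    # from a compliant device. Flag exactly that shape.
    $hits = @()
    foreach ($group in ($SignIns | Group-Object userPrincipalName)) {
        $events = @($group.Group | Sort-Object { [datetime]$_.createdDateTime })
        for ($i = 1; $i -lt $events.Count; $i++) {
            $cur = $events[$i]
            if ($cur.deviceDetail.isCompliant) { continue }
            $recentCompliant = @($events[0..($i - 1)] | Where-Object {
                $_.deviceDetail.isCompliant -and
                $_.ipAddress -ne $cur.ipAddress -and
                $_.location.countryOrRegion -ne $cur.location.countryOrRegion -and
                ([datetime]$cur.createdDateTime - [datetime]$_.createdDateTime).TotalMinutes -le $WindowMinutes
            })
            if ($recentCompliant.Count -gt 0) {
                $hits += [pscustomobject]@{
                    User     = $cur.userPrincipalName
                    When     = $cur.createdDateTime
                    From     = "$($cur.ipAddress) ($($cur.location.countryOrRegion))"
                    App      = $cur.appDisplayName
                    Baseline = "$($recentCompliant[-1].ipAddress) ($($recentCompliant[-1].location.countryOrRegion))"
                    Reason   = 'non-compliant device, new IP and country within window of a compliant-device sign-in'
                }
            }
        }
    }
    return $hits
}

function Invoke-CookieTheftResponse {
    # For a hit confirmed by items 2 and 3 above: invalidate every refresh token and
    # session cookie for the user, then mark the user compromised so risk-based
    # Conditional Access engages. Access tokens already issued stay valid until they
    # expire (up to an hour), so this does not end the attacker's access instantly.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/${UserPrincipalName}?`$select=id"
    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/users/$($user.id)/revokeSignInSessions"
    Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/confirmCompromised' `
        -Body @{ userIds = @($user.id) } -ContentType 'application/json'
}

Find-CookieReplayCandidates -SignIns $SampleSignIns -WindowMinutes 30 | Format-Table -AutoSize
```

On the constructed records only alice's second sign-in is flagged (198.51.100.77 in NL, non-compliant device, seven minutes after her compliant US sign-in); bob's two compliant sign-ins from one IP are not. Because PowerShell property access is case-insensitive, the same function accepts live objects from Get-MgAuditLogSignIn (Microsoft.Graph.Reports) without changes, which is how it would be scheduled against the previous hour of the sign-in log.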

The Cookie Bite attack serves as a critical reminder that even well-established authentication systems like Microsoft Entra ID are not immune to exploitation. While this isn’t a new vulnerability, the demonstration by Varonis researchers clearly shows that existing authentication cookies can be stolen and abused to bypass MFA, hijack sessions, and gain persistent access to sensitive Microsoft 365 resources.

At HadenGrey, we recognize that relying solely on reactive detection is not enough. That’s why we’ve taken a proactive approach to validate the PoC and identify a range of mitigation strategies—going beyond what’s currently available in the public domain. By implementing layered controls across browsers, scripting environments, conditional access policies, and endpoint alerting, organizations can significantly reduce their exposure to cookie-based attacks.

While Microsoft may take time to address the broader implications of this issue, security teams don’t have to wait. The steps outlined above offer practical, actionable defenses to help protect against the Cookie Bite attack now—while strengthening your overall identity and access security posture for the future.