The Cookie-Bite attack highlights critical gaps in cloud identity security. This blog explains how session hijacking works and the best practices to defend against it.
The recent disclosure of a session cookie hijacking method, dubbed the “Cookie-Bite” attack, offers yet another reminder that malicious actors are always on the hunt for ways to bypass even robust security controls like multifactor authentication (MFA).
For enterprises heavily invested in Microsoft 365 and Entra ID, it’s a wake-up call to take a fresh look at session security, endpoint hygiene, and browser-based risks in identity-first environments.
Inside the Cookie-Bite threat
The Cookie-Bite attack vector, as reported by Varonis Threat Labs, identifies how attackers could use a malicious Chrome extension and a PowerShell script to steal the ESTSAUTH and ESTSAUTHPERSISTENT cookies, which are issued after successful authentication and MFA validation in Microsoft Entra ID.
These cookies effectively act as digital passports, allowing access to Microsoft 365 apps like Outlook, Teams, and SharePoint. Because the attack operates at the session level and doesn’t rely on exploiting a software vulnerability or dropping malware, it can easily evade traditional detection methods.
The hidden gaps in identity security
This throws into the spotlight potential gaps in many organisations’ Zero Trust implementations, such as:
- Session resilience
- Endpoint trust
Too often, the focus is on the front door – strong passwords, MFA, conditional access and the like – with less attention given to the access tokens and session cookies that maintain user access over time.
It’s a reminder that:
- MFA isn’t a silver bullet: Once a session is authenticated, it often remains valid for hours, or even days, unless explicitly revoked.
- Browser extensions are a blind spot: Many organisations lack policies to control what extensions users can install, opening a huge vector for credential and cookie theft.
- Session token theft is stealthy: Since attackers aren’t modifying systems or triggering malware alerts, traditional endpoint detection tools may not flag these behaviours.
Mitigating session hijacking risks
Kocho’s own technology evangelist, David Guest, spoke recently about the critical need to rethink approaches to authentication.
This threat demonstrates exactly why this is the case and provides an opportunity to reinforce some best practices for identity-driven security, examples of which are highlighted below.
Securing the post-authentication attack surface
The “Cookie-Bite” technique is a prime example of what’s often called the post-authentication attack surface: the set of security risks that arise after a user has successfully authenticated.
As attackers become more adept at living off the land and exploiting trusted mechanisms like session cookies, organisations need to:
- Think beyond login: Identity protection must include everything that happens after MFA, including token issuance, session lifetime, and sign-out policies.
- Reinforce trust at the endpoint: Zero Trust isn’t just about users and apps; it includes evaluating device posture, browser controls, and local attack surface.
- Consider identity as a security perimeter: In modern cloud environments, traditional network boundaries fade. Session integrity and behavioural analytics become the new security checkpoints.
Attackers are always adapting, always probing for weaknesses at every point. This attack should therefore serve as a timely reminder that authentication alone isn’t enough to keep users and data protected, and that your identity security strategy needs to touch every part of the session lifecycle.
Key takeaways
Session hijacking attacks highlight the need to protect cloud identities beyond initial authentication.
Persistent sessions and browser risks must be addressed to reduce exposure to credential theft.
Continuous session risk monitoring and shorter session lifetimes can limit the impact of stolen cookies.
Device compliance enforcement and browser extension control are essential for securing access points.
Identity security strategies must treat session integrity and behavioural analytics as new security perimeters.
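As an added example (not code from this post, from Kocho or from Varonis), the kind of session-level check that “continuous session risk monitoring” and “behavioural analytics” imply in practice: a small Python detector run over constructed, simplified sign-in records loosely shaped like Entra sign-in log fields. The field names, users, IP addresses and session IDs are assumptions for the example. It flags a session ID that is reused from a different IP, user agent or device than the one that completed MFA (the pattern a replayed session cookie leaves behind), and sessions that have outlived a chosen maximum lifetime since their last MFA-backed sign-in (the case a shorter sign-in frequency policy would close).

```python
"""Added example: post-authentication session checks over constructed sign-in records.

Not the post's or any vendor's code. Record shape, MFA flag and sample values
are simplifications chosen for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (assumed field names, loosely modelled on Entra
# sign-in logs, which correlate sign-ins that share one session via sessionId).
SAMPLE_SIGNINS = [
    # alice completes MFA on her managed laptop ...
    {"time": "2025-04-22T08:00:00Z", "user": "alice@example.com", "sessionId": "s-1001",
     "ip": "203.0.113.10", "userAgent": "Edge/124", "deviceId": "dev-alice-laptop", "mfa": True},
    # ... keeps working from the same client ...
    {"time": "2025-04-22T09:15:00Z", "user": "alice@example.com", "sessionId": "s-1001",
     "ip": "203.0.113.10", "userAgent": "Edge/124", "deviceId": "dev-alice-laptop", "mfa": False},
    # ... then the same session appears from an unknown IP, browser and no device.
    {"time": "2025-04-22T09:40:00Z", "user": "alice@example.com", "sessionId": "s-1001",
     "ip": "198.51.100.77", "userAgent": "Chrome/124", "deviceId": "", "mfa": False},
    # bob's session is consistent, but has been alive for three days without re-auth.
    {"time": "2025-04-20T07:00:00Z", "user": "bob@example.com", "sessionId": "s-2002",
     "ip": "203.0.113.20", "userAgent": "Edge/124", "deviceId": "dev-bob-desktop", "mfa": True},
    {"time": "2025-04-23T07:30:00Z", "user": "bob@example.com", "sessionId": "s-2002",
     "ip": "203.0.113.20", "userAgent": "Edge/124", "deviceId": "dev-bob-desktop", "mfa": False},
]

FINGERPRINT_FIELDS = ("ip", "userAgent", "deviceId")


def parse_time(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def group_sessions(records):
    """Group records by sessionId, each group sorted chronologically."""
    groups = defaultdict(list)
    for record in records:
        groups[record["sessionId"]].append(record)
    for events in groups.values():
        events.sort(key=lambda r: parse_time(r["time"]))
    return groups


def fingerprint(record):
    """The client attributes that should stay stable for the life of one session."""
    return tuple(record[field] for field in FINGERPRINT_FIELDS)


def detect_session_replay(records):
    """Flag events whose session ID is used from a client other than the one that passed MFA."""
    findings = []
    for session_id, events in group_sessions(records).items():
        # The event that completed MFA defines the trusted client; fall back to the first event.
        origin = next((e for e in events if e["mfa"]), events[0])
        trusted = fingerprint(origin)
        for event in events:
            if event is origin:
                continue
            current = fingerprint(event)
            if current != trusted:
                changed = [name for name, a, b in zip(FINGERPRINT_FIELDS, trusted, current) if a != b]
                findings.append({"sessionId": session_id, "user": event["user"],
                                 "time": event["time"], "ip": event["ip"], "changed": changed})
    return findings


def detect_stale_sessions(records, max_hours=24):
    """Flag sessions whose latest activity is more than max_hours after their last MFA-backed sign-in."""
    findings = []
    for session_id, events in group_sessions(records).items():
        mfa_events = [e for e in events if e["mfa"]]
        anchor = mfa_events[-1] if mfa_events else events[0]
        age = parse_time(events[-1]["time"]) - parse_time(anchor["time"])
        if age > timedelta(hours=max_hours):
            findings.append({"sessionId": session_id, "user": events[-1]["user"],
                             "age_hours": round(age.total_seconds() / 3600, 1)})
    return findings


def analyse(records, max_hours=24):
    """Run both checks and return the findings together."""
    return {"replay": detect_session_replay(records),
            "stale": detect_stale_sessions(records, max_hours=max_hours)}


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_SIGNINS).items():
        for item in items:
            print(kind, item)
```

In a real deployment the records would come from the sign-in log export rather than an inline list, and a replay finding would feed a revoke-sessions action so the stolen cookie stops working; the stale-session check is the detection-side counterpart of simply configuring a shorter sign-in frequency, which prevents the condition instead of reporting it.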