Cookie-Bite attack PoC uses Chrome extension to steal session tokens
Published on: 2025-08-15 20:02:35
A proof-of-concept attack called "Cookie-Bite" uses a browser extension to steal browser session cookies from Azure Entra ID to bypass multi-factor authentication (MFA) protections and maintain access to cloud services like Microsoft 365, Outlook, and Teams.
The attack was devised by Varonis security researchers, who shared a proof-of-concept (PoC) method involving a malicious and a legitimate Chrome extension. However, stealing session cookies is not novel, as infostealers and adversary-in-the-middle phishing attacks commonly target them.
While Cookie-Bite isn't an entirely new concept, it's still noteworthy for its stealth and persistence.
Cookie extension attack
The Cookie-Bite attack consists of a malicious Chrome extension that acts as an infostealer, targeting the 'ESTSAUTH' and 'ESTSAUTHPERSISTENT' cookies in Azure Entra ID, Microsoft's cloud-based identity and access management (IAM) service.
ESTSAUTH is a transient session token that indicates that the user is authenticated