A newly documented proof-of-concept attack named “Cookie-Bite” demonstrates how malicious Chrome extensions can hijack browser session cookies from Azure Entra ID, bypassing multi-factor authentication (MFA) and maintaining persistent access to Microsoft 365 services. The attack, which leverages PowerShell for persistence and Google Forms for exfiltration, was undetected by all 60 security vendors on VirusTotal at the time of discovery [1].
Attack Mechanics and Impact
The Cookie-Bite attack targets Azure Entra ID session cookies (ESTSAUTH and ESTSAUTHPERSISTENT), which remain valid even after MFA completion. The malicious extension monitors login events to Microsoft services, then uses a PowerShell script to reinject the stolen cookies automatically. This allows attackers to maintain access even if the victim changes their password [2].
Dark Reading’s analysis confirms the attack enables lateral movement within cloud environments, with potential for data theft and privilege escalation [3]. The technique aligns with MITRE ATT&CK’s T1539 (“Steal Web Session Cookie”), previously seen in APT42 and DarkGate campaigns [4].
Limitations of Current Defenses
Traditional cookie security measures prove ineffective against this attack vector:
- Signed Cookies: Cryptographic integrity checks prevent tampering but do not prevent theft; a copied cookie is still valid
- One-Time Cookies: Extensions can disable OTC headers before transmission
- Token Binding: TLS-bound cookies remain vulnerable to extension-based theft, since the extension runs inside the bound browser
The proposed CREAM framework (BrowserOnly and Monitored attributes) shows promise in blocking JavaScript/extension access while logging unauthorized changes [5].
Mitigation Strategies
For organizations using Azure Entra ID, immediate actions include:
| Control Type | Implementation |
|---|---|
| Technical | Enforce Chrome ADMX policies to restrict extension installations |
| Monitoring | Audit chrome.cookies API usage and anomalous sign-ins |
| Architectural | Implement conditional access policies binding sessions to trusted devices |
Individual users should avoid “Stay Signed In” options for critical accounts and regularly review installed extensions [6].
Broader Implications
The attack methodology could be adapted to target AWS, Google Workspace, or Okta environments. With 35% of analyzed Chrome extensions having broad cookie-access permissions [7], this vector presents a growing threat surface.
As Google phases out Manifest V2 extensions, organizations should inventory legacy extensions and transition to v3-compliant alternatives [8].
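An added example (not from the original article or any of the cited projects) of the extension review recommended above: it walks a Chrome profile’s Extensions directory, reads each manifest.json, and flags extensions that are still Manifest V2, hold the `cookies` permission, or whose host permissions reach the Entra ID sign-in host. The IDP host list, the finding labels and the two sample manifests are constructed for the example.

```python
import json
from fnmatch import fnmatch
from pathlib import Path

# Identity-provider hosts whose session cookies matter most (constructed list; extend as needed).
IDP_HOSTS = ("login.microsoftonline.com",)
# Chrome match patterns that grant access to every site.
ALL_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

def host_pattern_covers(pattern: str, host: str) -> bool:
    """Return True if a Chrome match pattern grants access to `host`."""
    if pattern in ALL_HOSTS:
        return True
    if "://" not in pattern:
        return False  # an API permission such as "cookies", not a host pattern
    host_part = pattern.split("://", 1)[1].split("/", 1)[0]
    # Chrome's "*.example.com" also matches the bare "example.com".
    if host_part.startswith("*.") and host == host_part[2:]:
        return True
    return fnmatch(host, host_part)

def audit_manifest(manifest: dict) -> list:
    """Return a list of finding labels for one manifest (empty list = nothing notable)."""
    findings = []
    if manifest.get("manifest_version") == 2:
        findings.append("manifest_v2")          # legacy extension being phased out
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p in ALL_HOSTS}
    if any(h in ALL_HOSTS for h in hosts):
        findings.append("broad_hosts")          # can act on every site the user visits
    if "cookies" in perms:
        findings.append("cookies")              # chrome.cookies API available
        if any(host_pattern_covers(h, idp) for h in hosts for idp in IDP_HOSTS):
            findings.append("cookies_reach_idp")  # could read Entra ID session cookies
    return findings

def audit_extensions_dir(extensions_dir) -> dict:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return {extension id: findings}."""
    results = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        findings = audit_manifest(json.loads(manifest_path.read_text(encoding="utf-8")))
        if findings:
            results[manifest_path.parent.parent.name] = findings
    return results

# Constructed sample manifests (not real extensions) for a quick self-check.
SAMPLE_CLEAN = {"manifest_version": 3, "permissions": ["storage"], "host_permissions": ["https://example.com/*"]}
SAMPLE_RISKY = {"manifest_version": 2, "permissions": ["cookies", "webRequest", "<all_urls>"]}

if __name__ == "__main__":
    for name, m in (("clean", SAMPLE_CLEAN), ("risky", SAMPLE_RISKY)):
        print(name, audit_manifest(m) or "no findings")
```

Point `audit_extensions_dir` at a profile’s Extensions folder (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows) to list only the extensions that need a closer look.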
Conclusion
The Cookie-Bite attack highlights fundamental weaknesses in browser-based authentication models. While temporary mitigations exist, long-term solutions require architectural changes like Device-Bound Session Cookies (DBSC) or CREAM implementation. Organizations should prioritize monitoring extension activity and consider disabling developer mode in enterprise Chrome deployments.
References
- “Cookie-Bite Attack PoC Uses Chrome Extension to Steal Session Tokens,” BleepingComputer, Apr. 22, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/cookie-bite-attack-poc-uses-chrome-extension-to-steal-session-tokens/
- “‘Cookie Bite’ Entra ID Attack Exposes Microsoft 365,” Dark Reading, Apr. 22, 2025. [Online]. Available: https://www.darkreading.com/remote-workforce/cookie-bite-entra-id-attack-exposes-microsoft-365
- MITRE ATT&CK, “T1539: Steal Web Session Cookie.” [Online]. Available: https://attack.mitre.org/techniques/T1539/
- CREAM GitHub Repository, 2024. [Online]. Available: https://github.com/Anonymous642/Cookies_and_CREAM
- RFC 8471, “Token Binding over HTTP.” [Online]. Available: https://www.rfc-editor.org/info/rfc8471
- DBSC Proposal. [Online]. Available: https://github.com/WICG/dbsc
- “Tooltivity Extension Recommendations.” [Online]. Available: https://tooltivity.com/extensions/no-longer-supported-v2-manifest/cookie-autodelete