Full Report
A proof-of-concept attack called "Cookie-Bite" uses a browser extension to steal browser session cookies from Azure Entra ID to bypass multi-factor authentication (MFA) protections and maintain access to cloud services like Microsoft 365, Outlook, and Teams. [...]
Analysis Summary
# Tool/Technique: Cookie-Bite Attack (PoC)
## Overview
The Cookie-Bite attack is a proof-of-concept (PoC) technique that leverages a malicious Google Chrome extension to steal valid Microsoft session tokens (cookies) from targeted users, specifically targeting `login.microsoftonline.com`. This allows an attacker, after stealing the cookie, to inject it into their own browser session to gain full authenticated access to Microsoft services, effectively bypassing Multi-Factor Authentication (MFA).
## Technical Details
- Type: Technique/Attack Chain (Leveraging a malicious *tool* - a Chrome Extension)
- Platform: Google Chrome Browser (Windows context described for persistence mechanism)
- Capabilities: Session hijacking, token theft, MFA bypass by replaying a stolen session cookie.
- First Seen: The context implies a recent PoC demonstration by Varonis researchers.
## MITRE ATT&CK Mapping
The primary focus is on credential access and defense evasion through non-traditional means (browser extensions).
- **TA0006 - Credential Access**
- T1555 - Credentials from Password Stores
- T1555.003 - Credentials from Browser Session
- **TA0005 - Defense Evasion**
- T1216 - Drive-by Compromise (Implied if the extension is tricked into installation)
## Functionality
### Core Capabilities
- **Token Exfiltration**: The malicious Chrome extension monitors browser activity specifically for logins to `login.microsoftonline.com`. Upon detection, it reads, filters, and extracts specific session tokens from the cookies.
- **Data Transfer**: The stolen cookie JSON data is exfiltrated to the attacker via a Google Form.
- **Session Re-injection**: Stolen cookies can be injected back into a target session using tools like the legitimate **Cookie-Editor** Chrome extension. This re-establishes an authenticated session under the victim's credentials.
### Advanced Features
- **Evasion**: The custom extension, when packed as a CRX file and scanned via VirusTotal, was reportedly not detected by security vendors at the time of the report.
- **Persistence (Windows Context)**: If the attacker already has access to the device, a PowerShell script run by the Windows Task Scheduler can re-load the unsigned extension into Chrome (as an unpacked extension via Developer Mode) every time the browser is launched.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: Cookies associated with `login.microsoftonline.com`. Manifest/contents of the malicious Chrome extension (details not provided).
- Registry Keys: [Not provided in the context]
- Network Indicators: Exfiltration occurs via a **Google Form** submission (attacker controlled endpoint).
- Behavioral Indicators: Reading cookies scoped to `login.microsoftonline.com`; unusual activity detected on Microsoft endpoints showing log-ins originating from environments flagged as "atRisk" due to VPN usage.
## Associated Threat Actors
- The PoC was demonstrated by **Varonis** researchers, indicating a discovered vulnerability/technique, rather than specific threat actors using it yet.
## Detection Methods
- **Signature-based detection**: Low effectiveness when the extension is new or custom, as the VirusTotal result for the PoC showed.
- **Behavioral detection**: Monitoring for browser extensions with broad permissions reading cookies from highly sensitive domains (`login.microsoftonline.com`). Monitoring for unusual session activity flagged as "atRisk" (e.g., logins from unusual geographies or flagged via risky sign-in detection).
- **YARA rules**: [Not provided in the context]
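The behavioral check above can be applied at the manifest level: an extension can only enumerate cookies through `chrome.cookies` if it declares the `cookies` permission and holds a host permission covering the domain. The following is an added triage script (not Varonis code or part of the PoC) that walks a Chrome profile's `Extensions` folder and flags manifests that combine both for `login.microsoftonline.com`; the sample manifest is constructed for illustration, and the Chrome match-pattern handling is a simplified version of the real grammar.

```python
"""Flag Chrome extensions whose manifest grants cookie access to login.microsoftonline.com."""
import json
import re
from pathlib import Path

SENSITIVE_HOST = "login.microsoftonline.com"
# Simplified Chrome match pattern: <scheme>://<host>/<path>
_PATTERN_RE = re.compile(r"^(\*|https?|file|ftp)://([^/]*)(/.*)?$")


def pattern_covers_host(pattern: str, host: str) -> bool:
    """True if a match pattern such as '*://*.microsoftonline.com/*' covers host."""
    if pattern == "<all_urls>":
        return True
    m = _PATTERN_RE.match(pattern)
    if not m:
        return False
    host_part = m.group(2)
    if host_part == "*":
        return True
    if host_part.startswith("*."):  # wildcard subdomain also matches the bare domain
        return host == host_part[2:] or host.endswith(host_part[1:])
    return host == host_part


def assess_manifest(manifest: dict) -> list[str]:
    """Return findings; an empty list means no cookie-reading capability declared."""
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    if "cookies" not in perms:
        return []  # without chrome.cookies the extension cannot enumerate cookies
    findings = ["declares 'cookies' permission"]
    covering = sorted(h for h in hosts if pattern_covers_host(h, SENSITIVE_HOST))
    if covering:
        findings.append(f"can read cookies for {SENSITIVE_HOST} via {covering}")
    return findings


def scan_extensions(root: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; return flagged extension ids."""
    flagged = {}
    for manifest_path in root.glob("*/*/manifest.json"):
        with open(manifest_path, encoding="utf-8") as fh:
            findings = assess_manifest(json.load(fh))
        if len(findings) > 1:  # report only cookie access that reaches the sensitive host
            flagged[manifest_path.parent.parent.name] = findings
    return flagged


# Constructed sample shaped like a cookie-stealing MV3 manifest (not the real PoC's manifest).
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "helper", "permissions": ["cookies", "storage"],
                   "host_permissions": ["*://*.microsoftonline.com/*"]}
```

Point `scan_extensions` at `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` (expand the variable first); unpacked extensions loaded through Developer Mode live outside that folder, so pair this with the Developer Mode policy block from the mitigation section.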
## Mitigation Strategies
- **Browser Hardening**: Enforce Chrome ADMX policies to:
1. Allow only pre-approved extensions to run.
2. Block users from accessing or utilizing the browser's **Developer Mode**.
- **Conditional Access**: Enforce Conditional Access Policies (CAPs) within Azure AD to limit legitimate logins to specific trusted IP ranges and devices.
- **Monitoring**: Actively monitor for abnormal sign-ins, especially those flagged as "atRisk" or originating from suspicious contexts (like VPNs in this demonstration).
## Related Tools/Techniques
- **Cookie-Editor (Chrome Extension)**: Legitimate tool observed being used to inject stolen cookies.
- **TokenSmith, ROADtools, AADInternals**: Tools mentioned in the context that threat actors might use *after* session hijacking to perform further reconnaissance or lateral movement within the compromised Microsoft ecosystem.