April 28, 2025
By Esentry team

SECURITY ADVISORY: COOKIE-BITE ATTACK

Chrome Extensions Exploited to Bypass MFA and Compromise Microsoft Cloud Services

SEVERITY: HIGH
Date: April 26, 2025
Advisory ID: CVB-2025-0426

EXECUTIVE SUMMARY

A sophisticated attack technique dubbed "Cookie-Bite" has been discovered that leverages malicious Chrome extensions to steal session cookies from Azure Entra ID. This attack effectively bypasses multi-factor authentication (MFA) protections and enables unauthorized access to Microsoft cloud services including M365, Outlook, and Teams. Organizations using Azure Entra ID for authentication should take immediate action to protect their environments.

THREAT DETAILS

Attack Method

The Cookie-Bite attack operates through specially crafted malicious Chrome extensions that:

1. Target and exfiltrate critical Azure Entra ID authentication cookies:
   - ESTSAUTHPERSISTENT - Created when users select "Stay signed in"
   - ESTSAUTH - Indicates successful MFA completion

2. Use these stolen cookies to impersonate legitimate users without triggering additional authentication challenges

3. Maintain persistent access to cloud resources even after the initial compromise

Affected Systems

  • Browsers: Google Chrome and Chrome-based browsers
  • Authentication: Microsoft Azure Entra ID
  • Services: Microsoft 365, Outlook, Teams, SharePoint, OneDrive, and other Azure Entra ID-protected services.

Business Impact

Successful exploitation allows attackers to:

  • Access sensitive corporate communications and documents
  • Circumvent MFA security controls
  • Maintain persistent access to cloud environments
  • Execute data exfiltration operations with legitimate credentials
  • Potentially move laterally within cloud environments

DETECTION GUIDANCE

Monitor for these indicators of compromise:

  • Unauthorized Chrome extensions with suspicious permission requests, particularly:
    • Access to cookies or all site data
    • Network access permissions
  • Anomalous authentication patterns:
    • Sessions established without MFA prompts when MFA is required
    • Logins from unusual geographic locations or IP addresses
    • Multiple simultaneous active sessions for a single user
    • Access to services outside typical usage patterns
  • Network traffic anomalies:
    • Connections to unknown domains from Chrome
    • Unusual data transfer patterns involving authentication cookies
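The first indicator above (extensions requesting cookie or all-site access) can be checked mechanically against each installed extension's manifest.json. The script below is an added example written for this advisory, not a tool from the Esentry team or from Google. The two manifests it audits are constructed; the identity-provider host fragments and the set of "broad" host patterns are assumptions to adjust for your environment. In production, read the manifest.json files under each Chrome profile's Extensions directory instead of the embedded samples.

```python
"""Audit Chrome extension manifests for the permission combination a
cookie-stealing extension needs (cookie API access plus broad host reach).

Added example for this advisory, not an Esentry or Google tool. The two
manifests below are constructed so the audit runs offline.
"""
import json

# Constructed sample manifests (Manifest V3 shape).
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Tab Notes", "version": "1.0",
    "permissions": ["storage"],
})
SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Productivity Helper", "version": "2.3",
    "permissions": ["cookies", "webRequest", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://login.microsoftonline.com/*"],
                         "js": ["inject.js"]}],
})

# Match patterns that grant reach into every site (assumption: extend as needed).
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Hosts involved in the Entra ID sign-in flow (assumption: adjust to your IdP).
IDP_HOST_FRAGMENTS = ("login.microsoftonline.com", "login.microsoft.com")


def host_patterns(manifest):
    """Collect match patterns from MV3 host_permissions, from MV2-style
    permissions entries that look like URL patterns, and from content
    script 'matches' lists."""
    patterns = list(manifest.get("host_permissions", []))
    patterns += [p for p in manifest.get("permissions", [])
                 if p == "<all_urls>" or "://" in p]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest; empty means clean."""
    findings = []
    perms = set(manifest.get("permissions", []))
    patterns = host_patterns(manifest)
    broad = any(p in BROAD_HOST_PATTERNS for p in patterns)
    if "cookies" in perms:
        findings.append("declares the 'cookies' API permission")
    if perms & {"webRequest", "webRequestBlocking", "declarativeNetRequest"}:
        findings.append("can observe or modify network requests")
    if broad:
        findings.append("requests access to all sites")
    if any(frag in p for p in patterns for frag in IDP_HOST_FRAGMENTS):
        findings.append("targets the identity-provider sign-in host")
    # Cookie access combined with reach into every site is the combination
    # that enables session-cookie exfiltration; rank it first.
    if "cookies" in perms and broad:
        findings.insert(0, "HIGH: cookie access combined with all-sites host access")
    return findings


def audit_all(manifest_texts):
    """Map extension name -> findings for each manifest JSON string given."""
    report = {}
    for text in manifest_texts:
        manifest = json.loads(text)
        report[manifest.get("name", "<unnamed>")] = audit_manifest(manifest)
    return report


if __name__ == "__main__":
    for name, findings in audit_all([BENIGN_MANIFEST, SUSPICIOUS_MANIFEST]).items():
        print(name, "->", findings or "no findings")
```

A finding that an extension merely declares "cookies" is not by itself proof of malice (password managers and some developer tools legitimately need it); the HIGH ranking is reserved for cookie access paired with all-sites reach, which is the combination to review or blocklist first.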

MITIGATION STEPS

Immediate Actions

1. Enforce browser extension policies

- Deploy organizational policies to restrict extension installation

- Allow only pre-approved extensions from authorized sources

- Consider blocklisting extensions requesting cookie access

2. Implement session security controls

- Reduce session timeout values for Azure Entra ID

- Disable "Stay signed in" functionality where possible

- Force re-authentication for sensitive operations

3. Audit active sessions

- Review and terminate suspicious existing sessions in Azure Entra ID

- Reset credentials for potentially compromised accounts

Strategic Recommendations

1. Enhance authentication architecture

- Implement conditional access policies with device compliance requirements

- Consider FIDO2 security keys for critical accounts

- Evaluate browser isolation technologies for high-risk users.

2. Improve monitoring and response

- Configure alerts for cookie theft indicators

- Develop playbooks for responding to session hijacking attempts

- Implement advanced threat analytics to detect anomalous access patterns

3. User awareness and training

- Educate users about extension security risks

- Encourage regular browser security hygiene

- Establish clear procedures for reporting suspicious activities

TECHNICAL DETAILS

The Cookie-Bite attack exploits the trust relationship between browsers and cloud services. When a user authenticates to Azure Entra ID with MFA, the service creates session cookies that maintain the authenticated state. By targeting these specific cookies, attackers bypass the need to possess the victim's password or MFA device.

This attack is particularly concerning because:

1. It occurs after legitimate authentication, avoiding suspicious login attempts.

2. It maintains functionality even if the victim's password is changed.

3. Standard MFA solutions cannot detect cookie theft or reuse.
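Because the stolen cookie is presented after a legitimate MFA sign-in, the reuse is visible in sign-in telemetry rather than at the login prompt. The script below is an added example written for this advisory, not part of the original text and not Microsoft's sign-in log schema. It correlates simplified sign-in records to flag three of the patterns listed under Detection Guidance: one session identifier presented from more than one IP address, access without an MFA prompt from an address that never completed MFA for that user, and sign-ins for one user from two countries within a short window. The field names, the two-hour window, and the sample records are constructed.

```python
"""Correlate sign-in records to flag possible session-cookie reuse.

Added example for this advisory. The record layout is a constructed,
simplified stand-in for an identity provider's sign-in log; field names
are assumptions, not Entra ID's exact schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice completes MFA from the office, then her session
# identifier is presented from another country without any MFA prompt.
SAMPLE_SIGNINS = [
    {"time": "2025-04-26T08:00:00", "user": "alice@example.com", "session_id": "S-1",
     "ip": "203.0.113.10", "country": "DE", "mfa_required": True, "mfa_prompted": True},
    {"time": "2025-04-26T08:05:00", "user": "alice@example.com", "session_id": "S-1",
     "ip": "203.0.113.10", "country": "DE", "mfa_required": True, "mfa_prompted": False},
    {"time": "2025-04-26T09:30:00", "user": "alice@example.com", "session_id": "S-1",
     "ip": "198.51.100.77", "country": "BR", "mfa_required": True, "mfa_prompted": False},
    {"time": "2025-04-26T10:00:00", "user": "bob@example.com", "session_id": "S-2",
     "ip": "203.0.113.22", "country": "DE", "mfa_required": True, "mfa_prompted": True},
]


def when(record):
    """Parse the record timestamp (ISO 8601, constructed format)."""
    return datetime.fromisoformat(record["time"])


def find_session_reuse(records):
    """Rule 1: one session identifier presented from more than one source IP."""
    ips_by_session = defaultdict(set)
    for r in records:
        ips_by_session[(r["user"], r["session_id"])].add(r["ip"])
    return sorted((user, sid, sorted(ips))
                  for (user, sid), ips in ips_by_session.items() if len(ips) > 1)


def find_mfa_less_access(records):
    """Rule 2: MFA was required but not prompted, and the source IP never
    completed an MFA prompt for this user earlier in the log."""
    mfa_verified_ips = defaultdict(set)
    findings = []
    for r in sorted(records, key=when):
        if r["mfa_required"] and r["mfa_prompted"]:
            mfa_verified_ips[r["user"]].add(r["ip"])
        elif r["mfa_required"] and r["ip"] not in mfa_verified_ips[r["user"]]:
            findings.append((r["user"], r["ip"], r["time"]))
    return findings


def find_concurrent_countries(records, window=timedelta(hours=2)):
    """Rule 3: sign-ins for one user from two countries within `window`."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    findings = set()
    for user, rows in by_user.items():
        rows.sort(key=when)
        for i, first in enumerate(rows):
            for later in rows[i + 1:]:
                if when(later) - when(first) > window:
                    break  # rows are time-ordered; nothing later can be in the window
                if first["country"] != later["country"]:
                    findings.add((user, first["country"], later["country"]))
    return sorted(findings)


def analyze(records):
    """Run all three rules and return the findings keyed by rule name."""
    return {
        "session_reuse": find_session_reuse(records),
        "mfa_less_access": find_mfa_less_access(records),
        "concurrent_countries": find_concurrent_countries(records),
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_SIGNINS).items():
        print(f"{rule}: {hits or 'none'}")
```

Rule 1 is the strongest signal for this attack, since a legitimately refreshed session normally keeps presenting from the same client; rules 2 and 3 produce more noise on a mobile workforce and are better used to raise the priority of a rule 1 hit than as alerts on their own.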