A surge in “Pass-the-Cookie” (PTC) attacks is undermining multi-factor authentication (MFA), enabling cybercriminals to hijack session cookies and bypass security measures to access sensitive accounts.
Recent advisories from the FBI and cybersecurity firms highlight how attackers exploit stolen browser cookies (small data files that authenticate users) to impersonate victims, even when MFA is enabled.
This method, which has targeted platforms like Microsoft 365, YouTube, and financial services, exposes critical gaps in relying solely on MFA for identity verification.
Pass-the-Cookie attacks exploit session cookies generated after users log into applications. These cookies, such as Microsoft’s ESTSAUTH, store authentication tokens and allow seamless access without repeated logins.

Threat actors steal these tokens using malware like LummaC2 or Redline, often distributed through phishing campaigns disguised as software updates or collaboration offers.
Once extracted, cookies are injected into attackers’ browsers, granting immediate access to accounts, with no passwords or MFA challenges required.
For example, a compromised ESTSAUTH cookie lets attackers log into Microsoft 365 from unrelated devices.

Cybersecurity firm Longwall Security demonstrated this by copying a cookie from a corporate Windows device into a clean Ubuntu-Firefox setup, gaining full access without triggering MFA.
Similarly, Google’s Threat Analysis Group observed attackers targeting YouTube creators with fake collaboration offers, leading to malware that exfiltrates cookies to hijack channels.
Why MFA Alone Isn’t Enough
MFA’s reliance on session cookies creates a vulnerability window. By default, Microsoft 365 sessions persist for 1–24 hours, while other platforms retain cookies indefinitely if users select “Remember this device.”
Attackers exploit this by stealing cookies during active sessions or using infostealers to harvest them from infected devices.
Notably, 72% of PTC attacks detected by Obsidian Security targeted SaaS applications beyond identity providers, including email and cloud storage.
Even “phishing-resistant” MFA methods, such as hardware keys, are vulnerable if users access accounts on unsecured devices.
In one case, attackers compromised a YubiKey-protected Microsoft account via a personal laptop lacking endpoint security, ultimately transferring $530,000 to fraudulent accounts.
The FBI’s Atlanta Division has urged organizations to adopt phishing-resistant MFA, such as passkeys, which use cryptographic keys instead of cookies.
Microsoft and Okta recommend reducing session durations and enforcing conditional access policies, such as device compliance checks.
For instance, limiting sessions to 1 hour and revoking cookies during password resets can curb persistent access. Cybersecurity teams are also prioritizing session monitoring.
Obsidian’s platform flags anomalies like logins from Tor networks or mismatched browser fingerprints, while Microsoft’s Azure AD logs now highlight cookie-based authentications for faster detection.
Additionally, continuous access evaluation tools revalidate sessions in real time, terminating suspicious activity.
Mitigating the Threat
To defend against PTC attacks, experts recommend:
- Shortening Session Lifespans: Enforce session timeouts (e.g., 15 minutes for high-risk apps) and disable “persistent” cookies.
- Securing Cookies: Mark cookies as Secure and HttpOnly to prevent JavaScript exfiltration.
- Adopting Passkeys: Replace password-based logins with FIDO2 passkeys, which bind authentication to specific devices and eliminate cookie dependencies.
- Restricting Device Access: Use MDM solutions like Intune to block unauthorized devices and enforce patch compliance.
- Educating Users: Train employees to avoid suspicious links and log out of sessions explicitly rather than closing browsers.
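As an added example (not code from the article or from any vendor named in it), the Python script below shows the session-monitoring idea described above together with the cookie-hardening item from the list: it binds each session cookie ID to the client fingerprint seen at the MFA login (simplified here to IP address and user agent), then flags later requests that reuse the cookie from a different fingerprint or beyond a one-hour lifetime. The log events, session IDs and addresses are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample authentication log: one MFA login per session cookie,
# followed by requests that present that cookie. S1 is later replayed from
# an unrelated host; S2 is reused long after it was issued.
SAMPLE_EVENTS = [
    {"sid": "S1", "ts": "2024-05-01T09:00:00", "ip": "10.0.0.5", "ua": "Edge/Win10", "event": "login_mfa"},
    {"sid": "S1", "ts": "2024-05-01T09:30:00", "ip": "10.0.0.5", "ua": "Edge/Win10", "event": "request"},
    {"sid": "S1", "ts": "2024-05-01T10:15:00", "ip": "203.0.113.7", "ua": "Firefox/Ubuntu", "event": "request"},
    {"sid": "S2", "ts": "2024-05-01T08:00:00", "ip": "10.0.0.9", "ua": "Chrome/Win11", "event": "login_mfa"},
    {"sid": "S2", "ts": "2024-05-01T11:30:00", "ip": "10.0.0.9", "ua": "Chrome/Win11", "event": "request"},
]

MAX_SESSION_AGE = timedelta(hours=1)  # the 1-hour limit suggested in the article


def detect_cookie_replay(events, max_age=MAX_SESSION_AGE):
    """Return (sid, reason) alerts for session cookies used from a fingerprint
    other than the one seen at MFA login, or used past their maximum age."""
    bound = {}    # sid -> ((ip, ua), issue time) recorded at the MFA login
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        ts = datetime.fromisoformat(e["ts"])
        fp = (e["ip"], e["ua"])
        if e["event"] == "login_mfa":
            bound[e["sid"]] = (fp, ts)
            continue
        if e["sid"] not in bound:
            alerts.append((e["sid"], "session used without a recorded MFA login"))
            continue
        issued_fp, issued_at = bound[e["sid"]]
        if fp != issued_fp:          # cookie presented from a different device/browser
            alerts.append((e["sid"], f"fingerprint changed {issued_fp} -> {fp}"))
        elif ts - issued_at > max_age:   # persistent session outliving its window
            alerts.append((e["sid"], "session older than max age"))
    return alerts


def session_cookie_header(sid, max_age_seconds=3600):
    """Set-Cookie value with the attributes from the mitigation list: Secure and
    HttpOnly (no JavaScript access), SameSite, and a short Max-Age instead of a
    persistent cookie. Cookie name is a hypothetical placeholder."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Strict; Max-Age={max_age_seconds}"


if __name__ == "__main__":
    for sid, reason in detect_cookie_replay(SAMPLE_EVENTS):
        print(f"ALERT {sid}: {reason}")
    print(session_cookie_header("S1"))
```

A real deployment would compare a richer fingerprint (TLS and browser characteristics, managed-device identity) and feed the alerts into session revocation rather than only printing them.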
As Pass-the-Cookie attacks escalate, organizations must recognize MFA as one layer in a broader defense strategy.
By integrating shorter sessions, stricter device policies, and phishing-resistant authentication, businesses can mitigate risks while maintaining user productivity. For individuals, vigilance against unsolicited collaboration offers and consistent log-out habits remain critical.