Researchers at Varonis Threat Labs have uncovered an intricate method allowing cyber attackers to get around multi-factor authentication (MFA) and gain lasting access to enterprise cloud environments. By exploiting browser cookies, attackers can completely evade traditional security measures and remain undetected. This research, revealed in April, highlights the growing sophistication of session hijacking techniques, combining browser extensions and scripts to steal authentication tokens. It underscores a troubling evolution, indicating that even advanced security setups like MFA may be insufficient against such intricate attacks.
The Core Mechanics of Cookie-Based Attacks
At the heart of this attack are stolen session cookies, small pieces of data stored in a user’s browser that prove the user has already authenticated, MFA included. Once these cookies are captured, attackers can impersonate the real user and gain undetected access to services like Microsoft 365, Google Workspace, and Amazon Web Services (AWS). Because the session already counts as authenticated, this access triggers none of the usual sign-in alerts, making the method exceptionally dangerous.
Varonis researchers have demonstrated a proof-of-concept: a custom Chrome browser extension paired with PowerShell scripts to extract Azure Entra ID session cookies. These cookies, named ESTSAUTH and ESTSAUTHPERSISTENT, are issued whenever a user signs in to Microsoft’s authentication portal. Once extracted and inserted into an attacker’s browser, they grant immediate access to the victim’s cloud services, effectively bypassing MFA prompts. The malicious extension works by monitoring login events to domains such as login.microsoftonline.com, capturing the authentication cookies in real time, and uploading them to an attacker-controlled endpoint such as a Google Form. Because the extension exhibits none of the behaviors typical of malware, endpoint detection is exceedingly challenging.
Advanced Techniques and Marketplace for Stolen Data
On Windows systems, cookies are encrypted using the Data Protection API (DPAPI), which ties the encryption keys to the user profile and the specific machine. However, infostealers can read already-decrypted cookies from the browser’s process memory or, depending on their access level, extract the encryption keys themselves. Cookies may also be captured through adversary-in-the-middle (AITM) attacks using reverse proxy tools, or by malicious extensions that request high-level permissions to read session data directly.
Stolen session data circulates within a Malware-as-a-Service (MaaS) ecosystem. Infostealer operators distribute malware widely to collect credentials, tokens, and cookies, which are then sold on darknet markets to buyers such as ransomware operators and initial access brokers. Cookies that grant access to enterprise applications are particularly valued: hijacked session tokens from services like Microsoft 365 or Google Workspace can expose internal email, cloud storage, and critical business applications. Azure Entra ID tokens are especially attractive because they can grant long-term access without reauthentication, even across browser sessions.
Within a compromised environment, attackers can manipulate existing enterprise applications using tools like TokenSmith, ROADtools, and AADInternals. These utilities let attackers manipulate tokens, escalate access, or pivot across services within the tenant. Although Conditional Access Policies (CAPs) can block unauthorized login attempts based on location or device compliance, they are not foolproof: Varonis demonstrated that attackers could emulate a victim’s typical environment to bypass CAP restrictions.
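As an added example (not Varonis’s code or any product’s logic), the check below correlates the interactive MFA sign-in with later uses of the same session and flags a session presented from a client that never completed MFA; the log fields, record layout and values are constructed for illustration and are not a real Entra ID sign-in log schema.

```python
# Added example: detect an MFA-backed session cookie being replayed from a client
# that never passed the MFA prompt. Field names and sample events are constructed
# and do not reflect a real Entra ID sign-in log schema.

# Constructed sample events. "session" stands in for the opaque session cookie
# (ESTSAUTH / ESTSAUTHPERSISTENT) that the sign-in and later requests share.
EVENTS = [
    {"ts": 100, "user": "alice", "session": "s1", "ip": "203.0.113.10",
     "ua": "Chrome/124 Windows", "mfa": True},
    {"ts": 160, "user": "alice", "session": "s1", "ip": "203.0.113.10",
     "ua": "Chrome/124 Windows", "mfa": False},
    {"ts": 900, "user": "alice", "session": "s1", "ip": "198.51.100.7",
     "ua": "Firefox/125 Linux", "mfa": False},
    {"ts": 950, "user": "carol", "session": "s3", "ip": "192.0.2.5",
     "ua": "Edge/124 Windows", "mfa": False},
]


def find_session_replays(events):
    """Return one alert dict per suspicious event.

    An MFA-bound session cookie should only be presented by the client
    (IP, user agent) that satisfied the MFA prompt. Two deviations are
    reported: the same session presented from a different client without a
    fresh MFA event (cookie copied into another browser), and a session used
    in this window that was never seen completing MFA (cookie minted before
    the window or captured outside the normal login flow).
    """
    origin = {}  # session id -> client fingerprint that completed MFA
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        fp = (ev["ip"], ev["ua"])
        if ev["mfa"]:
            origin[ev["session"]] = fp
            continue
        known = origin.get(ev["session"])
        if known is None:
            reason = "session_without_mfa_origin"
        elif known != fp:
            reason = "session_reused_from_new_client"
        else:
            continue
        alerts.append({"ts": ev["ts"], "user": ev["user"],
                       "session": ev["session"], "ip": ev["ip"],
                       "ua": ev["ua"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(EVENTS):
        print(alert)
```

Because the research also shows attackers emulating the victim’s environment to satisfy CAPs, a matching IP and user agent is not proof of legitimacy; treat this output as one signal to correlate with others, not a verdict.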
Mitigation Strategies and the Future of Attack Prevention
The findings emphasize a concerning progression in attack strategies: a stolen cookie carries the proof of a completed MFA challenge with it, so even advanced measures like MFA are not sufficient on their own to protect against session hijacking of this kind. As these techniques continue to evolve, organizations must continually adapt their security protocols to stay ahead of potential breaches. This research serves as a reminder of the need for constant vigilance and regular reassessment of security frameworks to protect sensitive data in enterprise cloud environments.