Do Son 
In a recent study conducted by specialists at Varonis, researchers revealed a subtle yet highly effective method of bypassing multi-factor authentication (MFA) through a malicious Chrome extension. The attack, dubbed Cookie-Bite, leverages browser extension capabilities to steal session cookies and gain unauthorized access to corporate Microsoft cloud services — including Microsoft 365, Outlook, and Teams.
The essence of the technique lies in intercepting two specific cookies used by Azure Entra ID’s identity service. The temporary token ESTAUTH, valid for up to 24 hours, confirms successful authentication and MFA. Its more persistent counterpart, ESTSAUTHPERSISTENT, tied to the “Keep Me Signed In” (KMSI) policy, can maintain access for up to 90 days. Both tokens serve as virtual keys to the user’s account — and if compromised, render MFA protections effectively useless.
The attack mechanism operates silently via an extension that activates when a user opens a Microsoft URL. It extracts cookies from the login.microsoftonline.com domain and exfiltrates them as JSON data through a Google Form. Alarmingly, the extension can be packaged into a .crx file and deployed via a PowerShell script, triggering automatic execution each time the browser launches in Developer Mode.
What is particularly concerning is that an analysis on VirusTotal yielded zero detections by antivirus solutions — highlighting a critical blind spot in current security tools. Once in possession of the stolen cookies, the attacker can import the tokens into their own browser using tools such as Cookie-Editor. Upon refreshing the page, Azure treats the session as fully authenticated, granting the attacker identical privileges to those of the victim.
This opens the door to a broad range of malicious actions: viewing and downloading emails, impersonating the user in Teams conversations, or exploring roles and devices via Graph Explorer. Armed with advanced tools like TokenSmith, ROADtools, and AADInternals, an attacker can escalate privileges, move laterally across the infrastructure, and even register new applications under the compromised account.
During the demonstration of this attack, Microsoft flagged login attempts as suspicious due to VPN usage — underscoring the importance of monitoring anomalous behavior. As countermeasures, experts recommend strictly limiting the list of permitted extensions via Chrome’s ADMX policies, blocking access to Developer Mode, and enforcing conditional access policies to restrict logins to trusted IPs and devices.
Such incidents reinforce the findings of a recent LayerX report, which states that 99% of enterprise users employ browser extensions, with more than half of those having access to sensitive information, including cookies and page content.
Particularly troubling is the prevalence of extensions installed outside official marketplaces, often attributed to anonymous Gmail accounts. These revelations underscore the urgent need for stringent control over even the most seemingly benign and routine elements of corporate browser environments.
