Azure Authentication Cookies: How They Work and Why They Matter

Azure authentication cookies are essential for maintaining secure, continuous user sessions after a successful sign-in via Azure Active Directory. These cookies contain tokens that authenticate a user’s identity without repeatedly prompting for credentials. While they enhance user experience, they also present security risks if intercepted or misused. Attackers can exploit stolen cookies through session hijacking, bypassing MFA and gaining unauthorized access. To secure Azure environments, organizations should enable conditional access, use secure cookie flags (HttpOnly, Secure), implement session expiration, and monitor user activity for anomalies. Strong session management is critical for balancing usability and protection in cloud-based authentication systems.

“Cookie Bite” Entra ID Attack Exposes Microsoft 365: A Critical Cloud Security Wake-Up Call

The “Cookie Bite” attack is a novel method in which malicious browser extensions steal authentication cookies such as ESTSAUTH and ESTSAUTHPERSISTENT from users of Microsoft 365 and Azure Entra ID. With these cookies, attackers can bypass Multi-Factor Authentication (MFA) and hijack legitimate sessions, gaining unauthorized access to services like Outlook, Teams, and SharePoint. The attack is particularly dangerous because it operates within the browser and does not require system-level compromise, making it difficult to detect through traditional security measures. The article highlights the risks of this attack, including data exfiltration and internal impersonation, and outlines mitigation strategies such as monitoring risk-based sign-ins, implementing browser-level protections, and limiting session persistence. It also introduces Technijian's security services as a solution to protect against this and similar threats.