Security news and analysis brought to you by the McCrary Institute

‘Cookie Bite’ Entra ID attack exposes Microsoft 365

By Elizabeth Montalbano

Attackers could exploit two key authentication cookies used by Azure Entra ID to bypass MFA and hijack legitimate user sessions — thus gaining persistent access to Entra ID-protected Microsoft 365 resources such as Outlook and Teams. From there, they could engage in a range of malicious activities, including reconnaissance and privilege escalation, that can lead to cyberattacks on the system.

Researchers at Varonis Threat Labs identified the new attack vector, dubbed “Cookie Bite,” which exploits ESTSAUTH and ESTSAUTHPERSISTENT, two critical authentication cookies used by Azure Entra ID for maintaining authenticated cloud sessions and allowing access to cloud resources, they revealed in a report.

Read more at Dark Reading