MixMode Threat Research is a dedicated contributor to MixMode.ai’s blog, offering insights into the latest advancements and trends in cybersecurity. Their posts analyze emerging threats and deliver actionable intelligence for proactive digital defense.
The Cookie-Bite attack is an advanced evolution of Pass-the-Cookie exploits. This tactic bypasses Multi-Factor Authentication (MFA) by leveraging stolen authentication cookies—such as Azure Entra ID’s ESTSAUTH and ESTSAUTHPERSISTENT—to impersonate users. By hijacking active sessions without needing credentials or MFA, attackers gain access to cloud services like Microsoft 365 and Azure, posing serious risks to enterprise environments.
This attack has become increasingly accessible via darknet tools like EvilProxy and has already been used in high-profile breaches such as the Uber compromise.
How Cookie-Bite Attacks Work
Attackers typically steal cookies using malicious Chrome extensions, infostealer malware, or phishing tools like Evilginx (an Adversary-in-the-Middle proxy). These cookies are then injected into the attacker’s browser, effectively taking over the victim’s session. Because authentication cookies are trusted by cloud services, no additional login or MFA is required.
Persistent cookies—often created when users select options like “Keep Me Signed In”—can remain valid for up to 90 days. Attackers can maintain long-term access by continuously extracting new cookies, even if passwords are changed. By mimicking legitimate attributes like IP addresses and browser settings, they can often bypass Conditional Access Policies undetected.
Real-World Impact and Risks
Cookie-Bite attacks allow threat actors to:
- Access sensitive emails, documents, and APIs (like Microsoft Graph)
- Escalate privileges using misconfigured roles
- Execute unauthorized transactions or deploy ransomware
Because attackers mimic real user behavior, these incidents frequently go unnoticed by traditional antivirus and endpoint detection tools.
Indicators of Compromise (IOCs)
Watch for:
- Unusual logins from unfamiliar IPs, devices, or locations
- Unauthorized browser extensions or modified Chrome settings
- Outbound cookie exfiltration to suspicious servers
- Abnormal activity via Microsoft Graph API or OAuth tokens
- PowerShell scripts interacting with browser data
Legacy Detection Strategies
Traditional approaches include:
- SIEM rule creation for detecting anomalous sign-ins or cookie theft
- EDR scanning for suspicious PowerShell or browser activity
- Correlating Azure Entra ID logs with network data to detect token misuse
But legacy tools often rely on static rules and known signatures, making them ineffective against stealthy and zero-day attacks like Cookie-Bite.
Enhancing Detection with MixMode and Third-Wave AI
MixMode’s Third-Wave AI platform delivers real-time, self-supervised detection by establishing dynamic behavioral baselines—without relying on predefined rules or human tuning.
Monitoring Microsoft Graph API
- Anomaly Detection: MixMode tracks API usage patterns, including excessive Graph API requests or unusual SharePoint access, to detect session hijacking.
- Correlation with IOCs: MixMode connects Graph API activity to IOCs such as unauthorized OAuth tokens, suspicious IPs, or SAML forgery indicators (e.g., UserAuthenticationMethod 16457).
- Real-Time Alerts: Integration with Microsoft 365 logs and Azure Entra ID enables prompt alerts when anomalies are detected.
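The two detection styles discussed above, the rule-based sign-in correlation from the Legacy Detection Strategies section and the behavioral baseline on Graph API usage from this section, as an added Python example. This is not MixMode's code and not part of the original post: it runs over constructed log records, the field names (ts, user, session_id, ip, user_agent, resource) are hypothetical rather than Entra ID's real sign-in schema, and the mean-plus-three-standard-deviations threshold is an assumption chosen for illustration, not MixMode's method.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample events for one user. The field names are hypothetical and
# are NOT Entra ID's real sign-in log schema; a real pipeline would map the
# vendor's fields onto them.
LEGIT = {"ip": "203.0.113.10", "user_agent": "Chrome/124 Windows"}
ATTACKER = {"ip": "198.51.100.77", "user_agent": "Chrome/123 Linux"}


def make_event(ts, fp, session_id="S1", user="alice", resource="graph.microsoft.com"):
    return {"ts": ts, "user": user, "session_id": session_id,
            "ip": fp["ip"], "user_agent": fp["user_agent"], "resource": resource}


# Two legitimate requests, then the same session cookie replayed from a new
# IP and browser fingerprint a few minutes later (constructed).
SIGNIN_EVENTS = [
    make_event("2025-04-01T09:00:00", LEGIT),
    make_event("2025-04-01T09:05:00", LEGIT),
    make_event("2025-04-01T09:07:00", ATTACKER),
]

# A burst of 40 Graph API calls in one hour, 38 of them from the attacker.
SPIKE_HOUR = SIGNIN_EVENTS[:2] + [
    make_event(f"2025-04-01T09:{10 + i // 2:02d}:{30 * (i % 2):02d}", ATTACKER)
    for i in range(38)
]

# A normal hour for comparison: 14 calls from the known device.
NORMAL_HOUR = [make_event(f"2025-03-31T09:{i:02d}:00", LEGIT) for i in range(14)]

# Per-hour Graph API request counts from prior days (constructed baseline).
BASELINE_COUNTS = [12, 15, 11, 14, 13, 12, 16]
KNOWN_IPS = {"203.0.113.10"}


def detect_session_reuse(events, window=timedelta(minutes=30)):
    """Rule-style detection: one session_id used from two different
    (ip, user_agent) fingerprints within `window`. A stolen ESTSAUTH* cookie
    replayed in another browser produces exactly this pattern, because the
    cloud service sees the same session but a new client. Returns one alert
    per offending session."""
    alerts, by_session = [], defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)
    for sid, evs in by_session.items():
        last_seen = {}  # fingerprint -> time of its most recent use
        for e in sorted(evs, key=lambda ev: ev["ts"]):
            t = datetime.fromisoformat(e["ts"])
            fp = (e["ip"], e["user_agent"])
            recent = [o for o, t_o in last_seen.items() if o != fp and t - t_o <= window]
            if recent:
                alerts.append({"session_id": sid, "user": e["user"], "ts": e["ts"],
                               "known_fingerprint": recent[0], "new_fingerprint": fp})
                break  # one alert per session is enough for triage
            last_seen[fp] = t
    return alerts


def detect_graph_spike(hour_events, baseline_counts, known_ips, sigma=3.0):
    """Baseline-style detection: flag an hour whose Graph API request count is
    more than `sigma` standard deviations above the user's historical mean,
    and raise the severity if any of those requests came from an IP the user
    has never used. Returns None when the hour looks normal."""
    graph = [e for e in hour_events if e["resource"] == "graph.microsoft.com"]
    threshold = mean(baseline_counts) + sigma * pstdev(baseline_counts)
    if len(graph) <= threshold:
        return None
    unfamiliar = sorted({e["ip"] for e in graph} - set(known_ips))
    return {"count": len(graph), "threshold": round(threshold, 1),
            "unfamiliar_ips": unfamiliar,
            "severity": "high" if unfamiliar else "medium"}


if __name__ == "__main__":
    for a in detect_session_reuse(SIGNIN_EVENTS):
        print("session reuse:", a)
    print("spike hour:", detect_graph_spike(SPIKE_HOUR, BASELINE_COUNTS, KNOWN_IPS))
    print("normal hour:", detect_graph_spike(NORMAL_HOUR, BASELINE_COUNTS, KNOWN_IPS))
```

The first function is the kind of static rule a SIEM would carry: it needs a stable session identifier in the logs and a fixed window, and it goes quiet if the attacker mimics the victim's IP and user agent, which is exactly the evasion the post describes. The second function only needs per-user request volume and a history to compare against, so it still fires when the fingerprint is spoofed but the volume is not; the unfamiliar-IP check adds the context an analyst needs to prioritise it.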
Dynamic IOC Generation and Management
MixMode provides:
- AI-Generated IOCs: It identifies novel threats (e.g., cookie exfiltration, Graph API abuse) and produces IOCs like IPs, domains, and hashes—automatically updating as the threat landscape evolves.
- Integration with Existing Tools: MixMode shares and ingests IOCs from sources like Microsoft Defender, open-source feeds, and integrates with SIEMs like Splunk or EDR tools such as ThreatLocker.
- Prioritization and Context: IOCs are scored for risk and tied to specific events (e.g., cookie theft or PowerShell abuse), giving analysts clear, actionable insights.
- Full IOC Coverage:
  - Network-Based: Outbound traffic to known C2 servers, strange API endpoints
  - Host-Based: Unauthorized extensions, malicious scripts
  - Cloud-Based: OAuth misuse, suspicious Graph API activity, changes in service principals
Why Third-Wave AI Outperforms Legacy Tools
- No Static Rules: MixMode detects novel, AI-generated, and zero-day threats without prior knowledge.
- Fewer False Positives: With contextual baselining, MixMode cuts false positives by up to 90%.
- Scalable Across Environments: It integrates data from both cloud and on-prem systems for a unified threat view.
Example Detection in Action
MixMode might flag a spike in Graph API requests from a compromised session accessing SharePoint from an unfamiliar IP. This event could be tied to a stolen ESTSAUTHPERSISTENT cookie. MixMode then alerts analysts and initiates guided responses—such as isolating impacted devices or revoking session tokens—via integration with SOAR platforms.
Staying Ahead of Session Hijacking with AI-Driven Defense
As cookie-based attacks like Cookie-Bite continue to evolve, traditional tools alone can’t keep up. Enterprises need adaptive, intelligent systems that can detect the subtle behavioral clues of a breach before damage is done. MixMode’s Third-Wave AI delivers that edge, offering real-time anomaly detection, dynamic IOC generation, and seamless integration with modern security ecosystems. In a world where stolen sessions can bypass MFA and masquerade as legitimate users, proactive defense isn’t optional—it’s essential.