BP-029 Browser Session Cookie Theft (Session Hijack via Local Compromise)
Session hijacking through local device compromise represents one of the fastest-growing identity intrusion vectors in modern cloud security. Attackers steal authenticated browser cookies to bypass MFA entirely.
Understanding the Attack Vector
How Attackers Steal Cookies
Adversaries deploy infostealer malware like RedLine, Raccoon, MetaStealer, and Vidar to extract browser session cookies directly from compromised endpoints. Malicious browser extensions, credential-harvesting trojans, and memory scraping tools enable silent exfiltration of active authenticated sessions.
These stolen cookies contain fully validated cloud sessions, allowing attackers to impersonate users with zero credentials, zero MFA prompts, and zero login events triggering security alerts.
Why This Attack Succeeds
Browser cookies stored in unencrypted local storage, synced across devices through browser profiles, and often persisting beyond password reset events create ideal conditions for session hijacking. Because the stolen session has already satisfied the tenant's Conditional Access policies, the attacker inherits that validated state, making detection extremely challenging.
Session cookies frequently outlive credential changes, providing attackers with persistent access even after incident response teams force password resets across the organization.
Attacker Objectives and Tactics
Session Hijacking
Steal and replay authenticated browser cookies to impersonate legitimate users without triggering authentication events or MFA challenges.
Admin Console Access
Target high-value accounts to access Azure Portal, AWS Console, GCP Console, and SaaS admin panels with inherited privileges.
Privilege Escalation
Leverage inherited identity permissions to perform high-privilege actions, modify security policies, and establish persistence mechanisms.
Conditional Access Bypass
Bypass all security controls by inheriting pre-validated sessions that already passed location, device compliance, and risk-based policies.
Browser cookies stored without encryption in local storage. Session lifetimes extended beyond secure boundaries. No device binding or session validation enforcement across geography changes.
MC-132: Weak Endpoint Security Posture
Unmanaged or infected endpoints lack EDR protection. Infostealer malware executes without detection. No browser isolation or credential guard policies deployed.
MC-201: Over-Permissioned OAuth Applications
Stolen cookies provide excessive API access when tied to elevated OAuth scopes. Applications granted unnecessary permissions amplify impact of session hijacking.
MC-233: Legacy Authentication Allowance
Fallback authentication paths enable privilege chaining. Legacy protocols bypass modern security controls, creating additional attack surface for stolen sessions.
Infostealer malware harvests browser cookies containing active authenticated sessions from compromised endpoint storage.
Stage 4: Authentication Abuse
Stolen cookies replayed to cloud services, bypassing MFA and Conditional Access policies through inherited validation state.
Stage 6: Session Hijack
Attacker impersonates legitimate user with full session privileges, accessing admin portals and sensitive resources undetected.
Stage 8: Identity Persistence
Long-lived cookies enable sustained access across devices and geography, surviving password resets and security interventions.
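Detection logic for the two behaviours this chain describes (a session cookie used from a different country and browser than the one it was issued to, with no new sign-in event, and a session still in use after the user's password reset). This is an added example, not code from the original page; the event records, field names and timestamps are constructed for illustration.

```python
from datetime import datetime

# Constructed sample telemetry: each record is a sign-in, password reset or
# resource-access event carrying the opaque session identifier ("sid").
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "sid": "S1", "event": "signin",
     "ip": "203.0.113.10", "country": "DE", "ua": "Chrome/124 Windows"},
    {"ts": "2024-05-01T08:30:00", "user": "alice", "sid": "S1", "event": "access",
     "ip": "203.0.113.10", "country": "DE", "ua": "Chrome/124 Windows"},
    # Same cookie used an hour later from another country and browser, no sign-in.
    {"ts": "2024-05-01T09:30:00", "user": "alice", "sid": "S1", "event": "access",
     "ip": "198.51.100.7", "country": "US", "ua": "Firefox/125 Linux"},
    {"ts": "2024-05-01T10:00:00", "user": "alice", "sid": "S1", "event": "password_reset",
     "ip": "203.0.113.10", "country": "DE", "ua": "Chrome/124 Windows"},
    # The session outlives the reset: still in use afterwards.
    {"ts": "2024-05-01T11:00:00", "user": "alice", "sid": "S1", "event": "access",
     "ip": "198.51.100.7", "country": "US", "ua": "Firefox/125 Linux"},
    {"ts": "2024-05-01T08:05:00", "user": "bob", "sid": "S2", "event": "signin",
     "ip": "192.0.2.5", "country": "FR", "ua": "Edge/124 Windows"},
    {"ts": "2024-05-01T09:05:00", "user": "bob", "sid": "S2", "event": "access",
     "ip": "192.0.2.5", "country": "FR", "ua": "Edge/124 Windows"},
]


def detect_session_replay(events):
    """Return alerts for sessions used outside the context they were issued in
    (or never issued by a visible sign-in) and for sessions surviving a reset."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort correctly
    issued = {}    # sid -> (country, user agent) bound at sign-in
    reset_at = {}  # user -> time of last password reset
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] == "signin":
            issued[e["sid"]] = (e["country"], e["ua"])  # (re)bind the session context
        elif e["event"] == "password_reset":
            reset_at[e["user"]] = ts
        elif e["event"] == "access":
            ctx = issued.get(e["sid"])
            # No sign-in seen for this sid, or a different country/browser than at sign-in
            if ctx is None or ctx != (e["country"], e["ua"]):
                alerts.append({"rule": "context_mismatch", "user": e["user"],
                               "sid": e["sid"], "ts": e["ts"]})
            # Session still accepted after the account's credentials were reset
            if e["user"] in reset_at and ts > reset_at[e["user"]]:
                alerts.append({"rule": "survives_reset", "user": e["user"],
                               "sid": e["sid"], "ts": e["ts"]})
    return alerts
```

Running it over the sample data yields three alerts, all for alice's session S1; the same rules can be fed from real sign-in and audit logs once the session identifier is available in both event streams.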
Threat Actor Attribution
ICTAM-010: Scattered Spider
Elite social engineering operators specializing in browser cookie theft campaigns targeting cloud administration sessions. Known for sophisticated MFA bypass techniques through session hijacking.
ICTAM-011: Lapsus$
Prolific threat group that relied heavily on stolen browser cookies to compromise major technology companies and cloud service providers.
ICTAM-030: Stealer Ecosystem
Underground marketplaces trading stolen session cookies at scale. Automated infostealer distribution networks feeding credential marketplaces globally.
ICTAM-020: RaaS Affiliates
Ransomware-as-a-Service operators purchasing stolen cookies to access cloud admin consoles, deploy ransomware, and exfiltrate sensitive data.
Multi-factor authentication is rendered ineffective when attackers inherit pre-validated sessions through stolen browser cookies, bypassing all authentication controls.
ETS-009: Privileged Session Hijack
Administrative session compromise leads to automated data exfiltration, privilege escalation, and persistent backdoor establishment across cloud infrastructure.