
Web Session Cookie Theft

MITRE ATT&CK layer: Credential Access

Web session cookie theft is the act of stealing active authentication cookies from a user's browser to impersonate them or resume their logged-in session without knowing their password. The attacker doesn't authenticate; they inherit "trust" that was already granted.

How is Web Session Cookie Theft abused

Attackers mainly use infostealer malware or malicious browser extensions to extract cookies from browsers. More advanced campaigns use phishing proxy tools to capture cookies after MFA is completed, then replay the session immediately.

Why Web Session Cookie Theft matters

This attack bypasses passwords and MFA entirely and often produces no login alerts. Security logs show a 'normal' session, making detection difficult while attackers quietly take over accounts and move laterally.
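Because a replayed cookie generates no sign-in event, one place to look is session activity itself: a session ID used by a client that never authenticated on it. The following is an added example, not code from this page or any product; the event tuple layout, field names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (time, session_id, event, ip, user_agent)
SAMPLE_EVENTS = [
    ("2025-06-01T09:00:00", "sess-A", "login", "198.51.100.10", "Chrome/125 Windows"),
    ("2025-06-01T09:05:00", "sess-A", "request", "198.51.100.10", "Chrome/125 Windows"),
    ("2025-06-01T09:10:00", "sess-B", "login", "192.0.2.5", "Safari/17 macOS"),
    ("2025-06-01T09:20:00", "sess-A", "request", "203.0.113.77", "Firefox/126 Linux"),
    ("2025-06-01T09:21:00", "sess-A", "request", "203.0.113.77", "Firefox/126 Linux"),
    ("2025-06-01T09:25:00", "sess-A", "request", "198.51.100.10", "Chrome/125 Windows"),
    ("2025-06-01T09:30:00", "sess-B", "request", "192.0.2.5", "Safari/17 macOS"),
]


def find_replayed_sessions(events):
    """Report sessions used by a client that never signed in on them.

    Each session is tied to the (ip, user_agent) pairs seen on its own login
    events. A later request on the same session ID from any other pair is
    reported once per new client. IP and user agent are coarse signals
    (VPNs and mobile networks change them), so findings are leads to triage.
    """
    trusted = defaultdict(set)  # session_id -> clients that authenticated
    reported = set()            # (session_id, client) pairs already flagged
    findings = []
    for ts, sid, event, ip, ua in sorted(events):  # ISO timestamps sort in time order
        client = (ip, ua)
        if event == "login":
            trusted[sid].add(client)
            continue
        if client in trusted[sid] or (sid, client) in reported:
            continue
        reported.add((sid, client))
        reason = ("client differs from login client" if trusted[sid]
                  else "no login seen for session")
        findings.append({"session": sid, "time": ts, "ip": ip,
                         "user_agent": ua, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_EVENTS):
        print(finding)
```
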

Real-world example

'Cookie-Bite' Attack on Azure Entra ID (2025)

In mid-2025, a technique dubbed Cookie-Bite was identified in which a malicious extension steals session cookies from Azure Entra ID (Microsoft identity). It bypassed MFA and granted persistent access to services like Microsoft 365, Outlook, Teams, SharePoint and OneDrive simply by replaying those cookies. Security controls were technically working, but irrelevant, because the attacker never re-authenticated. One critical consequence was that a persistent cookie's 90-day validity meant a single theft could yield months of control.
