this post was submitted on 22 Apr 2025

Pulse of Truth

Cyber Security news and links to cyber security stories that could make you go hmmm. The content is exactly as it is consumed through RSS feeds and won't be edited (except for the occasional encoding errors).

This community is automagically fed by an instance of Dittybopper.

A proof-of-concept (PoC) attack vector exploits two Azure authentication tokens from within a browser, giving threat actors persistent access to key cloud services, including Microsoft 365 applications.

top 3 comments
[–] [email protected] 2 points 4 days ago* (last edited 4 days ago) (1 children)

What a clickbait title. It notably does not provide persistence beyond the length of the session they steal the auth for. So max of 90 days but only in an environment that allows the "keep me signed in" checkbox with the longest time allowance. Don't be a dummy with your settings. No methods given to pivot directly to longer persistence, just some vague situational hypotheticals.

This is nothing new. The Varonis page linked to by this article is an educational proof of concept guide to how an attacker could leverage a number of things that have existed for a while, showing just how far an attacker can get if they manage to snag the session cookie for an authenticated Azure (or other cloud service) session.

It includes some example code for a cookie stealer Chrome extension, PowerShell code for temporarily deploying said extension to a local Chrome install, links some tools, and provides instructions on how to pivot the session cookie into other info and the actual session and refresh tokens.

[–] [email protected] 1 points 4 days ago (1 children)

Is this attack unique to Microsoft Entra ID? Can this not be used to steal auth cookies for any web app which uses such a mechanism?

[–] [email protected] 1 points 3 days ago* (last edited 3 days ago)

Not at all, you're absolutely right. In the Varonis article this clickbaity one references, they list out the corresponding session cookies for Google's cloud platform and AWS as well.