What Is Pass-the-Cookie?
(Authoritative Definition, Examples, and When It Matters)
Written by: Brenda Buckman
Published: 3/18/2026
Pass-the-cookie is a session hijacking attack where adversaries steal authenticated browser cookies to impersonate a user—bypassing multi-factor authentication entirely. The password is irrelevant. The cookie is the key.
MFA is supposed to be the safety net. You enabled it. You made your team use it. And yet, your Microsoft 365 account still got breached.
This is the reality of pass-the-cookie attacks. They don't break your MFA. They skip it.
When you authenticate to a cloud app like Microsoft 365 or Google Workspace, your browser stores a session cookie—the cookietells the application "this person already proved who they are." It's what keeps you from having to log in every 30 seconds. Pass-the-cookie attacks steal that cookie and replay it in the attacker's browser. The application sees a valid, authenticated session and lets them right in. No password required. No MFA prompt. No warning.
It's not a new concept, but it's become one of the most effective techniques adversaries use against businesses today, specifically because so much of work now lives inside cloud applications, and so many businesses have invested in MFA, thinking it closed the door.
It didn't. Not completely.
Key Takeaways
Session cookies — not passwords — are what attackers are after, because stealing one grants full access to Microsoft 365, Google Workspace, and connected SaaS apps without triggering MFA
The three-stage attack chain moves from cookie theft to silent replay to rapid escalation, with BEC fraud often following within hours of initial access
Microsoft Entra ID sign-in logs hold the most critical detection signals, including impossible travel, anonymous proxy logins, and inbox rule modifications made immediately after access
Defense requires a combination of continuous access evaluation, phishing-resistant MFA, shorter session lifespans, and a SOC that can correlate signals and revoke sessions fast
How does a pass-the-cookie attack work?
The attack has three stages, and the third one is where the real damage happens.
Stage 1: Cookie theft
Attackers get the session cookie through one of three main methods:
Infostealer malware—tools like Raccoon Stealer, RedLine, Lumma, and Vidar are designed specifically to scrape stored credentials and session cookies from browsers like Chrome, Edge, and Firefox. One phishing email, one malicious download, one compromised website—and every authenticated session on that machine is exposed.
Adversary-in-the-middle (AiTM) phishing—attackers set up a reverse proxy that sits between the victim and the real login page. The user goes through a normal-looking authentication flow (including MFA), but the proxy captures the session cookie in real time. Tools like Evilginx make this shockingly accessible to adversaries who aren't particularly sophisticated.
Cross-site scripting (XSS)—less common in modern SaaS attacks, but vulnerabilities in web apps can let attackers run scripts that extract cookie values from a user's active session.
Stage 2: Cookie replay
The attacker imports the stolen cookie into their own browser using developer tools or browser extensions. Done. That's it. Their browser now looks like the victim's authenticated session to every cloud application that trusts that cookie.
Stage 3: Access and escalation
Now they're in. From here, they can:
Read email and set up forwarding rules to exfiltrate ongoing correspondence
Search for finance-related threads to set up business email compromise (BEC) fraud
Access SharePoint or OneDrive to steal sensitive documents
Create new accounts or modify permissions to maintain persistent access
Use the compromised identity as a launchpad into connected systems
The average time from initial access to sending a fraudulent wire transfer request in a BEC attack is measured in hours. By the time your team spots something unusual, the damage may already be done.
Why pass-the-cookie attacks are so effective right now
This isn't a niche, highly technical attack. It's a mainstream technique that adversaries use precisely because it works against the security controls most businesses have already deployed.
Consider what you're up against:
MFA is table stakes—and attackers know it. Most organizations have rolled out MFA. Adversaries responded by shifting their focus from stealing passwords to stealing sessions. They didn't break MFA; they just moved one step downstream.
Infostealer malware is cheap and commoditized. You don't need to be a nation-state actor to deploy a cookie-stealing infostealer. Malware-as-a-service offerings make these tools available to anyone willing to pay a monthly subscription. The Huntress 2026 Cyber Threat Report found infostealer activity among the most common malware categories observed across managed environments.
Cloud apps make stolen sessions more valuable. Ten years ago, stealing a session cookie might have gotten you into a single web application. Today, a valid Microsoft 365 session can open email, Teams, SharePoint, OneDrive, Azure AD, and every connected SaaS integration—in one shot.
Many applications issue tokens that can remain valid for days or longer, especially when refresh tokens are in play. If you don't actively monitor for session anomalies, a stolen cookie can provide persistent, undetected access long after the initial theft.
What attackers target
Any SaaS application using cookie-based session authentication is in scope. In practice, the highest-value targets are:
Application | Why it's targeted |
Microsoft 365 | Email, Teams, SharePoint, OneDrive, Azure AD—the keys to the kingdom for most organizations |
Google Workspace | Gmail + Drive access; often connected to dozens of third-party SaaS tools |
Salesforce | Customer data, deal flow, and often a bridge to finance/legal communications |
HR and payroll systems | Direct path to fraudulent direct-deposit changes |
VPN and remote access portals | Can open the door to internal network access |
For organizations running Microsoft 365, this is your highest-risk surface. Microsoft Entra ID sign-in logs are your first line of visibility—if you're not monitoring them, you're flying blind.
How to detect pass-the-cookie attacks
The cookie is stolen silently. The replay, though, leaves tracks—if you know what to look for.
Watch for these signals in your identity provider and SIEM logs:
New device or user agent strings on an established account: a session originating from a browser fingerprint that doesn't match the user's known devices.
Sign-in from unfamiliar IP rangesor anonymous proxies: attackers often route replayed sessions through VPNs or residential proxies to avoid geolocation blocks.
Inbox rule creation immediately after login: a common post-access move; attackers set forwarding rules to route emails to an external address.
Risky sign-in alerts: Microsoft Entra ID and similar platforms flag anomalous sessions; don't ignore these.
MFA success with no corresponding device authentication: successful sign‑ins that don’t match the user’s usual device posture or compliant device list
The challenge is connecting these dots fast enough. Individual signals are easy to miss; correlation across identity, endpoint, and email logs is where detection becomes reliable. This is exactly the kind of multi-source investigation where having a 24/7 security operations center (SOC) reviewing your environment pays off.
How to prevent pass-the-cookie attacks
No single control stops this. Defense-in-depth is the honest answer.
Reduce the attack surface:
Enable continuous access evaluation (CAE) in Microsoft Entra ID to shorten session token lifespans and enforce real-time revocation
Require compliant, managed devices for access to sensitive applications—unmanaged personal devices are the most common vector for infostealer infections
Use phishing-resistant MFA methods (hardware security keys, passkeys) instead of SMS or authenticator app codes; while pass-the-cookie bypasses MFA entirely, phishing-resistant methods reduce the AiTM attack surface upstream
Detect and contain faster:
Monitor identity provider sign-in logs continuously—not just for failed logins, but for anomalous successful ones
Configure alert rules for impossible travel, new device sign-ins, and inbox rule modifications
Build a response runbook that includes session revocation as a first step, any time account compromise is suspected
Reduce the impact of a stolen cookie:
Enforce session token lifespans appropriate to your risk tolerance—shorter sessions mean a smaller window of exploitation
Use application-level access controls or the principle of least privilege so that even a valid session can't access everything without additional authorization
Train your team to recognize phishing lures; AiTM proxies depend on users entering credentials on lookalike login pages
How Huntress helps
Pass-the-cookie attacks don't announce themselves. They look like legitimate sign-ins because, technically, they are—just from someone who isn't who they claim to be.
Huntress Managed ITDR monitors Microsoft 365 environments for exactly these patterns—flagging anomalous sessions, suspicious inbox rules, unusual sign-in behavior, and other identity-based indicators of compromise that point to a stolen session before the breach escalates into a business email compromise fraud, a data leak, or a ransomware deployment.
And when something fires, our SOC analysts investigate. You don't get an alert and a shrug. You get a clear answer: this is what happened, this is what's at risk, this is what to do next.
Related Terms
FAQs for Pass-the-Cookie
Protect What Matters
