What Is Pass-the-Cookie?

Written by: Brenda Buckman

Published: 3/18/2026

Summarize This Page

On This Page

Pass-the-cookie is a session hijacking attack where adversaries steal authenticated browser cookies to impersonate a user—bypassing multi-factor authentication entirely. The password is irrelevant. The cookie is the key.

MFA is supposed to be the safety net. You enabled it. You made your team use it. And yet, your Microsoft 365 account still got breached.

This is the reality of pass-the-cookie attacks. They don't break your MFA. They skip it.

When you authenticate to a cloud app like Microsoft 365 or Google Workspace, your browser stores a session cookie—the cookietells the application "this person already proved who they are." It's what keeps you from having to log in every 30 seconds. Pass-the-cookie attacks steal that cookie and replay it in the attacker's browser. The application sees a valid, authenticated session and lets them right in. No password required. No MFA prompt. No warning.

It's not a new concept, but it's become one of the most effective techniques adversaries use against businesses today, specifically because so much of work now lives inside cloud applications, and so many businesses have invested in MFA, thinking it closed the door.

It didn't. Not completely.

Key Takeaways

Session cookies — not passwords — are what attackers are after, because stealing one grants full access to Microsoft 365, Google Workspace, and connected SaaS apps without triggering MFA
The three-stage attack chain moves from cookie theft to silent replay to rapid escalation, with BEC fraud often following within hours of initial access
Microsoft Entra ID sign-in logs hold the most critical detection signals, including impossible travel, anonymous proxy logins, and inbox rule modifications made immediately after access
Defense requires a combination of continuous access evaluation, phishing-resistant MFA, shorter session lifespans, and a SOC that can correlate signals and revoke sessions fast

The attack has three stages, and the third one is where the real damage happens.

Stage 1: Cookie theft

Attackers get the session cookie through one of three main methods:

Infostealer malware—tools like Raccoon Stealer, RedLine, Lumma, and Vidar are designed specifically to scrape stored credentials and session cookies from browsers like Chrome, Edge, and Firefox. One phishing email, one malicious download, one compromised website—and every authenticated session on that machine is exposed.
Adversary-in-the-middle (AiTM) phishing—attackers set up a reverse proxy that sits between the victim and the real login page. The user goes through a normal-looking authentication flow (including MFA), but the proxy captures the session cookie in real time. Tools like Evilginx make this shockingly accessible to adversaries who aren't particularly sophisticated.
Cross-site scripting (XSS)—less common in modern SaaS attacks, but vulnerabilities in web apps can let attackers run scripts that extract cookie values from a user's active session.

Stage 2: Cookie replay

The attacker imports the stolen cookie into their own browser using developer tools or browser extensions. Done. That's it. Their browser now looks like the victim's authenticated session to every cloud application that trusts that cookie.

Stage 3: Access and escalation

Now they're in. From here, they can:

Read email and set up forwarding rules to exfiltrate ongoing correspondence
Search for finance-related threads to set up business email compromise (BEC) fraud
Access SharePoint or OneDrive to steal sensitive documents
Create new accounts or modify permissions to maintain persistent access
Use the compromised identity as a launchpad into connected systems

The average time from initial access to sending a fraudulent wire transfer request in a BEC attack is measured in hours. By the time your team spots something unusual, the damage may already be done.

This isn't a niche, highly technical attack. It's a mainstream technique that adversaries use precisely because it works against the security controls most businesses have already deployed.

Consider what you're up against:

MFA is table stakes—and attackers know it. Most organizations have rolled out MFA. Adversaries responded by shifting their focus from stealing passwords to stealing sessions. They didn't break MFA; they just moved one step downstream.

Infostealer malware is cheap and commoditized. You don't need to be a nation-state actor to deploy a cookie-stealing infostealer. Malware-as-a-service offerings make these tools available to anyone willing to pay a monthly subscription. The Huntress 2026 Cyber Threat Report found infostealer activity among the most common malware categories observed across managed environments.

Cloud apps make stolen sessions more valuable. Ten years ago, stealing a session cookie might have gotten you into a single web application. Today, a valid Microsoft 365 session can open email, Teams, SharePoint, OneDrive, Azure AD, and every connected SaaS integration—in one shot.

Many applications issue tokens that can remain valid for days or longer, especially when refresh tokens are in play. If you don't actively monitor for session anomalies, a stolen cookie can provide persistent, undetected access long after the initial theft.

What attackers target

Any SaaS application using cookie-based session authentication is in scope. In practice, the highest-value targets are:

Application	Why it's targeted
Microsoft 365	Email, Teams, SharePoint, OneDrive, Azure AD—the keys to the kingdom for most organizations
Google Workspace	Gmail + Drive access; often connected to dozens of third-party SaaS tools
Salesforce	Customer data, deal flow, and often a bridge to finance/legal communications
HR and payroll systems	Direct path to fraudulent direct-deposit changes
VPN and remote access portals	Can open the door to internal network access

For organizations running Microsoft 365, this is your highest-risk surface. Microsoft Entra ID sign-in logs are your first line of visibility—if you're not monitoring them, you're flying blind.

The cookie is stolen silently. The replay, though, leaves tracks—if you know what to look for.

Watch for these signals in your identity provider and SIEM logs:

New device or user agent strings on an established account: a session originating from a browser fingerprint that doesn't match the user's known devices.
Sign-in from unfamiliar IP rangesor anonymous proxies: attackers often route replayed sessions through VPNs or residential proxies to avoid geolocation blocks.
Inbox rule creation immediately after login: a common post-access move; attackers set forwarding rules to route emails to an external address.
Risky sign-in alerts: Microsoft Entra ID and similar platforms flag anomalous sessions; don't ignore these.
MFA success with no corresponding device authentication: successful sign‑ins that don’t match the user’s usual device posture or compliant device list

The challenge is connecting these dots fast enough. Individual signals are easy to miss; correlation across identity, endpoint, and email logs is where detection becomes reliable. This is exactly the kind of multi-source investigation where having a 24/7 security operations center (SOC) reviewing your environment pays off.

No single control stops this. Defense-in-depth is the honest answer.

Reduce the attack surface:

Enable continuous access evaluation (CAE) in Microsoft Entra ID to shorten session token lifespans and enforce real-time revocation
Require compliant, managed devices for access to sensitive applications—unmanaged personal devices are the most common vector for infostealer infections
Use phishing-resistant MFA methods (hardware security keys, passkeys) instead of SMS or authenticator app codes; while pass-the-cookie bypasses MFA entirely, phishing-resistant methods reduce the AiTM attack surface upstream

Detect and contain faster:

Monitor identity provider sign-in logs continuously—not just for failed logins, but for anomalous successful ones
Configure alert rules for impossible travel, new device sign-ins, and inbox rule modifications
Build a response runbook that includes session revocation as a first step, any time account compromise is suspected

Reduce the impact of a stolen cookie:

Enforce session token lifespans appropriate to your risk tolerance—shorter sessions mean a smaller window of exploitation
Use application-level access controls or the principle of least privilege so that even a valid session can't access everything without additional authorization
Train your team to recognize phishing lures; AiTM proxies depend on users entering credentials on lookalike login pages

How Huntress helps

Pass-the-cookie attacks don't announce themselves. They look like legitimate sign-ins because, technically, they are—just from someone who isn't who they claim to be.

Huntress Managed ITDR monitors Microsoft 365 environments for exactly these patterns—flagging anomalous sessions, suspicious inbox rules, unusual sign-in behavior, and other identity-based indicators of compromise that point to a stolen session before the breach escalates into a business email compromise fraud, a data leak, or a ransomware deployment.

And when something fires, our SOC analysts investigate. You don't get an alert and a shrug. You get a clear answer: this is what happened, this is what's at risk, this is what to do next.

See how Huntress Managed ITDR works

Read the Huntress Cyber Threat Report

Related Terms

What is an Adversary-in-the-Middle (AiTM) Attack?

Learn how AiTM attacks bypass MFA by stealing session cookies through proxy servers. Learn detection methods and defense strategies for this evolving threat.

What Is Session Hijacking? The Silent Threat: Bypassing MFA

Session hijacking allows attackers to bypass MFA by stealing session tokens. Learn how AitM attacks work and how to detect them before damage occurs

What Is Identity Resilience? A Security Explainer

Learn what identity resilience is, why it's critical for security, and how to build a strategy that survives a credential-based attack.

What is a Session in Cybersecurity? Explained

Cookie Logging Explained for Cybersecurity Pros & Cybersecurity Beginners

What is Quishing?

What exactly is a Token in Computers?

What Is Pass the Hash (PtH) and How Does It Work?

What is Address Space Layout Randomization (ASLR)? A Guide

FAQs for Pass-the-Cookie

Pass-the-cookie is a session hijacking attack where an adversary steals an authenticated browser session cookie and uses it to access cloud applications as if they were the legitimate user—without needing a password or completing multi-factor authentication (MFA).

When you log in with MFA, your browser stores a session cookie that confirms authentication has already happened. Pass-the-cookie attacks steal that post-authentication cookie, so the attacker's browser presents it as already-verified. The application sees a valid session—no MFA prompt needed.

Pass-the-hash targets on-premises Windows environments by stealing NTLM password hashes to authenticate to internal systems. Pass-the-cookie targets cloud and SaaS applications by stealing web session tokens to hijack already-authenticated browser sessions.

Any SaaS application that uses cookie-based session authentication is at risk—most notably Microsoft 365, Google Workspace, Salesforce, and other web-based tools your team uses daily. Microsoft 365 is the most common target because of its widespread use and the value of email access for follow-on attacks like business email compromise.

The three most common methods are: infostealer malware (like Raccoon Stealer, RedLine, or Lumma) that harvests cookies directly from the browser; adversary-in-the-middle (AiTM) phishing proxies that intercept the session in real time; and cross-site scripting (XSS) vulnerabilities that let attackers execute scripts to extract cookie values.

They help, but they're not foolproof. Conditional access policies that enforce device compliance or IP-based restrictions can flag suspicious sessions. However, attackers increasingly use residential proxies or compromised machines that already meet compliance criteria to evade these controls.

Look for sign-in events from unusual geolocations or IP addresses, impossible travel (two logins from geographically distant locations within minutes), session activity that doesn't match the user's normal hours, and risky sign-in alerts in your identity provider. SIEM log correlation is essential for catching these patterns.

Revoke all active sessions for the affected account immediately through your identity provider (Microsoft Entra ID, Okta, etc.). Reset the user's credentials, investigate inbox rules and forwarding that may have been set, check for data exfiltration, and run an endpoint investigation to find the source of the infostealer if malware was involved.

Pass-the-cookie is a specific form of session hijacking. Session hijacking is the broader concept of taking over an authenticated session; pass-the-cookie is the method where a stolen cookie token is replayed in a different browser to impersonate the victim.

HTTPS protects cookies in transit—it prevents interception on the network. But pass-the-cookie attacks typically steal cookies after they're already stored on the device, using malware or phishing proxies. HTTPS doesn't protect against endpoint compromise or AiTM attacks.

Protect What Matters

Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.

Start for Free

What Is Pass-the-Cookie?