Also, Blue Shield Breach Exposes 4.7M, Cyberattack Disrupts City Systems in Texas

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week: a Cookie-Bite attack bypasses MFA in Azure Entra ID, Microsoft fixed RDP freezes, a ransomware attack hit a water utility in Catalonia, Blue Shield exposed member data to Google, a cyberattack disrupted city systems in Texas, a South Korean telecom breach exposed USIM data, and a warning about North Korean IT workers using deepfakes.
Cookie-Bite Attack Bypasses MFA in Entra ID
Varonis Threat Labs researchers outlined an attack technique they dub “Cookie-Bite” that exploits persistent authentication cookies to bypass multifactor authentication protections in the Azure cloud.
Azure’s Entra ID identity and access management service sets cookies named ESTSAUTH and ESTSAUTHPERSISTENT. The attack envisioned by Varonis would grant persistent access to Microsoft 365 services such as Outlook and Teams, allowing attackers to perform reconnaissance, escalate privileges and move laterally within organizations.
The proof of concept uses a malicious Chrome extension and a PowerShell script to steal the session cookies each time a user logs into Microsoft’s authentication portal. These cookies, which authenticate a user and attest that MFA has already been satisfied, act as “keys to the kingdom” for attackers – and the approach avoids traditional malware or system changes, making detection difficult.
Although the technique doesn’t exploit a new vulnerability, it shows how session hijacking can enable long-term cloud access. Varonis recommends mitigations such as using Microsoft’s risk detection tools and enforcing Chrome extension allow lists via ADMX policies – steps many organizations overlook.
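One detection-side illustration of the point above, as an added example that is not Varonis’ or Microsoft’s code: a stolen persistent session cookie shows up as the same session being used from a client other than the one that completed MFA. The records below are constructed and simplified; the field names (user, session_id, ip, user_agent, mfa_satisfied) are assumptions, not the Entra ID sign-in log schema.

```python
"""Flag a persistent session cookie being reused from a different client.

Added example, not from the original article or from Varonis/Microsoft.
The record format is a constructed simplification of a sign-in log, not
the real Entra ID schema.
"""

# Constructed sample records: Alice completes MFA once, then her session
# cookie is presented from a different IP and browser without a fresh MFA.
SAMPLE_LOGS = [
    {"ts": "2025-04-21T08:01:00Z", "user": "alice@example.test", "session_id": "sess-A1",
     "ip": "203.0.113.10", "user_agent": "Chrome/124 Windows", "mfa_satisfied": True},
    {"ts": "2025-04-21T08:05:00Z", "user": "alice@example.test", "session_id": "sess-A1",
     "ip": "203.0.113.10", "user_agent": "Chrome/124 Windows", "mfa_satisfied": False},
    {"ts": "2025-04-21T09:40:00Z", "user": "alice@example.test", "session_id": "sess-A1",
     "ip": "198.51.100.77", "user_agent": "Firefox/125 Linux", "mfa_satisfied": False},
    {"ts": "2025-04-21T10:00:00Z", "user": "bob@example.test", "session_id": "sess-B9",
     "ip": "203.0.113.22", "user_agent": "Edge/124 Windows", "mfa_satisfied": True},
]


def find_session_replays(records):
    """Return alerts for sessions used from a client other than the MFA one.

    Each session_id is bound to the (ip, user_agent) seen on its most recent
    MFA-satisfied sign-in. A later use of the same session_id that carries no
    fresh MFA and comes from a different fingerprint is flagged; that is the
    shape a replayed ESTSAUTH/ESTSAUTHPERSISTENT cookie produces.
    """
    origin = {}  # session_id -> (ip, user_agent) at the time MFA was satisfied
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):  # ISO timestamps sort lexically
        sid = rec["session_id"]
        fingerprint = (rec["ip"], rec["user_agent"])
        if rec["mfa_satisfied"]:
            origin[sid] = fingerprint  # (re)bind the session on every fresh MFA
            continue
        if sid in origin and origin[sid] != fingerprint:
            alerts.append({"user": rec["user"], "session_id": sid, "ts": rec["ts"],
                           "expected": origin[sid], "observed": fingerprint})
    return alerts


if __name__ == "__main__":
    for a in find_session_replays(SAMPLE_LOGS):
        print(f"ALERT {a['ts']} {a['user']} session {a['session_id']} "
              f"moved from {a['expected']} to {a['observed']}")
```

In production the fingerprint would need tuning (mobile users change IPs, browsers update), so this logic is a starting point for a risk signal rather than a blocking rule.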
Microsoft Fixes RDP Freezes
Microsoft resolved remote desktop session freezes on Windows Server 2025 and Windows 11 24H2 with the April Patch Tuesday update. The bug, introduced in February’s KB5051987, caused RDP sessions to become unresponsive. Fixes were deployed in KB5052093 for Windows 11 and KB5055523 for Server. The April update introduced new problems: some users now face Windows Hello login failures and domain controllers running Windows Server 2025 may become unreachable after reboot, disrupting services. A separate long-standing issue causing blue screens on systems with over 256 logical processors was also resolved in November 2024’s KB5046617 update.
Ransomware Hackers Attack Catalonian Water Utility
A Catalonian coastal town roughly an hour north of Barcelona informed inhabitants of an apparent April 21 ransomware attack involving the theft of data such as names, birth dates, banking information and housing ownership status. The Mataró Water Utility Company said hackers encrypted servers on Monday – but that the incident has not affected water delivery.
Blue Shield Breach Exposes 4.7M
Blue Shield of California reported to federal regulators that 4.7 million individuals are affected by a breach involving the company’s previous use of online tracking tools on its websites.
Blue Shield in early April said it discovered in February that the company had shared health plan members’ protected health information for nearly three years with Google for advertising purposes because of the way Google Analytics online tracking tools were configured on the insurer’s websites (see: Blue Shield Web Trackers Shared Member PHI to Google Ads).
As of Wednesday, California Physicians’ Service, which does business as Blue Shield of California, faced at least five proposed federal class action lawsuits filed in recent weeks involving the online tracking incident.
That includes a complaint filed Tuesday alleging that Blue Shield violated the Electronic Communications Privacy Act whenever individuals interacted with Blue Shield’s websites and embedded code redirected the contents of those communications to third parties, including Google.
The lawsuit seeks financial damages as well as injunctive relief, including prohibiting Blue Shield from making any further disclosures of plaintiff or class members’ communications to third parties without their authorization.
Cyberattack Hits Texas, Disrupts City Systems
Abilene, Texas, shut down key systems on Friday after a cyberattack caused internal server issues. City officials activated their incident response plan, disconnected critical assets and brought in cybersecurity experts. Emergency services remain operational, but some systems are still offline. No financial irregularities were detected, and utility shutoffs for late payments are paused. The city is working toward full recovery.
South Korean Telecom Breach Exposes USIM Data in Malware Attack
SK Telecom, South Korea’s largest mobile operator, detected a malware attack on Saturday that exposed sensitive data related to subscriber identity modules. The company removed the malware, isolated compromised systems and reported the incident to regulators. While no misuse of the leaked data has been confirmed, the exposed USIM information – including IMSI, MSISDN and authentication keys – could be exploited for surveillance or SIM-swap attacks. In response, SK Telecom has enhanced monitoring, blocked suspicious SIM swaps and urged users to enable USIM protection.
North Korean IT Workers Use Deepfakes to Infiltrate Global Tech Firms
North Korean operatives are using real-time deepfake technology to obtain remote IT positions at international companies, warned Palo Alto Networks’ Unit 42. With minimal experience and affordable tools, individuals can create convincing synthetic identities in little more than an hour.
North Korean operatives employ deepfakes during video interviews, often using identical virtual backgrounds across different fabricated personas. Once embedded, they can exfiltrate sensitive data, deploy unauthorized tools and even insert malicious code into software repositories.
Palo Alto Networks recommended that companies strengthen their hiring and security measures. Recommendations include implementing multi-layered identity verification, monitoring for anomalies throughout the employee lifecycle and educating HR teams about emerging threats. As deepfake technology becomes increasingly sophisticated, organizations should remain vigilant.
With reporting from Information Security Media Group’s Akshaya Asokan in southern England, Marianne Kolbasuk McGee in the Boston exurbs and David Perera in Northern Virginia.