A proof-of-concept (PoC) attack vector exploits two Azure authentication tokens from within a browser, giving threat actors persistent access to key cloud services, including Microsoft 365 applications.
What a clickbait title. It notably does not provide persistence beyond the length of the session they steal the auth for. So max of 90 days, but only in an environment that allows the “keep me signed in” checkbox with the longest time allowance. Don’t be a dummy with your settings. No methods given to pivot directly to longer persistence, just some vague situational hypotheticals.
This is nothing new. The Varonis page linked to by this article is an educational proof of concept guide to how an attacker could leverage a number of things that have existed for a while, showing just how far an attacker can get if they manage to snag the session cookie for an authenticated Azure (or other cloud service) session.
It includes some example code for a cookie-stealer Chrome extension, PowerShell code for temporarily deploying said extension to a local Chrome install, links to some tools, and provides instructions on how to pivot the session cookie into other info and the actual session and refresh tokens.
Is this attack unique to Microsoft Entra ID? Can this not be used to steal auth cookies for any web app which uses such a mechanism?
Not at all, you’re absolutely right. In the Varonis article this clickbaity one references, they list out the corresponding session cookies for Google’s cloud platform and AWS as well.