AshetraceGet assessment
A web browser session and network traffic on a dark monitor, the layer where session cookies are issued, stolen and replayed.

Threat Intelligence

Stolen session cookies: how attackers bypass MFA and how to revoke access

Session cookie theft is the reuse of a stolen, already-authenticated session token to impersonate a user without their password or a second factor. Infostealer malware lifts the cookie from the browser, and a buyer replays it to log in as the victim. Because the session is already trusted, the attacker skips both the password and the MFA prompt. SpyCloud recaptured 17.3 billion stolen session cookies from infected devices in 2024.

Key takeaways
  • SpyCloud recaptured 17.3 billion stolen session cookies from malware-infected devices in 2024, an average of 1,861 cookies per infection (SpyCloud 2025).
  • 276 million credentials indexed in 2025 carried an active session cookie, 31% of all malware-sourced credentials (Recorded Future).
  • A replayed cookie reuses an already-authenticated session, so it bypasses both the password and the MFA prompt entirely.
  • A password reset does not end a live session. The stolen token stays valid until it expires or is explicitly revoked (Microsoft Entra docs).
  • Stolen credentials surface fast: 36.4% appear within 24 hours of theft and 52.9% within a week (Recorded Future).

A session cookie, also called a session token, is the small piece of data a server hands your browser after you sign in, so it recognizes you on every later request without re-checking your password. That makes it a bearer credential: whoever holds the token is treated as the logged-in user. Steal it, and you inherit the session. Recorded Future found 276 million credentials indexed in 2025 came bundled with an active session cookie (Recorded Future).

The key property is that the token stands in for the whole authentication ceremony. The password check, the MFA prompt and any passkey step all happen once, at login. After that, the session token is the proof, and it's what the browser sends on every request. An attacker who replays it never faces the checks the user already passed.

  • Session cookies: browser tokens that keep a web app signed in until they expire or are revoked.
  • OAuth refresh tokens: long-lived tokens that silently mint new access tokens without another login.
  • SSO and SAML assertions: single-sign-on artifacts that open many linked apps at once.
  • Access tokens (JWTs): short-lived bearer tokens, often valid for about an hour by default (Microsoft Entra docs).

How do infostealers steal session cookies?

Infostealers read the browser's own cookie store and copy it wholesale. Once a device is infected, the malware decrypts the cookie database, scrapes saved logins and autofill, and ships the bundle to the operator in seconds. SpyCloud measured an average of 1,861 cookies harvested per infection in 2024 (SpyCloud). One sweep of one browser can expose hundreds of active sessions.

The result is a stealer log: a snapshot of one device holding cookies for email, SSO, cloud consoles and internal apps, each paired with the URL it belongs to. A buyer doesn't need to guess where a cookie works, because the log says so. As SpyCloud puts it, session hijacking lets an attacker impersonate legitimate users without the need for credentials, MFA, or passkeys (SpyCloud).

Session cookies inside the stolen-credential pool
Malware-sourced credentials carrying an active session cookie 31% Credentials with cookies indexed in 2025 276M Average stolen credentials per infected device 87
Share and volume of malware-sourced credentials that carried an active session cookie in 2025. Source: Recorded Future.

About 31% of malware-stolen credentials in 2025 shipped with a session cookie ready to replay (Recorded Future). MFA guards the login event, not the session that follows it. When an attacker imports a stolen cookie into their own browser, the app sees a session that already cleared authentication, so it never asks for a password or a second factor. Recorded Future describes session hijacking as an attack that skips the login process altogether (Recorded Future). The control fired once, and the token outlived it.

Concretely, cookie replay runs in four steps, and none of them touch the MFA prompt the user already answered:

  • The victim signs in normally, clears MFA, and the app issues a session cookie to the browser.
  • An infostealer on the device copies that cookie and exfiltrates it inside a stealer log.
  • A buyer imports the cookie into their own browser or an anti-detect tool matched to the victim's fingerprint.
  • The app validates the session and grants access. No password, no MFA prompt, no anomaly at the login form.

Why doesn't a password reset kill a stolen session?

SpyCloud recaptured 17.3 billion stolen cookies in 2024, and a reset touches none of them (SpyCloud). Because the password and the session token are two separate credentials with separate lifetimes. Resetting the password invalidates a secret the attacker may not even be using, while the stolen cookie keeps working until it expires or is explicitly revoked. Microsoft's own guidance is blunt: to end a session you must revoke the token, and for app-issued session tokens the application, not the identity provider, has to do it (Microsoft Entra docs).

This is the gap most incident playbooks leave open. A team detects a compromised account, forces a password change, and calls it contained, while the replayed session quietly stays live. Containment means killing the active session, not only rotating the secret behind it. The stolen token is the credential in use.

Why a password reset alone leaves the attacker in
Response action Password reset Password credential Invalidated Stolen session token Still valid Attacker Keeps access
A reset rotates the password, but the stolen session token stays valid until it is revoked. Source: Microsoft Entra docs.

How do you actually revoke a stolen session?

On Microsoft Entra, an access token can stay valid for up to 1 hour unless you revoke it (Microsoft). You revoke the session itself, then force the next request to reauthenticate. In Microsoft Entra that means blocking sign-in and calling revoke on the user's sessions, which invalidates the refresh tokens so no new access tokens can be minted (Microsoft Entra docs). Because a default access token can live for about an hour, revocation alone still leaves a short window unless you also enforce continuous evaluation.

  • Invalidate sessions: revoke refresh tokens and sign-in sessions for the user, not just the password.
  • Rotate what the token reaches: reset the password and any API keys or app secrets the session could reach.
  • Force reauthentication: apply conditional access so the next request must re-prove identity with phishing-resistant MFA.
  • Close the token window: enable Continuous Access Evaluation (CAE) so revocation lands in near real time, not after the token expires (Microsoft Entra docs).
  • Revoke at the app too: app-issued session tokens must be killed by the app, since the identity provider can't revoke them for you.

One more shift matters: shorten session lifetimes and bind tokens to a device or client where you can. A stolen cookie is only useful while it's valid, so the smaller the window and the tighter the binding, the less a replayed token buys an attacker.

How do you detect stolen session cookies before they're replayed?

You watch the criminal supply of stealer logs for your domains, because the theft happens on devices your controls never see. Stolen credentials move fast once indexed: Recorded Future found 36.4% surface within 24 hours of exfiltration and 52.9% within a week (Recorded Future). Waiting for a suspicious login means reacting after the replay, not before it.

36.4%Of stolen credentials surface within 24 hours of exfiltration (Recorded Future)
11 daysGlobal median attacker dwell time in 2024 (Mandiant M-Trends 2025)
22%Of breaches used stolen credentials as the top initial access action (Verizon 2025 DBIR)

This is post-compromise exposure monitoring, and it's the model Ashetrace is built around: find every exposed identity and session tied to a domain you control, confirm what is still live, and hand your team an auditable list to revoke. You verify a domain you own, and no passwords, cookies or tokens ever change hands. The useful question isn't whether your users' cookies leak, it's how fast you cut the live sessions once they do.

Frequently asked

What is session cookie theft?

Session cookie theft is when malware copies the authenticated session token from a browser so an attacker can replay it and impersonate the user. Because the session already passed login, the attacker skips the password and MFA. SpyCloud recaptured 17.3 billion stolen cookies from infected devices in 2024.

Can stolen session cookies bypass MFA?

Yes. MFA gates the login event, not the session that follows, so a replayed cookie reuses an already-authenticated session and never triggers a prompt. Recorded Future found 276 million credentials indexed in 2025 carried an active session cookie, 31% of all malware-sourced credentials, each a ready-made MFA bypass.

Why doesn't a password reset stop a hijacked session?

A reset invalidates the password, but the stolen session token is a separate credential that stays valid until it expires or is explicitly revoked. Microsoft's Entra guidance says you must revoke the session, and app-issued tokens must be killed by the app itself, not just by rotating the password.

How do you revoke a stolen session cookie?

Block sign-in, revoke the user's refresh tokens and sessions, then force reauthentication with conditional access. Enable Continuous Access Evaluation so revocation lands in near real time, since a default access token can stay valid for about an hour. App-issued session tokens must be revoked at the application (Microsoft Entra docs).

How fast do attackers use stolen cookies?

Fast enough that speed of detection decides the outcome. Recorded Future found 36.4% of stolen credentials surface within 24 hours of exfiltration and 52.9% within a week. With a median attacker dwell time of 11 days (Mandiant M-Trends 2025), early exposure monitoring closes the gap before replay.

Sources
  1. SpyCloud, 2025 Annual Identity Exposure Report (2025)
  2. Recorded Future, 2025 Identity Threat Landscape Report (2025)
  3. Recorded Future, Session Hijacking and MFA Bypass
  4. Microsoft, Revoke user access in an emergency in Microsoft Entra ID (2026)
  5. Mandiant (Google), M-Trends 2025 (2025)
  6. Verizon, 2025 Data Breach Investigations Report (DBIR) (2025)
Share

Start here

See what is still exposed in your environment

Verify a corporate domain and get a scoped exposure assessment. No passwords, cookies or tokens handed over.

Request an exposure assessment