{"id":21969,"date":"2025-07-15T09:37:36","date_gmt":"2025-07-15T02:37:36","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=21969"},"modified":"2025-07-20T16:35:53","modified_gmt":"2025-07-20T09:35:53","slug":"cookie-bite-chrome-attack-steals-session","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/cookie-bite-chrome-attack-steals-session\/","title":{"rendered":"Chrome Users Beware: Cookie-Bite Technique Targets Your Session Cookies"},"content":{"rendered":"<p><span style=\"font-family: arial, helvetica, sans-serif\">In the context of increasingly sophisticated cybersecurity threats, a new attack technique called\u00a0<strong>Cookie-Bite<\/strong>\u00a0was discovered by security researchers and announced in April 2025. This technique uses a malicious Chrome browser extension to steal session cookies from Azure Entra ID, thereby bypassing multi-factor authentication (MFA) and maintaining access to cloud services like Microsoft 365, Outlook, and Teams.<\/span><\/p>\n<h2 id=\"heading-details\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\">Details<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">MFA is designed to prevent unauthorized access, but attackers continuously develop techniques to bypass this security barrier. Cookie-Bite is a prime example, allowing attackers to\u00a0<strong>steal user identities<\/strong>\u00a0by hijacking session cookies, thus accessing cloud services without needing passwords or MFA.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">By using\u00a0<strong>malicious browser extensions<\/strong>\u00a0and automation scripts, attackers can extract and reuse authentication cookies to impersonate legitimate users. 
They can even mimic the victim&#8217;s operating system, browser, and network to\u00a0<strong>bypass Conditional Access Policies (CAP)<\/strong>, maintaining long-term access without detection.<\/span><\/p>\n<h3 id=\"heading-how-does-cookie-bite-work\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\">How does Cookie-Bite work?<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Cookie-Bite is an attack that uses\u00a0<strong>a malicious Chrome extension<\/strong>\u00a0functioning as an\u00a0<strong>infostealer<\/strong>. This extension targets two critical types of cookies in Azure Entra ID\u2014Microsoft&#8217;s cloud-based identity and access management service:<\/span><\/p>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>ESTSAUTH<\/strong>: This is a temporary session token that confirms the user has been authenticated and completed MFA. This cookie is valid throughout the browser session, up to 24 hours, and expires when the application or browser is closed.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>ESTSAUTHPERSISTENT<\/strong>: This is the persistent version of the session cookie, created when the user selects the &#8220;Stay signed in&#8221; option or when Azure applies the KMSI (Keep Me Signed In) policy. This cookie can last up to\u00a0<strong>90 days<\/strong>.<\/span><\/li>\n<\/ol>\n<h3 id=\"heading-steps-of-the-cookie-bite-attack\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\">Steps of the Cookie-Bite Attack<\/span><\/h3>\n<h4><span style=\"font-family: arial, helvetica, sans-serif\"><strong>1. 
Monitor Login Events<\/strong>:<\/span><\/h4>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">The malicious extension is programmed to monitor the victim&#8217;s login events by\u00a0<strong>listening for tab updates<\/strong>\u00a0related to Microsoft&#8217;s login URLs (such as\u00a0<strong><a class=\"autolinkedURL autolinkedURL-url\" href=\"http:\/\/login.microsoftonline.com\/\" target=\"_blank\" rel=\"noopener nofollow\">login.microsoftonline.com<\/a><\/strong>).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">When a login event is detected, the extension reads all cookies related to this domain.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4><span style=\"font-family: arial, helvetica, sans-serif\"><strong>2. Extract Cookies<\/strong>:<\/span><\/h4>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">The extension filters and extracts the two target cookies (ESTSAUTH and ESTSAUTHPERSISTENT).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">The cookie data is packaged as JSON and sent to the attacker through a\u00a0<strong>Google Form<\/strong>, ensuring anonymity and making detection difficult.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4><span style=\"font-family: arial, helvetica, sans-serif\"><strong>3. 
Automate Extension Deployment<\/strong>:<\/span><\/h4>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">If the attacker has physical or remote access to the victim&#8217;s device, they can use a\u00a0<strong>PowerShell script<\/strong>\u00a0run through\u00a0<strong>Windows Task Scheduler<\/strong>\u00a0to automatically reinstall the malicious extension every time Chrome starts, exploiting the browser&#8217;s\u00a0<strong>Developer Mode<\/strong>.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">According to Varonis, after packaging the extension into a CRX file and testing it on VirusTotal,\u00a0<strong>no security vendors detected the extension as malicious<\/strong>, indicating a high level of sophistication and evasion capability.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4><strong style=\"font-family: arial, helvetica, sans-serif\">4. Inject Cookies and Bypass MFA<\/strong><span style=\"font-family: arial, helvetica, sans-serif\">:<\/span><\/h4>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">The attacker uses legitimate tools like\u00a0<strong>Cookie-Editor<\/strong>\u00a0(another Chrome extension) to import the stolen cookies into their browser, associating them with the domain\u00a0<strong><a class=\"autolinkedURL autolinkedURL-url\" href=\"http:\/\/login.microsoftonline.com\/\" target=\"_blank\" rel=\"noopener nofollow\">login.microsoftonline.com<\/a><\/strong>. 
<\/span><\/li>\n<\/ul>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/79c9e6e5-65d6-4b58-9019-f8437903669e-1750819338.webp\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-21970\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/79c9e6e5-65d6-4b58-9019-f8437903669e-1750819338.webp\" alt=\"79c9e6e5 65d6 4b58 9019 F8437903669e 1750819338\" width=\"899\" height=\"465\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/79c9e6e5-65d6-4b58-9019-f8437903669e-1750819338.webp 899w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/79c9e6e5-65d6-4b58-9019-f8437903669e-1750819338-700x362.webp 700w\" sizes=\"(max-width: 899px) 100vw, 899px\" \/><\/a><\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">After refreshing the page, Azure Entra ID considers the attacker&#8217;s session fully authenticated,\u00a0<\/span><strong style=\"font-family: arial, helvetica, sans-serif\">bypassing the MFA requirement<\/strong><span style=\"font-family: arial, helvetica, sans-serif\">\u00a0and granting access equivalent to the victim&#8217;s.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Further Exploitation<\/strong>:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">With access, the attacker can use tools like\u00a0<strong>Graph Explorer<\/strong>\u00a0to list users, roles, and devices in the organization.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">They can send messages, access chats on\u00a0<strong>Microsoft Teams<\/strong>, read or download emails from\u00a0<strong>Outlook Web<\/strong>, or even search for sensitive information like stored passwords in emails.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Advanced actions like\u00a0<strong>privilege escalation<\/strong>,\u00a0<strong>lateral movement<\/strong>, or\u00a0<strong>unauthorized app registration<\/strong>\u00a0can also be 
performed using tools like\u00a0<strong>TokenSmith<\/strong>,\u00a0<strong>ROADtools<\/strong>, or\u00a0<strong>AADInternals<\/strong>.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3 id=\"heading-flexibility-of-cookie-bite\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\">Flexibility of Cookie-Bite<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Although designed to target Microsoft&#8217;s cookies, this technique can be customized to steal cookies from other services like\u00a0<strong>Google Workspace<\/strong>,\u00a0<strong>Okta<\/strong>,\u00a0<strong>AWS<\/strong>, or even\u00a0<strong>GitHub<\/strong>. Here are some common target cookies:<\/span><\/p>\n<div class=\"hn-table\">\n<table>\n<thead>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Platform\/Service<\/strong><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Target Cookie<\/strong><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Purpose<\/strong><\/span><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Azure Entra ID<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">ESTSAUTH, ESTSAUTHPERSISTENT<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Access Office 365, Teams, Azure Portal<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Google Workspace\/Gmail<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">SAPISID, SSID, HSID, APISID, NID<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Long-term login (Gmail, Drive, etc.)<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">AWS Management Console<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">aws-userInfo, 
aws-creds<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Maintain session on AWS Console<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Okta (SSO)<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">sid, DT, t<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Session management on Okta Portal<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">GitHub<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">user_session, dotcom_user<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Login session on\u00a0<strong><a class=\"autolinkedURL autolinkedURL-url\" href=\"http:\/\/github.com\/\" target=\"_blank\" rel=\"noopener nofollow\">GitHub.com<\/a><\/strong><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h3 id=\"heading-other-cookie-theft-methods\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\">Other Cookie Theft Methods:<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Attackers use various techniques to steal authentication cookies, including:<\/span><\/p>\n<p id=\"heading-1-adversary-in-the-middle-aitm-attack\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\">1.\u00a0<strong>Adversary-in-the-Middle (AITM) Attack:<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">AITM is an advanced phishing attack that uses reverse proxy tools like\u00a0<strong>Evilginx<\/strong>,\u00a0<strong>Modlishka<\/strong>, or\u00a0<strong>Muraena<\/strong>\u00a0to intercept information between the victim and the legitimate authentication service (such as Microsoft 365 or Google).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">When the victim logs in, the proxy records login information, MFA tokens, and 
session cookies, allowing the attacker to reuse them to bypass MFA without needing a password.<\/span><\/li>\n<\/ul>\n<p id=\"heading-2-browser-process-memory-dumping\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\">2.\u00a0<strong>Browser Process Memory Dumping:<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Browsers like Chrome or Edge decrypt cookies in memory when a login session is active. Infostealers can inject code into the browser process (such as chrome.exe) to read this memory and extract cookies in plain text, bypassing the need to decrypt from disk.<\/span><\/li>\n<\/ul>\n<p id=\"heading-3-malicious-browser-extensions\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\">3.\u00a0<strong>Malicious Browser Extensions:<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Malicious extensions, like in the case of Cookie-Bite, are installed under the guise of legitimate tools but request excessive permissions. They can:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Access the browser&#8217;s storage API.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Intercept network requests.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Inject JavaScript code to steal session cookies in real-time.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">This technique is hard to detect because it doesn&#8217;t require injecting code into the system or decrypting the disk, and the stolen data is sent directly to the attacker&#8217;s server.<\/span><\/li>\n<\/ul>\n<p id=\"heading-4decrypting-locally-stored-cookies\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\">4. 
<strong>Decrypting Locally Stored Cookies:<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Browsers store cookies in an encrypted SQLite database. For example:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">On Windows: %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Network\\Cookies (encrypted with DPAPI).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">On macOS: \/Library\/Application Support\/Google\/Chrome\/Default\/Cookies (protected by TCC).<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">An attacker needs to:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Access the cookie database and the encryption key (e.g., the AES key in the Local State file on Windows).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Decrypt the AES key using DPAPI or steal the\u00a0<strong>DPAPI Master Key<\/strong>\u00a0from C:\\Users\\&#8230;\\AppData\\Roaming\\Microsoft\\Protect.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">DPAPI ties encryption to the user profile and machine, so attackers often have to decrypt on the victim&#8217;s device.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Stolen cookies are often valued based on their exploit potential. 
For example, cookies from enterprise accounts (like Microsoft 365, Google Workspace) are more valuable than social media accounts because they allow attackers to access sensitive data, escalate privileges, or move laterally across the entire enterprise network.<\/span><\/p>\n<h2 id=\"heading-recommendations\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\">Recommendations<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">To mitigate the risk from Cookie-Bite and similar attacks, organizations need to implement comprehensive security measures focusing on identity management, monitoring, and browser extension control. Here are in-depth recommendations:<\/span><\/p>\n<h3 id=\"heading-1monitoring-and-detecting-anomalies\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\">1. Monitoring and Detecting Anomalies<\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Monitor Unusual Logins<\/strong>: Microsoft flagged logins in Varonis&#8217;s test as &#8220;atRisk&#8221; due to VPN use (risk type: anonymizedIPAddress). Organizations should enable tools like\u00a0<strong>Microsoft Defender for Cloud Apps<\/strong>\u00a0or\u00a0<strong>Azure Monitor<\/strong>\u00a0to detect unusual login behaviors, such as:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Logins from unfamiliar geographic locations.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Logins from new devices or browsers.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Multiple logins in a short time from different IPs.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Log Analysis<\/strong>: Use\u00a0<strong>Azure Sentinel<\/strong>\u00a0or SIEM solutions to analyze login logs and access cookies, helping to detect suspicious activities early. 
For example, detecting two successful logins with the same Session ID from different locations or browsers in a short time.<\/span><\/li>\n<\/ul>\n<h3 id=\"heading-2-apply-conditional-access-policies-cap\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\">2. Apply Conditional Access Policies (CAP)<\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Restrict Login Scope<\/strong>:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Set up CAP to only allow logins from\u00a0<strong>trusted IP ranges<\/strong>\u00a0(e.g., internal networks or company VPN).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Require devices to be managed by\u00a0<strong>Microsoft Intune<\/strong>\u00a0and comply with security standards (such as encryption, OS updates).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Disable the &#8220;Stay signed in&#8221; option<\/strong>: Disable the KMSI policy to prevent the creation of the ESTSAUTHPERSISTENT cookie, reducing the session cookie&#8217;s validity period.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Token protection<\/strong>: Combine CAP with\u00a0<strong>Token Protection<\/strong>\u00a0to ensure tokens are only used on valid devices.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3 id=\"heading-3-strictly-manage-chrome-extensions\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\">3. 
Strictly manage Chrome extensions<\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Apply Chrome ADMX policies<\/strong>:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Only allow installation of\u00a0<strong>pre-approved extensions<\/strong>\u00a0from the Chrome Web Store or an internal list.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Block users from installing extensions from unknown sources.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Disable Developer Mode<\/strong>:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Use Group Policy or administrative tools to completely disable\u00a0<strong>Developer Mode<\/strong>\u00a0on Chrome, preventing the installation of unsigned extensions.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Monitor extensions<\/strong>:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Use solutions like\u00a0<strong>Google Workspace Admin<\/strong>\u00a0or\u00a0<strong>endpoint security tools<\/strong>\u00a0to check and monitor extensions installed on employee devices.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3 id=\"heading-4-enhance-device-security\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\">4. 
Enhance device security<\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Deploy EDR (Endpoint Detection and Response)<\/strong>:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Use solutions like\u00a0<strong>CrowdStrike<\/strong>,\u00a0<strong>Microsoft Defender for Endpoint<\/strong>, or\u00a0<strong>SentinelOne<\/strong>\u00a0to detect and block malicious activities, including running suspicious PowerShell scripts.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Control device access rights<\/strong>:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Apply the\u00a0<strong>principle of least privilege<\/strong>\u00a0to limit user permissions on devices, reducing the risk of attackers deploying scripts or installing malicious extensions.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3 id=\"heading-5-raise-awareness-and-training\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\">5. 
Raise Awareness and Training<\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Employee Training<\/strong>:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Conduct regular training sessions on cybersecurity, emphasizing the risks of installing unknown extensions or clicking on malicious links.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Guide employees on how to check and report suspicious extensions.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Enhance Alerts<\/strong>:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Provide tools like\u00a0<strong>browser extension scanners<\/strong>\u00a0for employees to check installed extensions themselves.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3 id=\"heading-6-regularly-review-and-update\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\">6. 
Regularly Review and Update<\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Security Configuration Checks<\/strong>:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Regularly assess CAP policies, extension management, and MFA configurations to ensure they remain effective against new threats.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Software Updates<\/strong>:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Ensure Chrome and other software are always updated to the latest versions to patch security vulnerabilities.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2 id=\"heading-references\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\">References<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/www.varonis.com\/blog\/cookie-bite\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Cookie-Bite: How Your Digital Crumbs Let Threat Actors Bypass MFA and Maintain Access to Cloud Environments<\/strong><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cookie-bite-attack-poc-uses-chrome-extension-to-steal-session-tokens\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Cookie-Bite attack PoC uses Chrome extension to steal session tokens<\/strong><\/a><\/span><\/p>\n<table style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 100%\"><strong>Exclusive article by FPT IS Technology Experts<\/strong>&nbsp;<\/p>\n<p><em>Nguyen Van Trung \u2013 FPT IS Cyber Security 
Center<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n","protected":false},"author":21,"featured_media":21972,"parent":0,"template":"","nang_luc":[790,821],"danh_muc_goc_nhin_so":[882,789],"dich_vu":[858,712],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-21969","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-experts-sharing","nang_luc-security","danh_muc_goc_nhin_so-data-ai-insights","danh_muc_goc_nhin_so-expert-sharing","dich_vu-private-sector-news","dich_vu-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/21969","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/21972"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=21969"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=21969"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=21969"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=21969"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=21969"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=21969"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=21969"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=21969"}],"
curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}