The Problem With "You're Already Verified"
Multi-factor authentication is one of the most effective security controls available. It stops the vast majority of automated account-compromise attacks dead in their tracks. But a growing class of attack doesn't try to break MFA at all — it waits until after you've already passed it, then takes over from there.
To understand why this works, you need to understand the mechanism websites use to keep you logged in: the session token.
What Is a Session Token?
Every time you log into a website — password entered, MFA code verified — the server needs a way to remember that you've been authenticated. It can't ask you to prove your identity on every single page load; that would make the web unusable. So instead, it issues your browser a session token: a long, randomly generated string stored as a cookie.
Think of it as a festival wristband. You showed ID and a ticket at the gate (your credentials and MFA). The wristband proves you're authorised to be inside without you having to show ID every time you buy a drink. Your browser silently presents this wristband — the cookie — with every subsequent request to the site. The server checks that the wristband is valid, and if it is, it grants access. No further verification required.
Session tokens are deliberately designed to be a trusted proof of identity. That is exactly what makes them so valuable to attackers.
The Attack: Pass-the-Cookie
If an attacker can obtain a valid, active session token, they can inject it into their own browser. From the server's perspective, every request now looks identical to a request from you — same token, same apparent identity. The MFA check already happened. It will not happen again.
This technique is known as pass-the-cookie or session hijacking. The attacker never encounters a password prompt. They never see an MFA challenge. They simply present your wristband and walk straight in.
How Attackers Steal Session Tokens
There are three primary methods attackers use to harvest session tokens.
Infostealer malware is the most widespread. Strains like Redline, Raccoon, Lumma Stealer, and Vidar are designed specifically to locate and exfiltrate the browser's local cookie store — the file on your hard drive where Chrome, Firefox, and Edge save session tokens. The malware runs silently in the background, copies every saved cookie from every website, and transmits the haul to an attacker-controlled server. These stolen cookie packages are then sold in bulk on dark web markets, where buyers can import them directly into their own browsers and step into live, authenticated sessions. This is a significant reason why high-profile account takeovers happen even on MFA-protected accounts.
Malicious browser extensions present a subtler risk. A browser extension runs with elevated privileges inside your browser and can read cookies for any site you visit. A malicious extension — disguised as a productivity tool, a theme, or a PDF converter — can silently read your session cookies and forward them to a remote server. Because the extension operates inside the browser, it bypasses most endpoint security tools that monitor network traffic at the OS level.
Adversary-in-the-Middle (AiTM) phishing kits take a different approach. Tools like Evilginx act as a transparent proxy between you and the real website. You visit what looks like the legitimate login page. The kit forwards your credentials and MFA code to the real site in real time, receives the authenticated session token on your behalf, and captures it before relaying it back to your browser. You complete the login successfully and suspect nothing — but the attacker now has your session token. Microsoft's 2023 research identified AiTM phishing as the technique behind a major wave of account compromises targeting Microsoft 365 customers.
- Infostealer malware — reads the browser's local cookie store directly from disk; no network interception required
- Malicious extensions — run inside the browser with cookie-read permissions; difficult to detect
- AiTM phishing kits — proxy the real login in real time, capturing the post-MFA session token live
MFA does not protect against session hijacking. Once you have authenticated and a session token has been issued, MFA's job is done. Stealing that token is the equivalent of stealing a key that has already unlocked the door — the lock is irrelevant at that point.
Why This Matters More Than Ever
The infostealer market has matured significantly. Malware-as-a-Service platforms sell subscription access to stealer builds for as little as $100–$200 per month, with automated dashboards for sorting and replaying stolen credentials and cookies. Stolen session tokens for corporate email, banking portals, and cryptocurrency exchanges are traded openly. The barrier to executing this class of attack is low and falling.
For individuals, the most common infection vectors are pirated software, malicious ads serving fake software downloads, and phishing emails with malware-laced attachments. You do not need to do anything obviously reckless — a single compromised download is sufficient.
What Actually Protects You
Hardware security keys (FIDO2 / passkeys) provide the strongest available defence. Unlike TOTP codes, a hardware key's authentication is cryptographically bound to the specific browser session and the exact domain. Certain implementations require the physical key to be present for re-authentication under conditions that flag session anomalies. A stolen cookie from one device cannot simply be replayed from a different machine without triggering re-authentication — the stolen wristband alone is not enough. If you manage high-value accounts, a hardware key is worth the investment.
Device hygiene is the most broadly applicable protection. Infostealers need to run on your machine to steal your cookies. Keeping your operating system and browser updated, avoiding pirated software, and using reputable security software significantly reduces the risk of infection in the first place.
Browser extension discipline matters more than most people realise. Treat extensions the same way you treat apps: only install them from publishers you trust, review what permissions they request, and remove any you no longer actively use. An extension you installed three years ago and forgot about is a silent, persistent risk.
Sign out of sessions you no longer need. Most platforms offer a "manage active sessions" or "sign out all other devices" option in account settings. Using it invalidates existing tokens, which limits the damage window if a token has already been stolen but not yet used.
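The wristband mechanism described above, together with two of the server-side controls this article mentions (refusing a token that turns up from a different client and "sign out all other devices"), as an added example that is not part of the original article or any real site's code. The in-memory store, the `fingerprint` value (assumed to be a server-side summary of the client, such as user agent and rough network location) and the one-hour lifetime are all constructed for illustration.

```python
import secrets
import time

SESSION_TTL = 3600  # assumed: seconds a token stays valid after issue


class SessionStore:
    """Constructed, in-memory session store (example only)."""

    def __init__(self):
        self._sessions = {}  # token -> {"user", "fingerprint", "issued"}

    def login(self, user, password_ok, mfa_ok, fingerprint):
        """Issue a token only after password AND MFA both pass.
        This is the only point at which MFA is ever checked."""
        if not (password_ok and mfa_ok):
            return None
        token = secrets.token_urlsafe(32)  # the 'wristband' the browser stores as a cookie
        self._sessions[token] = {"user": user, "fingerprint": fingerprint,
                                 "issued": time.time()}
        return token

    def authorize_naive(self, token):
        """The mechanism the article describes: the cookie alone decides.
        Whoever presents a live token is treated as the user; nothing else is asked."""
        s = self._sessions.get(token)
        if s is None or time.time() - s["issued"] > SESSION_TTL:
            return None
        return s["user"]

    def authorize_bound(self, token, fingerprint):
        """Hardened check: the token must also arrive from the client it was issued to.
        A mismatch is treated as a session anomaly: the token is revoked, so the
        holder (legitimate or not) has to go through password and MFA again."""
        s = self._sessions.get(token)
        if s is None or time.time() - s["issued"] > SESSION_TTL:
            return None
        if s["fingerprint"] != fingerprint:
            del self._sessions[token]  # force re-authentication
            return None
        return s["user"]

    def sign_out_other_devices(self, user, keep_token):
        """The 'sign out all other devices' control: invalidates every token for
        `user` except the one this request came with. Returns the number revoked."""
        doomed = [t for t, s in self._sessions.items()
                  if s["user"] == user and t != keep_token]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)
```

Comparing `authorize_naive` with `authorize_bound` shows why a copied cookie is enough against the first and not the second; `sign_out_other_devices` is what limits the damage window once a token has leaked but not yet been used.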
The threat model has shifted. For years, MFA was the answer to credential theft. It still is — for attacks that rely on stolen passwords. But attackers have adapted. The modern threat doesn't steal your password; it waits for you to use it, then steals the session that follows. Protecting your devices from malware is now just as important as protecting your passwords.