T1550.004

Web Session Cookie

Adversaries steal and reuse valid web session cookies to authenticate to web applications and cloud services, effectively bypassing multi-factor authentication. Because session cookies represent a completed authentication event, they allow adversaries to impersonate users without knowing credentials or possessing their MFA device. Cookies are commonly obtained via adversary-in-the-middle (AiTM) phishing frameworks such as Evilginx2, Modlishka, or Muraena, which proxy the legitimate login flow and capture the post-MFA session token in real time. Once imported into an attacker-controlled browser or HTTP client, the stolen cookie grants full access to the victim's SaaS applications, cloud consoles, and email for the lifetime of the session. Star Blizzard (APT29 affiliate) has used this technique via EvilGinx to compromise email accounts protected by MFA.

Microsoft Sentinel / Defender

kusto

// T1550.004 — Web Session Cookie Theft: Impossible Travel + MFA-Bypass via Existing Session
let LookbackPeriod = 24h;
let ImpossibleTravelWindowMinutes = 60;
let SuspiciousSingleFactorApps = dynamic(["Microsoft 365", "Office 365", "Azure Portal", "Microsoft Teams", "SharePoint", "OneDrive", "Exchange Online", "Outlook"]);
// Step 1: Build baseline of successful sign-ins with location context
let Signins = SigninLogs
| where TimeGenerated > ago(LookbackPeriod)
| where ResultType == 0
| extend Country = tostring(LocationDetails.countryOrRegion)
| extend City = tostring(LocationDetails.city)
| extend State = tostring(LocationDetails.state)
| extend AuthMethod = tostring(parse_json(tostring(AuthenticationDetails))[0].authenticationMethod)
| extend AuthStepResult = tostring(parse_json(tostring(AuthenticationDetails))[0].authenticationStepResultDetail)
| extend IsCookieReuse = AuthStepResult has_any ("Previously satisfied", "Token broker")
| extend IsInteractiveSession = IsInteractive == true
| project TimeGenerated, UserPrincipalName, IPAddress, Country, City, State,
          AppDisplayName, ResourceDisplayName, AuthenticationRequirement, ConditionalAccessStatus,
          AuthMethod, AuthStepResult, IsCookieReuse, IsInteractiveSession,
          RiskLevelDuringSignIn, RiskLevelAggregated, TokenIssuerType, CorrelationId,
          DeviceDetail, ClientAppUsed;
// Step 2: Detect impossible travel — same user, different countries, within threshold
let ImpossibleTravel = Signins
| join kind=inner (
    Signins
    | project TimeGenerated2=TimeGenerated, UserPrincipalName, IPAddress2=IPAddress,
              Country2=Country, City2=City, CorrelationId2=CorrelationId,
              AppDisplayName2=AppDisplayName
) on UserPrincipalName
| where CorrelationId != CorrelationId2
| where TimeGenerated > TimeGenerated2
| where Country != Country2 and isnotempty(Country) and isnotempty(Country2)
| where datetime_diff('minute', TimeGenerated, TimeGenerated2) between (0 .. ImpossibleTravelWindowMinutes)
| extend DetectionType = "ImpossibleTravel"
| extend TimeDiffMinutes = datetime_diff('minute', TimeGenerated, TimeGenerated2)
| project TimeGenerated, UserPrincipalName, IPAddress, Country, City, AppDisplayName,
          AuthenticationRequirement, IsCookieReuse, RiskLevelDuringSignIn,
          PriorIPAddress=IPAddress2, PriorCountry=Country2, PriorApp=AppDisplayName2,
          PriorSignIn=TimeGenerated2, TimeDiffMinutes, DetectionType, CorrelationId;
// Step 3: Detect MFA bypass — single-factor auth on MFA-required app with cookie satisfaction
let MFABypassViaCookie = Signins
| where AuthenticationRequirement == "singleFactorAuthentication"
| where IsCookieReuse == true
| where AppDisplayName has_any (SuspiciousSingleFactorApps)
| extend DetectionType = "MFABypassCookieReuse"
| project TimeGenerated, UserPrincipalName, IPAddress, Country, City, AppDisplayName,
          AuthenticationRequirement, IsCookieReuse, AuthStepResult,
          RiskLevelDuringSignIn, ConditionalAccessStatus, CorrelationId, DetectionType;
// Step 4: Union both detection paths
ImpossibleTravel
| union MFABypassViaCookie
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Azure Active Directory: Sign-in Logs Azure AD: Authentication Details Microsoft Sentinel: SigninLogs table

Required Tables

SigninLogs

False Positives

Legitimate VPN use where user authenticates from one country then routes traffic through another country's VPN exit node
Corporate proxy or split-tunnel configurations that cause authentication events to appear from multiple geographic locations
Travel — a user who physically travels between countries, especially with short flights or near-border regions
Conditional Access policies that explicitly allow persistent browser sessions, generating 'Previously satisfied' MFA claims for legitimate users
Shared accounts or break-glass emergency accounts accessed from multiple locations by different administrators

Splunk

spl

| tstats count min(_time) as firstSeen max(_time) as lastSeen
    from datamodel=Authentication
    where Authentication.action=success
    by Authentication.user Authentication.src Authentication.app Authentication.dest _time span=1h
| `drop_dm_object_name("Authentication")`
| eval _time=firstSeen
| appendcols
    [search index=azure sourcetype="azure:aad:signin" ResultType=0
    | eval Country=mvindex(split('LocationDetails.countryOrRegion',""),0)
    | eval City=mvindex(split('LocationDetails.city',""),0)
    | eval AuthMethod=mvindex(AuthenticationDetails{}.authenticationMethod,0)
    | eval AuthStepResult=mvindex(AuthenticationDetails{}.authenticationStepResultDetail,0)
    | eval IsCookieReuse=if(match(AuthStepResult,"(?i)(previously satisfied|token broker|existing token)"),1,0)
    | eval IsRiskySignin=if(match(RiskLevelDuringSignIn,"(?i)(medium|high)"),1,0)
    | eval IsSingleFactor=if(AuthenticationRequirement="singleFactorAuthentication",1,0)
    | eval MFABypassCookie=if(IsCookieReuse=1 AND IsSingleFactor=1,1,0)
    | eval SuspiciousApp=if(match(AppDisplayName,"(?i)(microsoft 365|office 365|azure portal|teams|sharepoint|onedrive|exchange|outlook|azure active directory)"),1,0)
    | fields _time UserPrincipalName IPAddress Country City AppDisplayName AuthenticationRequirement
             AuthStepResult IsCookieReuse IsRiskySignin MFABypassCookie SuspiciousApp CorrelationId]
| where IsCookieReuse=1 OR IsRiskySignin=1
| stats count as SigninCount
        values(Country) as Countries
        values(IPAddress) as IPAddresses
        values(AppDisplayName) as Apps
        dc(Country) as UniqueCountries
        dc(IPAddress) as UniqueIPs
        max(MFABypassCookie) as MFABypass
        max(IsRiskySignin) as RiskySignin
        min(_time) as firstSeen
        max(_time) as lastSeen
    by UserPrincipalName
| eval ImpossibleTravel=if(UniqueCountries>1 AND (lastSeen-firstSeen)<3600,1,0)
| eval ThreatScore=MFABypass + ImpossibleTravel + RiskySignin
| where ThreatScore>0
| eval DetectionTypes=case(
    ImpossibleTravel=1 AND MFABypass=1, "ImpossibleTravel+MFABypass",
    ImpossibleTravel=1, "ImpossibleTravel",
    MFABypass=1, "MFABypassViaCookie",
    true(), "AnomalousSignin")
| table firstSeen lastSeen UserPrincipalName DetectionTypes ThreatScore UniqueCountries Countries UniqueIPs IPAddresses Apps MFABypass ImpossibleTravel RiskySignin SigninCount
| sort - ThreatScore lastSeen

high severity medium confidence

Data Sources

Azure Active Directory: Sign-in Logs Azure AD Authentication Details Microsoft Cloud Services Add-on for Splunk

Required Sourcetypes

azure:aad:signin

False Positives

VPN users whose authentication origin IP and browsing IP differ across countries
Users near national borders frequently crossing authentication geolocation boundaries
Shared service accounts or emergency access accounts accessed from multiple locations
Legitimate persistent session policies configured in Azure AD Conditional Access allowing long-lived tokens
Travel scenarios where users authenticate legitimately from multiple locations within a workday

IBM QRadar (AQL)

sql

-- Impossible Travel Detection
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS firstSeen,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS lastSeen,
  username,
  'ImpossibleTravel' AS detectionType,
  COUNT(*) AS signinCount,
  LONG(MAX(starttime) - MIN(starttime)) / 60 AS windowMinutes
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Azure%'
  AND CATEGORYNAME(category) ILIKE '%Authentication%'
  AND username IS NOT NULL
  AND username != ''
  AND "IBM QRadar Field" = 'Success'
GROUP BY username, DATEFORMAT(starttime, 'YYYY-MM-dd HH')
HAVING
  COUNT(DISTINCT sourcegeographiccountry) > 1
  AND LONG(MAX(starttime) - MIN(starttime)) < 3600

UNION ALL

-- MFA Bypass via Cookie Reuse Detection
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS firstSeen,
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS lastSeen,
  username,
  'MFABypassViaCookie' AS detectionType,
  1 AS signinCount,
  0 AS windowMinutes
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Azure%'
  AND CATEGORYNAME(category) ILIKE '%Authentication%'
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%Active Directory%'
  AND QIDNAME(qid) ILIKE '%sign%'
  AND ("authenticationRequirement" = 'singleFactorAuthentication' OR "AuthenticationRequirement" = 'singleFactorAuthentication')
  AND (
    LOWER("authStepResultDetail") LIKE '%previously satisfied%'
    OR LOWER("authStepResultDetail") LIKE '%token broker%'
    OR LOWER("authStepResultDetail") LIKE '%existing token%'
  )
  AND (
    LOWER("appDisplayName") LIKE '%microsoft 365%'
    OR LOWER("appDisplayName") LIKE '%office 365%'
    OR LOWER("appDisplayName") LIKE '%azure portal%'
    OR LOWER("appDisplayName") LIKE '%microsoft teams%'
    OR LOWER("appDisplayName") LIKE '%sharepoint%'
    OR LOWER("appDisplayName") LIKE '%onedrive%'
    OR LOWER("appDisplayName") LIKE '%exchange%'
    OR LOWER("appDisplayName") LIKE '%outlook%'
  )
ORDER BY firstSeen DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Azure Active Directory via QRadar DSM Microsoft Azure DSM Identity and Access Management log sources

Required Tables

events

False Positives

VPN users whose traffic egresses from a different country than their physical location, particularly corporate split-tunnel VPNs or proxy configurations that shift apparent geolocation
Automated service principals or application accounts performing programmatic authentication across multiple Azure regions, which may satisfy authentication via existing delegated tokens
Conditional Access policies configured to allow passwordless or certificate-based single-factor authentication for privileged users, legitimately producing single-factor authentication events

Sumo Logic CSE

sql

// MFA Bypass via Cookie Reuse
_sourceCategory=azure/aad/signin
| json "ResultType", "UserPrincipalName", "IPAddress", "AppDisplayName", "AuthenticationRequirement", "RiskLevelDuringSignIn", "CorrelationId" nodrop
| json "LocationDetails.countryOrRegion" as Country nodrop
| json "LocationDetails.city" as City nodrop
| json "AuthenticationDetails[0].authenticationMethod" as AuthMethod nodrop
| json "AuthenticationDetails[0].authenticationStepResultDetail" as AuthStepResult nodrop
| where ResultType == "0"
| eval IsCookieReuse = if(matches(AuthStepResult, "(?i)(previously satisfied|token broker|existing token)"), 1, 0)
| eval IsSingleFactor = if(AuthenticationRequirement == "singleFactorAuthentication", 1, 0)
| eval IsSuspiciousApp = if(matches(AppDisplayName, "(?i)(microsoft 365|office 365|azure portal|teams|sharepoint|onedrive|exchange|outlook)"), 1, 0)
| eval IsRisky = if(matches(RiskLevelDuringSignIn, "(?i)(medium|high)"), 1, 0)
| eval MFABypassCookie = if(IsCookieReuse == 1 and IsSingleFactor == 1 and IsSuspiciousApp == 1, 1, 0)
| where IsCookieReuse == 1 or IsRisky == 1
// Aggregate by user over 1-hour windows
| timeslice 1h
| stats count as SigninCount,
        values(Country) as Countries,
        values(IPAddress) as IPAddresses,
        values(AppDisplayName) as Apps,
        dc(Country) as UniqueCountries,
        dc(IPAddress) as UniqueIPs,
        max(MFABypassCookie) as MFABypass,
        max(IsRisky) as RiskySignin
        by UserPrincipalName, _timeslice
| eval ImpossibleTravel = if(UniqueCountries > 1, 1, 0)
| eval ThreatScore = MFABypass + ImpossibleTravel + RiskySignin
| where ThreatScore > 0
| eval DetectionType = if(ImpossibleTravel == 1 and MFABypass == 1, "ImpossibleTravel+MFABypass",
                     if(ImpossibleTravel == 1, "ImpossibleTravel",
                     if(MFABypass == 1, "MFABypassViaCookie", "AnomalousSignin")))
| fields _timeslice, UserPrincipalName, DetectionType, ThreatScore, UniqueCountries, Countries, UniqueIPs, IPAddresses, Apps, MFABypass, ImpossibleTravel, RiskySignin, SigninCount
| sort by ThreatScore desc

high severity medium confidence

Data Sources

Azure Active Directory Sign-in Logs Azure AD via Sumo Logic Azure App

Required Tables

azure/aad/signin

False Positives

Users accessing Microsoft 365 through Conditional Access compliant devices in named locations where MFA has been previously satisfied and a refresh token is being used — this is expected behavior and will trigger cookie reuse signals
Mobile application sign-ins using broker authentication (Microsoft Authenticator app as token broker) which legitimately produce Token broker authentication step results
Global administrators or privileged users accessing Azure Portal from multiple geographic locations due to legitimate business travel within the same day, particularly when using personal hotspots or hotel networks

Google Chronicle / SecOps

yaral

rule T1550_004_web_session_cookie_theft {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects web session cookie theft and reuse — impossible travel or MFA bypass via stolen session cookie on Microsoft 365/Azure services (T1550.004). Covers AiTM phishing kits including Evilginx2, Modlishka, Muraena used by Star Blizzard/APT29."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1550.004"
    reference = "https://attack.mitre.org/techniques/T1550/004/"
    version = "1.0"

  events:
    $signin1.metadata.event_type = "USER_LOGIN"
    $signin1.metadata.product_name = "Azure Active Directory"
    $signin1.security_result.action = "ALLOW"
    $signin1.principal.user.userid = $user
    $signin1.principal.location.country_or_region = $country1
    $signin1.network.ip_protocol = "TCP"

    $signin2.metadata.event_type = "USER_LOGIN"
    $signin2.metadata.product_name = "Azure Active Directory"
    $signin2.security_result.action = "ALLOW"
    $signin2.principal.user.userid = $user
    $signin2.principal.location.country_or_region = $country2

    // Impossible travel: different countries, same user, within 60 minutes
    $country1 != $country2
    $signin1.metadata.event_timestamp.seconds < $signin2.metadata.event_timestamp.seconds
    ($signin2.metadata.event_timestamp.seconds - $signin1.metadata.event_timestamp.seconds) < 3600

  match:
    $user over 1h

  condition:
    $signin1 and $signin2
}

rule T1550_004_mfa_bypass_cookie_reuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects MFA bypass via session cookie reuse — single factor authentication completion on Microsoft 365/Azure workloads where authentication was satisfied by an existing token or cookie, indicating stolen session cookie replay (T1550.004)."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1550.004"
    reference = "https://attack.mitre.org/techniques/T1550/004/"
    version = "1.0"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.metadata.product_name = "Azure Active Directory"
    $e.security_result.action = "ALLOW"
    $e.principal.user.userid = $user
    // Single factor authentication requirement
    $e.extensions.auth.auth_details = "singleFactorAuthentication"
    // Cookie or token broker satisfaction
    (
      re.regex($e.security_result.description, `(?i)(previously satisfied|token broker|existing token)`) or
      re.regex($e.target.application, `(?i)(microsoft 365|office 365|azure portal|microsoft teams|sharepoint|onedrive|exchange|outlook)`)
    )

  match:
    $user over 1h

  condition:
    #e >= 1
}

high severity medium confidence

Data Sources

Azure Active Directory via Google Chronicle Ingestion Microsoft Azure Identity Logs (UDM normalized)

Required Tables

USER_LOGIN UDM events Azure Active Directory log feed

False Positives

Primary refresh token (PRT) usage by Hybrid Azure AD joined devices where sign-in completes via the PRT mechanism, which Chronicle may normalize as token broker or existing token satisfaction
Global users with Microsoft 365 licenses accessing services while traveling internationally, where the IP geolocation differs from their registered country, particularly for employees on back-to-back international flights using airline Wi-Fi
Federated identity providers or SAML-based SSO integrations where the authentication token is issued by a third-party IdP and passed to Azure AD, appearing as an existing token satisfaction rather than interactive MFA

CrowdStrike LogScale (CQL)

cql

// T1550.004 — Web Session Cookie Theft Detection in CrowdStrike LogScale
// Focuses on Identity Protection events and OAuth token abuse patterns

// Detection Path 1: Impossible Travel via Identity Events
#event_simpleName=UserLogon OR #event_simpleName=OAuthTokenCreated
| UserId != ""
| GeoCountry != ""
| table([_time, UserId, UserPrincipalName, SrcIP, GeoCountry, GeoCity, ApplicationName, AuthenticationResult, AuthenticationType, CorrelationId])
| groupBy([UserId], function=[
    collect([GeoCountry], multival=true, limit=100),
    collect([SrcIP], multival=true, limit=100),
    collect([ApplicationName], multival=true, limit=100),
    min(_time, as=firstSeen),
    max(_time, as=lastSeen),
    count(as=signinCount)
  ])
| UniqueCountries := array:length(GeoCountry[])
| WindowSeconds := lastSeen - firstSeen
| ImpossibleTravel := if(UniqueCountries > 1 AND WindowSeconds < 3600, then=1, else=0)
| where ImpossibleTravel == 1
| sort(lastSeen, order=desc)

// Detection Path 2: MFA Bypass via Cookie/Token Reuse (Identity Protection)
// Run separately or union with path 1
#event_simpleName=IdentityProtectionEvent OR #event_simpleName=OAuthTokenCreated
| AuthenticationRequirement = "singleFactorAuthentication"
| (
    match(field=AuthStepResultDetail, regex="(?i)(previously satisfied|token broker|existing token)", strict=false)
    OR match(field=TokenIssuerType, regex="(?i)(azuread|oauth)", strict=false)
  )
| match(field=ApplicationName, regex="(?i)(microsoft 365|office 365|azure portal|teams|sharepoint|onedrive|exchange|outlook)", strict=false)
| table([_time, UserId, UserPrincipalName, SrcIP, GeoCountry, GeoCity, ApplicationName, AuthenticationRequirement, AuthStepResultDetail, RiskLevel, CorrelationId])
| eval DetectionType="MFABypassViaCookie"
| sort(_time, order=desc)

high severity low confidence

Data Sources

CrowdStrike Falcon Identity Threat Protection CrowdStrike Falcon Zero Trust Assessment Azure AD events forwarded via Falcon Identity Connector

Required Tables

UserLogon events OAuthTokenCreated events IdentityProtectionEvent Falcon Identity Threat Protection telemetry

False Positives

CrowdStrike Falcon Identity connector may not have full visibility into Azure AD authentication details such as AuthStepResultDetail unless the Identity Threat Protection module is fully deployed and integrated with Azure AD, leading to incomplete detection coverage rather than false positives
Legitimate OAuth application registrations performing daemon or background authentication using existing refresh tokens on behalf of users, which produce OAuthTokenCreated events that match the single-factor cookie satisfaction pattern
Users working across multiple corporate locations in different countries (e.g., UK and Ireland offices, US border regions) where legitimate same-day travel produces impossible travel signals within the detection window

Last updated: 2026-04-21 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1550.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1550Use Alternate Authentication Material

Related Sub-techniques

T1550.001Application Access Token T1550.002Pass the Hash T1550.003Pass the Ticket

Web Session Cookie

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections