title: Web Session Cookie (T1550.004)
id: df00tech-t1550-004
status: experimental
description: "Adversaries steal and reuse valid web session cookies to authenticate to web applications and cloud services, effectively bypassing multi-factor authentication. Because session cookies represent a completed authentication event, they allow adversaries to impersonate users without knowing credentials or possessing their MFA device. Cookies are commonly obtained via adversary-in-the-middle (AiTM) phishing frameworks such as Evilginx2, Modlishka, or Muraena, which proxy the legitimate login flow and capture the post-MFA session token in real time. Once imported into an attacker-controlled browser or HTTP client, the stolen cookie grants full access to the victim's SaaS applications, cloud consoles, and email for the lifetime of the session. Star Blizzard (APT29 affiliate) has used this technique via EvilGinx to compromise email accounts protected by MFA."
references:
  - https://attack.mitre.org/techniques/T1550/004/
  - https://df00tech.com/detections/T1550.004
author: df00tech
date: 2026/04/21
tags:
  - attack.t1550.004
  # T1550 (Use Alternate Authentication Material) is mapped to these two tactics in ATT&CK
  - attack.defense_evasion
  - attack.lateral_movement
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
  # Assumed: the false positives below all describe Entra ID / Azure AD sign-in log fields
  # (MFA claim details, Conditional Access), so the sign-in log service is the expected source
  service: signinlogs
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate VPN use where user authenticates from one country then routes traffic through another country's VPN exit node"
  - Corporate proxy or split-tunnel configurations that cause authentication events to appear from multiple geographic locations
  - "Travel — a user who physically travels between countries, especially with short flights or near-border regions"
  - "Conditional Access policies that explicitly allow persistent browser sessions, generating 'Previously satisfied' MFA claims for legitimate users"
  - Shared accounts or break-glass emergency accounts accessed from multiple locations by different administrators
level: high
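The rule above carries only a placeholder selection, but its false-positive list describes the shape of the detection the df00tech query implements: a sign-in whose MFA requirement was "Previously satisfied" (a reused session token) arriving from a different country than the sign-in that actually completed MFA, with carve-outs for VPN egress countries and shared or break-glass accounts. The following is an added example, not the rule's own query or any df00tech code, that runs that logic over constructed sign-in records. The field names (`UserPrincipalName`, `IPAddress`, `Location.countryOrRegion`, `AuthenticationDetails[].authenticationStepResultDetail`, `TimeGenerated`) follow the Azure AD SignInLogs schema as assumed here; verify them against your own tenant's export before reusing the field mapping.

```python
"""Flag session-token reuse across countries in Azure AD-style sign-in records.

Added example for the T1550.004 rule; all records below are constructed and the
field names are an assumption about the SignInLogs schema, not taken from the rule.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like Azure AD SignInLogs (not real telemetry).
SAMPLE_SIGNINS = [
    # alice completes MFA in the US, then the same session is used from NL 40 minutes later
    {"TimeGenerated": "2026-04-21T08:00:00Z", "UserPrincipalName": "alice@example.com",
     "IPAddress": "203.0.113.10", "Location": {"countryOrRegion": "US"},
     "AuthenticationDetails": [{"authenticationStepResultDetail": "MFA completed in Azure AD"}]},
    {"TimeGenerated": "2026-04-21T08:40:00Z", "UserPrincipalName": "alice@example.com",
     "IPAddress": "198.51.100.77", "Location": {"countryOrRegion": "NL"},
     "AuthenticationDetails": [{"authenticationStepResultDetail": "Previously satisfied"}]},
    # bob reuses his session from the same country: benign
    {"TimeGenerated": "2026-04-21T09:00:00Z", "UserPrincipalName": "bob@example.com",
     "IPAddress": "203.0.113.20", "Location": {"countryOrRegion": "US"},
     "AuthenticationDetails": [{"authenticationStepResultDetail": "MFA completed in Azure AD"}]},
    {"TimeGenerated": "2026-04-21T09:10:00Z", "UserPrincipalName": "bob@example.com",
     "IPAddress": "203.0.113.21", "Location": {"countryOrRegion": "US"},
     "AuthenticationDetails": [{"authenticationStepResultDetail": "Previously satisfied"}]},
    # carol's reuse comes from GB, her documented VPN exit country (suppressible)
    {"TimeGenerated": "2026-04-21T10:00:00Z", "UserPrincipalName": "carol@example.com",
     "IPAddress": "203.0.113.30", "Location": {"countryOrRegion": "US"},
     "AuthenticationDetails": [{"authenticationStepResultDetail": "MFA completed in Azure AD"}]},
    {"TimeGenerated": "2026-04-21T10:30:00Z", "UserPrincipalName": "carol@example.com",
     "IPAddress": "198.51.100.5", "Location": {"countryOrRegion": "GB"},
     "AuthenticationDetails": [{"authenticationStepResultDetail": "Previously satisfied"}]},
    # erin's reuse is 20 hours after MFA: outside the default correlation window
    {"TimeGenerated": "2026-04-21T11:00:00Z", "UserPrincipalName": "erin@example.com",
     "IPAddress": "203.0.113.40", "Location": {"countryOrRegion": "US"},
     "AuthenticationDetails": [{"authenticationStepResultDetail": "MFA completed in Azure AD"}]},
    {"TimeGenerated": "2026-04-22T07:00:00Z", "UserPrincipalName": "erin@example.com",
     "IPAddress": "198.51.100.9", "Location": {"countryOrRegion": "FR"},
     "AuthenticationDetails": [{"authenticationStepResultDetail": "Previously satisfied"}]},
]

# Step-result strings (assumed values) that distinguish a fresh MFA from a reused claim.
MFA_COMPLETED = "MFA completed in Azure AD"
MFA_REUSED = {"Previously satisfied", "MFA requirement satisfied by claim in the token"}


def _ts(rec):
    return datetime.strptime(rec["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _country(rec):
    return rec.get("Location", {}).get("countryOrRegion", "")


def _step_details(rec):
    return {d.get("authenticationStepResultDetail", "") for d in rec.get("AuthenticationDetails", [])}


def find_session_reuse(records, window=timedelta(hours=12), vpn_countries=None, excluded_users=()):
    """Return alerts for MFA-reused sign-ins whose country differs from the originating MFA sign-in.

    vpn_countries maps a UPN to the set of countries its approved VPN may egress from;
    excluded_users lists shared / break-glass accounts that are reviewed by other means.
    """
    vpn_countries = vpn_countries or {}
    last_mfa = {}  # UPN -> most recent sign-in that completed MFA interactively
    alerts = []
    for rec in sorted(records, key=_ts):
        upn = rec["UserPrincipalName"]
        details = _step_details(rec)
        if MFA_COMPLETED in details:
            last_mfa[upn] = rec  # new baseline for this user
            continue
        if not details & MFA_REUSED:
            continue  # not a reused-session sign-in
        origin = last_mfa.get(upn)
        if origin is None or _ts(rec) - _ts(origin) > window:
            continue  # no originating MFA sign-in inside the correlation window
        if _country(rec) == _country(origin):
            continue  # same country: ordinary token reuse
        if upn in excluded_users or _country(rec) in vpn_countries.get(upn, set()):
            continue  # documented VPN egress or out-of-scope account
        alerts.append({
            "user": upn,
            "origin_country": _country(origin), "origin_ip": origin["IPAddress"],
            "reuse_country": _country(rec), "reuse_ip": rec["IPAddress"],
            "minutes_between": int((_ts(rec) - _ts(origin)).total_seconds() // 60),
        })
    return alerts


if __name__ == "__main__":
    print(json.dumps(find_session_reuse(SAMPLE_SIGNINS), indent=2))
```

Keying the baseline on the last interactive MFA rather than on IP address is what keeps the bob case quiet while still catching alice; the `vpn_countries` and `excluded_users` parameters are the programmatic form of the rule's first, second and fifth false positives, and widening `window` trades the travel false positive against missed long-lived sessions.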
