Steal Web Session Cookie
Steal a session cookie (via XSS, MITM, or cache poisoning) to take over an authenticated session without ever handling the victim's credentials.
§ Where this technique fits
T1539 is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 14 approved dossiers in the registry, at step 4.6 of the chain on average.
Authoritative reference: attack.mitre.org/techniques/T1539/.
§ Dossiers chaining this technique
- step 2 / 6
Compromised CFO mailbox → invoice fraud → wire fraud
AITM phishing nets the CFO's M365 session. Attacker sets a mail rule to hide replies, edits a pending invoice's wire details, sends the modified PDF to AP from the legit mailbox.
- step 3 / 6
Citrix Bleed → steal authenticated session → MFA bypass
Send a long Host header to a vulnerable NetScaler — memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.
- step 4 / 6
FIDO2 caBLE hybrid → phone authenticator hijack
Attacker phishing site shows the legitimate FIDO2 QR. Victim scans with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser — they're now signed in as the victim.
- step 4 / 6
Malicious browser extension → cookie harvest → ATO
Publish a useful-looking extension (ad-blocker / PDF reader). It quietly reads cookies + localStorage from sensitive sites and ships them to the attacker.
- step 4 / 7
AITM phishing (Evilginx) → M365 session theft → mailbox exfil
Reverse-proxy phishing kit intercepts the entire login flow including MFA. Stolen session cookie → access M365 mailbox / SharePoint without retriggering auth.
- step 5 / 6
Compromised root CA → arbitrary cert issuance → silent MITM
Compromise the private key (or signing process) of a publicly-trusted root or intermediate. Issue an unlogged cert for the target hostname; use it for invisible TLS MITM until CT-log monitoring or revocation catches up.
- step 5 / 5
5G core GTP-U user-plane injection → subscriber MITM
Attacker on a transit network between mobile-core hops (or with compromised UPF). GTP-U packets are typically unfiltered between PEs; inject packets into subscriber bearers — credential capture, free-of-charge tunnels, downstream attacks.
- step 5 / 6
F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB
A Connection-header smuggle bypasses iControl REST authentication, and command injection then yields RCE as root. Load balancers see all traffic — recover TLS keys, session cookies, internal SSO config.
- step 5 / 5
Compromised extension auto-update → fleet compromise
Take over a popular extension's developer account (credential stuffing on the store, abandoned email domain). Push a malicious version — every existing install runs attacker code on next launch.
- step 5 / 5
Output injection → admin XSS in support panel
Customer chats with support LLM. Prompt injection makes the model emit a malicious markdown link / image; when an admin views the conversation in the support panel, JS / pixel-tracker fires.
- step 5 / 6
Web cache poisoning → XSS → admin session hijack
An unkeyed header reflects into the response. Poison the cache with a payload, wait for an admin to fetch the cached page, exfiltrate their session.
- step 6 / 6
Subdomain takeover → ACME DNS-01 → trusted cert for victim host
Find a dangling CNAME / NS record. Claim the underlying resource; complete Let's Encrypt's DNS-01 challenge for the parent hostname. The attacker now holds a publicly-trusted cert for victim.example.com — chain into AITM.
- step 6 / 6
Browser-in-the-Browser → credential theft on a trusted page
Render a fake SSO popup inside the attacker page that looks like a real OS browser window. Victim types their credentials into the attacker's DOM.
- step 6 / 7
Subdomain takeover → cookie theft → account takeover
Dangling CNAME on a corporate subdomain (e.g. mail.target.com → unclaimed Heroku app). Claim it, serve a malicious page, harvest session cookies scoped to *.target.com.
§ What commonly comes next
- 01 Valid Accounts (T1078 · Initial Access) — seen 6×
- 02 Certificate Transparency Monitoring (PKI-CT-MONITOR · Reconnaissance) — seen 1×
- 03 Mailbox Forwarding Rule (M365-MAILBOX-FORWARD · Collection) — seen 1×
- 04 Pass the Ticket (T1550.003 · Lateral Movement) — seen 1×