
Over 42,000 CRA Accounts Breached: What to Know
More than 42,000 Canadian taxpayer accounts have been breached since 2020. Learn more about the data breach class-action lawsuit involving CRA accounts.
May 20, 2026 - Blog
Authored By Packetlabs

Phishing attacks have evolved dramatically over the past decade. What once consisted of poorly written emails and suspicious attachments has transformed into sophisticated campaigns capable of bypassing traditional security controls, multi-factor authentication (MFA), and user awareness training.
One of the latest developments in the phishing landscape is the growing use of what security researchers have dubbed "Misfortune Cookie" techniques: a category of attacks focused on stealing, manipulating, or abusing browser session cookies to impersonate legitimate users. Rather than stealing passwords directly, attackers target the authentication tokens that keep users logged into applications and cloud services.
This shift represents a significant challenge for organizations because it enables threat actors to bypass security measures that were once considered highly effective. Even users protected by strong passwords and MFA may be vulnerable if attackers successfully compromise browser session cookies.
As organizations continue migrating to cloud-based applications and remote work environments, understanding Misfortune Cookie phishing attacks is becoming increasingly important for cybersecurity teams.
This article explores how these attacks work, why they are effective, how attackers bypass MFA, and what organizations can do to defend against them.
To understand Misfortune Cookie phishing attacks, it's important to understand browser session cookies.
When users authenticate to an application, the application creates a session that allows the user to remain logged in without repeatedly entering credentials.
Instead of asking for a password every time a page loads, the application stores a small piece of data called a session cookie.
These cookies often contain:
Session identifiers
Authentication tokens
User preferences
Security attributes
State information
The browser automatically presents these cookies to the application during subsequent requests.
This creates a seamless user experience while reducing authentication friction.
Unfortunately, threat actors increasingly view these cookies as valuable targets.
Historically, cybercriminals focused on stealing:
Usernames
Passwords
Security questions
Banking credentials
Today, authentication has become more robust.
Organizations increasingly deploy:
Conditional access policies
Risk-based authentication
Passwordless technologies
Hardware security keys
As credential theft becomes more difficult, attackers have adapted.
Rather than stealing credentials, they steal authenticated sessions.
If an attacker obtains a valid session cookie, they may gain access to applications without needing:
Passwords
MFA codes
Push notifications
Security keys
From the application's perspective, the attacker appears to be the legitimate user.
The term "Misfortune Cookie" generally refers to phishing campaigns that target browser session cookies and authentication tokens rather than traditional credentials.
In these attacks, users are directed to malicious infrastructure designed to capture authentication data during legitimate login processes.
The objective is often to:
Intercept session tokens
Steal authentication cookies
Hijack active sessions
Bypass MFA protections
Maintain persistent access
Unlike traditional phishing attacks that stop after collecting usernames and passwords, Misfortune Cookie attacks focus on obtaining everything necessary to impersonate an authenticated user.
Although attack variations exist, most campaigns follow a similar workflow.
Attackers begin with a phishing message.
Common examples include:
Microsoft 365 alerts
Password expiration notices
HR communications
Invoice notifications
Cloud document sharing invitations
The goal is to convince users to click a malicious link.
Many modern phishing campaigns utilize reverse proxy frameworks.
These systems sit between the victim and the legitimate service.
The victim believes they are interacting directly with:
Microsoft 365
Google Workspace
Salesforce
VPN portals
Cloud applications
In reality, all traffic passes through attacker-controlled infrastructure.
The victim enters:
Username
Password
MFA code
Because the phishing infrastructure forwards requests to the legitimate application, authentication succeeds.
The user often notices nothing unusual.
After successful authentication, the legitimate service issues session cookies.
Instead of going directly to the user, these cookies pass through the attacker's infrastructure.
The attacker captures:
Session tokens
Authentication cookies
Authorization tokens
Access credentials
The victim remains logged in normally.
Meanwhile, the attacker now possesses the authenticated session.
Using the stolen cookie, the attacker imports the session into their own browser.
From the application's perspective:
Authentication already occurred
MFA already succeeded
Access is legitimate
The threat actor gains immediate access to the account.
Many organizations mistakenly believe MFA eliminates phishing risks.
While MFA remains essential, cookie theft attacks target a different stage of the authentication process.
MFA protects authentication.
Session cookies represent post-authentication access.
The distinction is critical.
Example sequence:
User enters credentials.
User completes MFA challenge.
Application issues session token.
Session token grants ongoing access.
If threat actors steal the session token after MFA completes, they effectively bypass the need to authenticate themselves.
This is why cookie theft attacks have become so popular among sophisticated threat actors.
Many Misfortune Cookie campaigns leverage adversary-in-the-middle (AiTM) techniques.
An AiTM attack places attacker-controlled infrastructure between:
The user
The legitimate application
The infrastructure transparently forwards requests while recording sensitive information.
Advantages for cybercriminals include:
MFA interception
Session token theft
Real-time credential harvesting
Increased success rates
Because authentication occurs against legitimate services, victims often see valid login pages and expected workflows.
This significantly increases the effectiveness of phishing campaigns.
Threat actors prioritize services that provide broad organizational access.
Common targets include:
Compromised accounts may provide access to:
Outlook
SharePoint
Teams
OneDrive
Exchange Online
A single account can expose significant organizational data.
Threat actors seek access to:
Gmail
Drive
Calendar
Administrative consoles
These environments frequently contain sensitive corporate information.
Identity platforms often serve as gateways to multiple applications.
Examples include:
Federation services
Identity management portals
Compromising one identity provider account may unlock dozens of connected applications.
Session hijacking can provide attackers with internal network access.
This may facilitate:
Lateral movement
Privilege escalation
Data theft
Ransomware deployment
Once threat actors gain access, they rarely stop at account compromise.
Common follow-on activities include:
Attackers monitor communications and impersonate employees.
Objectives may include:
Wire fraud
Invoice redirection
Vendor impersonation
Executive fraud
Compromised sessions often provide access to:
Intellectual property
Customer records
Financial documents
Legal files
Sensitive information may be exfiltrated without triggering traditional malware detections.
Attackers frequently leverage compromised accounts to target coworkers.
Because emails originate from legitimate users, success rates often increase dramatically.
Threat actors search for:
Administrative roles
Privileged accounts
Security groups
Misconfigurations
Compromising a single user may eventually lead to domain-wide access.
Organizations should monitor for indicators that suggest session hijacking activity.
Potential warning signs include:
Sessions originating from unexpected regions may indicate compromise.
The same account appearing active from multiple geographic locations can signal session theft.
Examples include:
Mass downloads
Bulk email forwarding
Permission changes
File sharing modifications
Repeated successful authentications followed by suspicious activity warrant investigation.
Attackers often register additional devices or authentication methods to maintain persistence.
Organizations cannot rely on MFA alone.
Defending against session hijacking requires multiple layers of protection.
Traditional MFA methods remain vulnerable to interception.
Organizations should consider:
Hardware-based authentication
WebAuthn implementations
Passkeys
These technologies are significantly more resistant to adversary-in-the-middle attacks.
Conditional access policies can evaluate:
Device trust
Geographic location
Risk scores
User behavior
This reduces the usefulness of stolen session tokens.
Long-lived sessions increase attacker opportunities.
Organizations should:
Reduce session duration
Require reauthentication
Limit persistent sessions
Shorter sessions decrease attacker dwell time.
Security teams should actively monitor:
Session creation
Session reuse
Geographic anomalies
Device changes
Authentication irregularities
Behavioral analytics can help identify suspicious activity early.
Browser protections can reduce exposure.
Examples include:
Secure cookie attributes
HTTP-only cookies
SameSite protections
Browser isolation technologies
These controls help limit cookie theft opportunities.
Users should understand that:
MFA is not infallible
Legitimate-looking login pages can be malicious
URL verification matters
Unexpected login requests should be reported
Security awareness remains an important defense layer.
Organizations should regularly assess their resilience against modern phishing attacks.
Effective security testing may include:
These exercises evaluate:
User susceptibility
Reporting behavior
Awareness effectiveness
Red teams simulate real-world adversaries attempting to:
Harvest credentials
Capture sessions
Bypass MFA
Escalate privileges
These engagements often reveal weaknesses that automated tools miss.
Cloud-focused testing can identify:
Authentication weaknesses
Session management issues
Identity configuration flaws
Access control gaps
Organizations should regularly evaluate:
Identity providers
MFA configurations
Session policies
Conditional access controls
Identity infrastructure has become a primary attack surface.
Several factors contribute to the growth of Misfortune Cookie phishing campaigns.
These include:
Widespread MFA adoption
Growth of cloud services
Remote work environments
Improved phishing frameworks
Availability of attack kits
Increased attacker sophistication
As credential theft becomes more difficult, session theft becomes more attractive.
Threat actors continue adapting their techniques to target the weakest link in authentication workflows.
The cybersecurity industry is gradually moving toward authentication methods designed to resist phishing and session abuse.
Emerging trends include:
Passkeys
Hardware security keys
Continuous authentication
Device-based trust models
These approaches reduce reliance on traditional credentials and strengthen defenses against session hijacking attacks.
Organizations that modernize authentication controls will be better positioned to resist evolving phishing techniques.
Misfortune Cookie phishing attacks represent a significant evolution in cybercriminal tactics. Rather than stealing passwords alone, attackers increasingly target session cookies and authentication tokens that grant direct access to cloud services, business applications, and corporate resources.
By leveraging adversary-in-the-middle techniques, reverse proxy infrastructure, and session hijacking methods, attackers can bypass traditional security controls and exploit authenticated sessions even when multi-factor authentication is enabled.
As organizations continue adopting cloud-first architectures and remote work models, protecting identity infrastructure and session management becomes increasingly critical. Defending against these attacks requires more than strong passwords and MFA. Security teams must implement phishing-resistant authentication, conditional access controls, behavioral monitoring, and regular security testing to reduce risk.
The organizations that recognize session cookies as valuable security assets—and protect them accordingly—will be far better equipped to defend against the next generation of phishing threats.