Infostealer 2026: How Stolen Session Cookies Bypass MFA
In February, a developer at a DAX company receives a seemingly harmless ZIP file via LinkedIn. He opens it, and nothing visible happens. Two weeks later, his SOC alerts him: his session cookies are being sold on a Russian-language marketplace, including an active Microsoft 365 session. MFA, Conditional Access, and geofencing were all bypassed, because the attacker never had to log in. Welcome to the reality of 2026: infostealers have long been the most underestimated threat to enterprises, and they sidestep precisely the controls that CISOs have invested the most in over the past five years.
Key Takeaways
1. Infostealers are commodity malware, yet they remain one of the most overlooked threats to enterprise security.
2. MFA, Conditional Access, and geofencing protect the login, not the session that follows; a stolen session cookie walks past all three.
3. Companies must reassess their defenses around the session model, not only around authentication.
Frequently Asked Questions
What is an infostealer?
An infostealer is a type of malware designed to secretly collect sensitive information from a victim’s device, such as login credentials, browser cookies, or financial data. These tools are commonly used by cybercriminals to gain unauthorized access to systems and accounts.
How do infostealers bypass MFA and other security measures?
Infostealers do not break MFA; they avoid it. The victim is tricked into running a loader (a cracked installer, a fake tool download, a ZIP from a social-media contact), the stealer copies the browser's cookie and credential databases, and the attacker imports the session cookies into a browser of their own. The identity provider sees the continuation of an existing, already MFA-verified session rather than a new login, so MFA, geofencing, and most Conditional Access rules are never re-evaluated.
Why are infostealers considered the “most underestimated threat”?
Unlike ransomware, infostealers do not announce themselves. The malware runs for a few minutes, exfiltrates once, and frequently deletes itself; the damage only surfaces weeks later, when a buyer of the stolen data uses the session. That gap between infection and abuse, combined with the fact that the infected machine is often not a corporate device at all, is what makes them particularly dangerous for organizations.
What steps can companies take to protect themselves against infostealers?
1. Educate employees about the risks of opening suspicious files, especially cracked software and "free" installers on personal machines that are also used for work.
2. Implement endpoint detection and response (EDR) and tune it for the stealer pattern: browser credential stores read by a non-browser process, a DPAPI call, a single outbound upload, and self-deletion within minutes.
3. Regularly update software and patch known vulnerabilities.
4. Monitor identity telemetry for session reuse from unexpected networks or devices, and shorten session lifetimes so stolen cookies expire quickly.
5. Conduct regular security audits and penetration testing to assess potential weaknesses in your infrastructure, including whether a stolen session cookie alone grants access to critical applications.
Key Takeaways
- Infostealer malware specifically steals session cookies, tokens, and credentials: RedLine, Lumma, Raccoon, Vidar, and several successors have been active for years and continue to evolve as a service, surviving even takedowns such as the 2024 action against RedLine and the 2025 disruption of Lumma.
- Stolen session cookies bypass MFA: If an attacker possesses a valid session, they no longer need to authenticate. Conditional Access only kicks in when a new login flow is initiated.
- Marketplaces such as Russian Market and the successors to Genesis Market trade millions of credentials monthly: attackers purchase logs filtered by domain, industry, or country. Access to a company can cost between 10 and 300 euros.
- EDR solutions often detect infostealers too late: the malware typically remains on the system for only minutes before exfiltrating data and self-deleting, and every build carries a fresh hash, so signature-based detection fails and behavior-based detection has a very small window.
- Defense must be organizational, not just technical: Session lifetime limits, device trust policies, continuous access evaluation, and phishing-resistant authentication are essential components for cybersecurity preparedness by 2026.
How an Infostealer Actually Works in 2026
The engineering behind modern infostealers lies not in the sophistication of individual attacks but in the industrialization of the payload. A RedLine or Lumma builder is rented out as a service via Telegram, with monthly subscriptions ranging from $100 to $300. Customers receive a freshly built, individually obfuscated binary, a configuration interface for exfiltration destinations, dashboard access to stolen data, and often support channels for distribution-related questions. This is no hobbyist scene; it is a SaaS marketplace complete with customer service.
The process on the victim system is typically straightforward, which is precisely why it succeeds. The stealer is delivered by a loader, often via cracked software downloads, fake installers for popular tools, or ZIP files shared on social media. Once executed, it scans the standard profile paths of Chromium browsers, Firefox, Discord, Telegram, Steam, crypto wallets, and FTP clients. It copies the cookie and login databases and decrypts them in the user's own security context: in Chromium browsers the values are AES-encrypted with a key kept in the profile's Local State file, which is itself wrapped with Windows DPAPI for the logged-in user, so any process running as that user can unwrap it through CryptUnprotectData. Chrome's app-bound encryption, introduced in 2024, raised the bar, but the major families shipped bypasses within months. The loot is compressed into an archive, exfiltrated to a command-and-control server or a Telegram bot, and the process deletes itself. In most cases the entire operation takes less than two minutes.
Afterward, the data ends up on one of the well-known marketplaces. Russian Market has been the go-to destination for corporate credentials for years, while successors to Genesis Market, seized by the FBI and Europol in April 2023, serve the same clientele. Buyers filter listings by domain suffix, cookie age, and available session types. A dataset containing fresh Microsoft 365 session cookies paired with a domain account from a DAX subsidiary fetches two- to three-digit sums, depending on quality and context.
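What that sequence looks like in endpoint telemetry, and how a detection can correlate it inside the two-minute window, as an added example that is not part of the original article: the event format, file paths, process names and sample events below are constructed for this page. In a real deployment you would map them onto your EDR or Sysmon fields (process creation, file read, API call, network connection, file delete) and extend the credential-store path list to the applications in your environment.

```python
import re
from collections import defaultdict

# Paths whose contents a stealer needs. Matched against Windows paths with
# single backslashes; the regexes escape them as "\\".
CRED_STORE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\\User Data\\.*\\(Cookies|Login Data|Web Data)$",          # Chromium family
        r"\\User Data\\Local State$",                                  # DPAPI-wrapped AES key
        r"\\Profiles\\.*\\(cookies\.sqlite|key4\.db|logins\.json)$",  # Firefox
        r"\\discord\\Local Storage\\leveldb\\",
        r"\\(Exodus|Electrum|Ethereum)\\",                             # wallet directories
    )
]
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
WINDOW_S = 120  # the page: the whole run takes under two minutes


def ev(ts, pid, image, kind, **fields):
    """Build one constructed telemetry event (hypothetical schema)."""
    return {"ts": ts, "pid": pid, "image": image, "type": kind, **fields}


STEALER = r"C:\Users\dev\Downloads\Project_Brief\setup.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PROFILE = r"C:\Users\dev\AppData\Local\Google\Chrome\User Data"

# Constructed sample: one stealer run (pid 4711) beside the legitimate browser
# (pid 1200), which touches the same files and also calls DPAPI.
SAMPLE_TELEMETRY = [
    ev(0, 4711, STEALER, "process_start"),
    ev(3, 4711, STEALER, "file_read", path=PROFILE + r"\Local State"),
    ev(4, 4711, STEALER, "file_read", path=PROFILE + r"\Default\Network\Cookies"),
    ev(5, 4711, STEALER, "file_read", path=PROFILE + r"\Default\Login Data"),
    ev(6, 4711, STEALER, "api_call", name="CryptUnprotectData"),
    ev(40, 4711, STEALER, "net_connect", dest="api.telegram.org:443"),
    ev(45, 4711, STEALER, "file_delete", path=STEALER),
    ev(10, 1200, CHROME, "file_read", path=PROFILE + r"\Default\Network\Cookies"),
    ev(11, 1200, CHROME, "file_read", path=PROFILE + r"\Default\Login Data"),
    ev(11, 1200, CHROME, "api_call", name="CryptUnprotectData"),
    ev(12, 1200, CHROME, "net_connect", dest="www.google.com:443"),
]


def is_cred_store(path):
    return any(p.search(path) for p in CRED_STORE_PATTERNS)


def score_process(events):
    """Return (score, reasons) for the events of one process."""
    events = sorted(events, key=lambda e: e["ts"])
    image = events[0]["image"].lower()
    reasons = []
    stores = {e["path"] for e in events if e["type"] == "file_read" and is_cred_store(e["path"])}
    # A browser reading its own stores is normal. Caveat: a stealer injected into
    # the browser process escapes this exclusion; the other three signals still count.
    if len(stores) >= 2 and image.rsplit("\\", 1)[-1] not in BROWSERS:
        reasons.append(f"non-browser process reads {len(stores)} credential stores")
    if any(e["type"] == "api_call" and e["name"] == "CryptUnprotectData" for e in events):
        reasons.append("calls CryptUnprotectData (DPAPI unwrap)")
    store_ts = [e["ts"] for e in events if e["type"] == "file_read" and is_cred_store(e["path"])]
    net = [e for e in events if e["type"] == "net_connect"]
    if store_ts and any(0 <= n["ts"] - min(store_ts) <= WINDOW_S for n in net):
        reasons.append(f"egress to {net[0]['dest']} within {WINDOW_S}s of credential reads")
    if any(e["type"] == "file_delete" and e["path"].lower() == image for e in events):
        reasons.append("deletes its own executable")
    return len(reasons), reasons


def detect(events, threshold=3):
    """Group events per process and alert when enough signals coincide."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    alerts = {}
    for pid, evs in by_pid.items():
        score, reasons = score_process(evs)
        if score >= threshold:
            alerts[pid] = {"image": evs[0]["image"], "score": score, "reasons": reasons}
    return alerts


if __name__ == "__main__":
    for pid, alert in detect(SAMPLE_TELEMETRY).items():
        print(pid, alert["image"], alert["reasons"])
```

The threshold is the point: Chrome itself reads the same stores and calls DPAPI, so any single signal is noise. The combination of a non-browser image, the DPAPI call, an upload seconds after the reads, and self-deletion is what distinguishes the stealer, and because all of it happens inside two minutes the correlation has to run on streaming events rather than on a nightly batch.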
“We repeatedly observe the same pattern among our client base: MFA is properly enabled, Conditional Access is active, and device enrollment is in place, but a single personal laptop infected with an infostealer is enough to completely bypass the security perimeter. The issue of session cookies remains largely unrecognized by most CISOs.”
– Typical feedback from German incident response teams, 2025
Why MFA Alone Doesn’t Solve the Problem
The assumption that MFA makes a system resistant to credential theft is incorrect. Traditional MFA methods (SMS, push notifications, TOTP) authenticate a login attempt. Once the attempt succeeds, the identity provider issues a session, typically a browser cookie plus refresh tokens, that lasts anywhere from eight hours to 90 days depending on configuration. Whoever holds that cookie during this period and imports it into their own browser simply continues the session: no MFA prompt, no security questions, no new login. Conditional Access is evaluated when the identity provider issues tokens for an application, and a replayed cookie passes most of those checks: the user is the same, the sign-in risk looks low, and a residential proxy in the right country satisfies location rules. The one control that does interfere with raw cookie replay is a requirement for a compliant or hybrid-joined device, because that claim comes from the device itself rather than from the cookie; tenants without such a requirement have nothing left between the cookie and the data.
Microsoft's Continuous Access Evaluation (CAE), generally available in Entra ID since 2022 and enabled by default, addresses part of this. With CAE, the identity provider pushes critical events (account disabled, password changed, administrator session revocation, elevated user risk, a request from an IP address outside the allowed locations) to participating workloads, which then reject the existing access token in near real time instead of honoring it until expiry. CAE does not itself detect a replayed cookie; it shortens the time between a revocation decision and its effect. App-level support also remains inconsistent: Exchange Online, SharePoint Online, Teams, and the Microsoft 365 apps honor it, while many third-party and older clients keep using their token until it expires. Enabling it closes a significant number of paths, but not all of them.
The stronger answer on the login side is phishing-resistant authentication based on FIDO2/WebAuthn. Passkeys and hardware security keys sign a server-issued challenge with a private key that never leaves the authenticator, and the signature is bound to the web origin, so a lookalike site cannot obtain a usable response and a captured response cannot be replayed. That removes password phishing, MFA fatigue, and stolen one-time codes as entry points. It does nothing for a session cookie that has already been stolen, because the cookie is issued after the FIDO2 ceremony completes. The workable combination is phishing-resistant login, short session lifetimes, device-bound sessions, and a revocation path that actually reaches the applications.
– MFA alone does not prevent attackers from gaining unauthorized access if session cookies are stolen.
– Microsoft’s Continuous Access Evaluation (CAE) lets participating workloads reject tokens in near real time once a critical event or an administrative revocation occurs, but application support is still uneven.
– Phishing-resistant authentication using FIDO2 standards like Passkeys offers stronger protection against credential theft, but it must be paired with other measures such as short-lived sessions and continuous invalidation to provide comprehensive security.
What is Continuous Access Evaluation (CAE)?
Continuous Access Evaluation (CAE) is an Entra ID mechanism, generally available since 2022, in which the identity provider notifies participating Microsoft 365 workloads of critical events such as account disablement, password change, administrator session revocation, or elevated user risk, so that those workloads reject the existing access tokens in near real time instead of waiting for them to expire. It does not detect a replayed cookie on its own, but it makes revocation take effect quickly once theft is suspected.
How does FIDO2-based authentication differ from traditional MFA?
FIDO2 authenticators (passkeys and hardware security keys) are themselves a multi-factor method: the private key held by the authenticator is the possession factor, and the PIN or biometric that unlocks it is the knowledge or inherence factor. What sets them apart from SMS, push, and TOTP is phishing resistance: the authenticator signs a challenge bound to the web origin, so a fake login page cannot obtain a valid response, and there is no shared secret or one-time code for an attacker to capture and replay.
Can MFA and FIDO2 be used together?
Yes, in the sense that FIDO2 should be the MFA method. Deploying passkeys or security keys as the second factor and retiring SMS, TOTP, and push for those users is stronger than layering FIDO2 on top of weaker methods, because any fallback method that remains enabled is exactly what a phisher will target. Together with the session controls described in this article, this covers both credential theft and the reuse of stolen sessions.
Why EDR Solutions Don’t Fully Close the Gap
Modern EDR products can in principle detect infostealer behavior. In practice, detection rates for new stealer variants are often poor in the first weeks. The reason lies in the polymorphism model: stealer builders re-pack and obfuscate the binary for every build, so each distributed instance carries a unique hash. Signature-based detection fails by construction, and behavior-based detection has a window of a minute or two in which the process reads browser credential stores, calls DPAPI, sends a single archive, and exits.
In addition, many infections occur on personal devices. Bring Your Own Device (BYOD), remote work from home, a personal laptop used for side projects or gaming with cracked software-these are all channels that fall outside an organization’s EDR coverage. Even so, stolen credentials and cookies still end up on the dark web marketplace, and sessions can remain active even if the company’s actual device stays clean.
This leads to an uncomfortable truth: the assumption that modern EDR combined with multi-factor authentication (MFA) and device compliance is sufficient no longer holds in a world where infostealers are prevalent. Chief Information Security Officers (CISOs) must assume that a valid session cookie belonging to one of their users could be reused on a third-party device at any time, and the infrastructure needs to be able to detect such scenarios.
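One way to give the infrastructure that detection on the identity side, as an added example that is not code from the article or from any vendor: correlate sign-in records by session identifier and flag a session that reappears with a different network, browser, and device fingerprint. The records below are constructed; the field names loosely follow Entra ID sign-in logs (sessionId, ipAddress, autonomousSystemNumber, userAgent, deviceDetail) but are this example's own, the IP addresses come from documentation ranges, and the ASNs are private-use numbers. Both sides are deliberately placed in the same country, so a geofence alone would stay silent.

```python
from collections import defaultdict

# Constructed sign-in records (hypothetical schema). The third record is the
# same session id two weeks later from a hosting ASN, a Linux browser and no
# managed device: the attacker replaying the stolen cookie through a proxy.
SAMPLE_SIGNINS = [
    {"ts": "2026-02-03T08:02:11Z", "user": "dev@example.corp", "session_id": "s-7f3a",
     "ip": "198.51.100.23", "asn": 64496, "country": "DE",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131", "device_id": "intune-3c9e"},
    {"ts": "2026-02-03T11:40:27Z", "user": "dev@example.corp", "session_id": "s-7f3a",
     "ip": "198.51.100.23", "asn": 64496, "country": "DE",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131", "device_id": "intune-3c9e"},
    {"ts": "2026-02-17T14:21:05Z", "user": "dev@example.corp", "session_id": "s-7f3a",
     "ip": "203.0.113.77", "asn": 64497, "country": "DE",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/130", "device_id": None},
    {"ts": "2026-02-17T09:00:00Z", "user": "ops@example.corp", "session_id": "s-11bb",
     "ip": "198.51.100.31", "asn": 64496, "country": "DE",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/132", "device_id": "intune-88a1"},
]

# A single changed component is routine (browser update, VPN toggle, mobile
# carrier NAT). Two or more within one session id is the replay signal.
REPLAY_SIGNAL_THRESHOLD = 2


def divergence(first, later):
    """Fingerprint components that differ between the session's first record
    and a later one. device_id only counts when the session started on a
    managed device; a BYOD session has None from the start and says nothing."""
    signals = []
    if later["asn"] != first["asn"]:
        signals.append("asn")
    if later["ua"] != first["ua"]:
        signals.append("user_agent")
    if first["device_id"] is not None and later["device_id"] != first["device_id"]:
        signals.append("device")
    return signals


def find_reused_sessions(records, threshold=REPLAY_SIGNAL_THRESHOLD):
    """Return one finding per session id whose later records diverge from the
    record the session was issued to."""
    by_session = defaultdict(list)
    for r in records:
        by_session[r["session_id"]].append(r)
    findings = []
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])  # ISO-8601 UTC strings sort chronologically
        first = recs[0]
        for later in recs[1:]:
            signals = divergence(first, later)
            if len(signals) >= threshold:
                findings.append({
                    "session_id": sid,
                    "user": later["user"],
                    "issued_to": (first["ip"], first["device_id"]),
                    "replayed_from": (later["ip"], later["device_id"]),
                    "replayed_at": later["ts"],
                    "signals": signals,
                    "geofence_would_fire": later["country"] != first["country"],
                    # In Entra ID, POST /users/{id}/revokeSignInSessions invalidates
                    # refresh tokens and browser session cookies; follow with a
                    # credential reset and a hunt for mailbox rules and downloads
                    # created after replayed_at.
                    "action": "revoke sign-in sessions, reset credentials, hunt post-replay activity",
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_reused_sessions(SAMPLE_SIGNINS):
        print(f["session_id"], f["user"], f["signals"], "geofence:", f["geofence_would_fire"])
```

The point of the geofence_would_fire field is to make the blind spot visible: in the sample the replay comes from the same country, so location policy passes, while the session-level comparison still catches it. Tune the threshold against your own sign-in logs before alerting on it; corporate VPN egress and browser auto-updates are the usual sources of single-signal noise.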
The Defense Stack for 2026
Keep session lifetimes short. The simplest measure is also the most aggressive. Entra ID (the Conditional Access sign-in frequency and persistent browser session controls), Okta (session lifetime and idle timeout), Google Workspace (session length), and other major identity providers allow maximum session lifetimes in the range of hours rather than days. Setting lifetimes to four to eight hours and requiring re-authentication for privileged actions shrinks the window in which a stolen cookie is usable to a fraction of the default.
Enable continuous access evaluation (CAE). Where available, CAE is the most effective measure against session theft. In Entra ID, CAE is configurable, and by 2026, most Microsoft 365 workloads support CAE-based invalidation. The prerequisite is that all client applications are CAE-aware, which in heterogeneous environments constitutes an auditing task.
Device trust and device binding. Modern identity systems support binding a session to the device it was issued on. A bound session cannot be reused elsewhere because each request or token refresh must carry proof of possession of a device-held key that the stealer cannot export. In Entra ID this is the Token protection session control in Conditional Access (currently for Windows clients); Chrome's Device Bound Session Credentials (DBSC) is the browser-side analogue; Beyond Identity, Cisco Duo, and Okta Device Trust offer variants at different levels of sophistication, and Intune supplies the device compliance signal that Conditional Access consumes. Protecting critical applications this way makes a copied cookie worthless for those applications; unbound applications and legacy clients remain exposed.
Credential monitoring in dark-web sources. Services such as Recorded Future, Flare, Hudson Rock, and KELA continuously scan relevant marketplaces for company domains and deliver alerts when new data sets appear. Organizations that embed this capability into their security operations centers (SOCs) often receive the first warning before an attacker exploits a session. Integration with SIEM and SOAR platforms has become standard practice by 2026.
Phishing-resistant authentication. Passkeys and FIDO2 hardware tokens form the foundation of every Zero Trust architecture designed for 2026. While they do not solve the session cookie problem, they dramatically shorten the initial entry point of the attack chain. No password phishing, no MFA fatigue attacks, and no stolen TOTP codes-and thus less initial access for everything that follows.
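The session-side measures above, short lifetimes and device binding, together with the replay they are meant to defeat, as one added, runnable model that is not code from the article or from any identity provider: a toy identity provider checks MFA exactly once at login and issues a cookie, an attacker replays the copied cookie from another machine, and a device-bound variant additionally demands proof of possession of a per-device secret that the cookie thief never obtained. The HMAC shared secret stands in for the asymmetric, TPM-held key pair that Entra Token protection or Chrome DBSC use; class names, user names, and timestamps are illustrative.

```python
import hashlib
import hmac
import secrets

SESSION_LIFETIME_S = 8 * 3600  # hours, not days: the range recommended above


class Device:
    """The user's endpoint. Holds a per-device secret that never leaves it.
    Real implementations keep an asymmetric private key in the TPM and give
    the IdP only the public key; HMAC keeps this example stdlib-only."""

    def __init__(self, key_id):
        self.key_id = key_id
        self._secret = secrets.token_bytes(32)

    def registration(self):
        # With real asymmetric keys only the public key would be handed over.
        return self.key_id, self._secret

    def prove(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class IdentityProvider:
    def __init__(self):
        self.sessions = {}     # cookie value -> session record
        self.device_keys = {}  # key_id -> registered key material

    def register_device(self, device):
        key_id, material = device.registration()
        self.device_keys[key_id] = material

    def login(self, user, password_ok, mfa_ok, now, device=None):
        """MFA is evaluated here and only here. Everything after runs on the cookie."""
        if not (password_ok and mfa_ok):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"user": user, "issued": now,
                                 "device": device.key_id if device else None}
        return cookie

    def new_challenge(self):
        return secrets.token_bytes(16)

    def access(self, cookie, now, challenge=None, proof=None):
        """Resource access: no password, no MFA prompt, only the cookie, plus
        proof of device possession when the session is bound."""
        s = self.sessions.get(cookie)
        if s is None:
            return "denied: unknown session"
        if now - s["issued"] > SESSION_LIFETIME_S:
            return "denied: session expired, re-authentication required"
        if s["device"] is not None:
            expected = hmac.new(self.device_keys[s["device"]], challenge or b"",
                                hashlib.sha256).digest()
            if proof is None or not hmac.compare_digest(expected, proof):
                return "denied: device-bound session, possession proof failed"
        return "granted: " + s["user"]


def scenario():
    """Walk through theft, replay, expiry and binding; returns the outcomes."""
    idp = IdentityProvider()
    t0 = 1_700_000_000  # constructed epoch timestamp
    out = {}

    # 1. Unbound session: victim logs in with MFA, the stealer copies the cookie.
    cookie = idp.login("dev@example.corp", True, True, now=t0)
    out["victim_access"] = idp.access(cookie, now=t0 + 60)
    out["replay_no_mfa"] = idp.access(cookie, now=t0 + 3600)            # attacker's machine
    out["replay_after_lifetime"] = idp.access(cookie, now=t0 + 9 * 3600)  # past 8 h

    # 2. Device-bound session: same theft, but the cookie alone is not enough.
    laptop = Device("laptop-tpm-key-1")
    idp.register_device(laptop)
    bound = idp.login("dev@example.corp", True, True, now=t0, device=laptop)
    ch = idp.new_challenge()
    out["bound_victim"] = idp.access(bound, now=t0 + 60, challenge=ch, proof=laptop.prove(ch))
    ch2 = idp.new_challenge()
    out["bound_replay"] = idp.access(bound, now=t0 + 60, challenge=ch2, proof=None)
    # Replaying a captured proof against a fresh challenge fails too.
    out["bound_replay_old_proof"] = idp.access(bound, now=t0 + 60, challenge=ch2,
                                               proof=laptop.prove(ch))
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step:24} {result}")
```

Two things to take from the run: the unbound replay is indistinguishable from the victim's own request, which is why no amount of MFA strength helps after the cookie is gone, and the bound variant fails the attacker even with a captured proof, because every proof answers a fresh server challenge. The lifetime check is deliberately crude (issued-at plus a constant); real providers also apply idle timeouts and sign-in frequency per application.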
Key Takeaways
- Shortening session lifetimes significantly reduces the window of opportunity for attackers.
- Continuous Access Evaluation (CAE) is the most effective defense against session theft when properly configured.
- Device binding prevents reuse of a stolen session on another device, which neutralizes cookie replay for the applications that enforce it.
- Credential monitoring services provide early warnings about compromised credentials, enabling proactive response.
- Phishing-resistant authentication methods like Passkeys and FIDO2 tokens drastically reduce initial attack vectors.
Questions?
Q: Why is shortening session lifetimes considered the most aggressive measure?
A: Because it directly limits the time window during which stolen session cookies can be exploited, making them much less valuable to attackers.
Q: What is Continuous Access Evaluation (CAE), and why is it important?
A: CAE is an event-driven mechanism in which the identity provider tells participating workloads about critical events (account disabled, password changed, session revoked, user risk raised) so that they stop accepting the affected tokens in near real time rather than at their scheduled expiry. It ensures that users keep access only as long as the conditions under which it was granted still hold, and it makes an administrator's revocation bite within minutes instead of hours.
Q: How does device binding enhance security compared to traditional session management?
A: Device binding ties a session to a specific device using cryptographic keys. If an attacker attempts to use a stolen session on a different device, the session will fail because the necessary device-specific key is missing, effectively neutralizing the threat.
Q: Can credential monitoring services completely prevent session theft?
A: While these services cannot entirely prevent session theft, they provide early detection and alerts, allowing organizations to take immediate action before attackers can exploit compromised credentials.
Q: Are Passkeys and FIDO2 tokens sufficient to protect against all types of session-related threats?
A: No, they do not eliminate the need for other security measures. However, they significantly reduce the likelihood of successful phishing attacks and other common entry points for session theft, making them a crucial component of a comprehensive security strategy.
What the BKA and BSI See in the Infostealer Threat Landscape for 2025/26
The threat landscape reports from German authorities paint a clear picture for 2025 and 2026: Infostealer-based attacks are among the most active threats targeting German companies, classified by law enforcement and cybersecurity regulators as a structural problem. The key observation: Almost all documented ransomware incidents over the past twelve months that fell under the KRITIS reporting obligation did not begin with a direct breach of corporate systems. Instead, they started with credentials stolen via infostealers on third-party systems, which were later used weeks afterward as a targeted entry vector.
The decoupling between initial compromise and the actual attack is the most challenging aspect for forensic investigation. Today, an infostealer might infect a personal laptop, exfiltrate saved browser cookies belonging to a Microsoft 365 user, and the attacker who purchases those cookies weeks later from a marketplace has no technical connection whatsoever to the original infection. Security teams may only see an entry point in the form of a legitimate Office 365 session originating from a geographically plausible IP address and properly authenticated. Without telemetry from the marketplace ecosystem, this entry cannot be identified as malicious.
The organizational implication is clear: Defending against infostealers is not a project that can be handled in isolation by an IAM department, a SOC, or an endpoint team. It impacts identity management, endpoint management, SOC telemetry, threat intelligence gathering, HR policies, and the legal department simultaneously. Any organization that confines its efforts to just one of these silos will inevitably fall short.
In practice, this means CISOs must bring together at least four distinct roles that are still often kept strictly separate within many organizations. First, the identity team responsible for session policies and CAE configuration. Second, the endpoint team tasked with device trust and EDR telemetry. Third, the SOC for correlation and detection engineering. And fourth, the threat intelligence team focused on dark web monitoring and credential alerts. Organizations that integrate these four roles into a unified incident response matrix can demonstrably improve their response speed and significantly reduce the average dwell time of a stolen cookie within the production environment.
The good news is that most of this transition does not require new tools: session lifetime, CAE, device compliance, and phishing-resistant methods are configuration in the identity provider you already run, and the one piece that is commonly missing, dark-web credential monitoring, is a subscription rather than a platform. What it does require is a clear assignment of responsibilities, a shared metric, and a commitment to treat infostealer defense as a standalone program rather than as a secondary concern managed by individual teams.
Key Facts at a Glance
Typical Stealer Families in 2026: RedLine, Lumma, Raccoon v2, Vidar, Stealc, Rhadamanthys. All available as MaaS.
Typical Exfiltration Channels: Telegram bots, Cloudflare Workers, compromised web hosts, direct connections to C2 infrastructure.
Marketplaces: Russian Market, Exchange.sh, 2easy, as well as various Telegram channels for quick resale.
Price Range per Corporate Data Set: 10 to 300 Euros, with markups for Office 365 tokens, VPN access, and privileged accounts.
Mean Time to Detection without Dark Web Monitoring: According to incident response practitioners, an average of several weeks-often not until after a downstream attack.
Effective Countermeasures: Short session lifetimes, Continuous Access Evaluation (CAE), device trust and device binding, phishing-resistant authentication, credential monitoring, and Conditional Access with risk scoring.
Frequently Asked Questions
Why isn’t MFA enough to stop infostealer attacks?
MFA secures the login, not the session that follows. An infostealer copies valid session cookies from the victim's system; the attacker imports them into their own browser and continues the active session, without the identity system registering a new login. MFA is only evaluated again when the session expires, is revoked by an administrator, or is invalidated through Continuous Access Evaluation (CAE) after a critical event.
Are passkeys a solution against infostealers?
Passkeys protect the initial authentication and remove phishable credentials as an entry vector. They do not address session cookies that have already been stolen. Organizations that deploy passkeys shrink their attack surface considerably, but must also enforce session lifetime limits, Continuous Access Evaluation (CAE), and device binding to close the cookie reuse path.
How quickly can a SOC respond if an infostealer incident occurs?
With dark web monitoring and automated SIEM integration, a response within hours is achievable. Without these components, a security operations center (SOC) typically only discovers the compromise when the attacker triggers noticeable activities-such as email rule changes, unusual downloads, or attempts to escalate privileges. By then, days or even weeks may have already passed.
What role do personal devices play in the infostealer threat landscape?
A significant one. According to recent incident response data, most successful infections occur on personal devices that are also used for work purposes. Enforcing device compliance on corporate devices alone is insufficient as long as users keep accessing corporate resources from personal systems. A strict separation of personal and work devices, or device binding of sessions, remain the approaches that actually hold up as of 2026.
How high should infostealer prevention rank on the 2026 security roadmap?
Very high. This type of attack is scalable, cheap for adversaries, and bypasses traditional security investments. CISOs who have invested heavily in MFA, endpoint detection and response (EDR), and identity management in recent years must now explicitly address the session model. This means shortening session lifetimes, enabling Continuous Access Evaluation (CAE), introducing device trust and device binding, and establishing dark web monitoring, all four measures together rather than relying on any one of them.
Further Reading
→ Ransomware 2026: What Happens When Companies Pay and What Happens When They Don’t
→ Post-Quantum Cryptography: Why Companies Need to Upgrade Their Encryption Now
→ Deepfake Attacks on the C-Suite: How AI-Generated Voices Can Steal Millions
Image source: Pexels / Sora Shimazaki (px:5935787)