
Infostealers Are Bypassing MFA by Stealing Session Cookies

· Infonaligy

Infostealer malware now steals browser session cookies that bypass MFA entirely. 75% of 2026 breaches are identity-based. Here is what to do about it.


Your company deployed MFA, and that was the right call. But attackers have moved past it. According to the Constella Intelligence 2026 Identity Breach Report, 75% of breaches this year are identity-based, and the weapon driving that shift is infostealer malware that harvests browser session cookies alongside passwords. Those stolen cookies let attackers walk into your accounts without ever triggering an MFA prompt.

Infostealers Have Evolved Beyond Password Theft

Infostealer malware like RedLine, Raccoon, and Lumma has been harvesting saved passwords from browsers for years. We covered how that attack chain works in our post on credential theft and password reuse. The short version: an employee opens a malicious attachment or downloads a compromised file, and the malware silently scrapes every credential saved in their browser.

What changed in 2025 and 2026 is the scope of what infostealers collect beyond passwords. Modern variants grab session cookies, autofill data, browser extension tokens, and cached authentication credentials. Session cookies are the most dangerous target because each one represents an already-authenticated session. When an attacker has your session cookie, they don’t need your password or your MFA code. They paste the cookie into their own browser and inherit your logged-in session, complete with “trusted device” status.

The malware ecosystem has industrialized this process. According to Frontier Enterprise’s analysis of AI-powered infostealers, infostealers processed 51.7 million credential packages in 2025, a 72% increase year over year, infecting 24.8 million devices globally. Each package can contain dozens of saved passwords, session cookies, and authentication tokens from a single compromised machine.

How Session Cookie Theft Bypasses MFA Entirely

MFA works by verifying identity at the point of login. You enter your password, then confirm with a second factor like an authenticator app code or push notification. Once authentication succeeds, the service issues a session cookie that tells the server “this user already proved who they are.” Every subsequent request uses that cookie instead of re-authenticating.

Session cookie theft skips the entire login process. The attacker never enters a password. They never encounter an MFA challenge. They import the stolen cookie into their browser and the service treats them as the legitimate, already-authenticated user. From the perspective of your Microsoft 365 tenant or banking portal, it looks like a normal session from a trusted device.

This is different from the adversary-in-the-middle (AiTM) phishing attacks covered in the Guardz 2026 threat report analysis, where attackers intercept MFA codes in real time by proxying the login page. Session cookie theft doesn’t require the employee to do anything at the time of the attack. The cookie was stolen days or weeks earlier by an infostealer running silently on a personal device. The attacker uses it whenever they’re ready.

Traditional security tools struggle to detect this because the session looks legitimate. The cookie is valid. The authentication is already complete. Unless your monitoring specifically watches for anomalous session behavior (logins from unexpected locations, device fingerprint changes mid-session, or impossible travel patterns), the access appears normal.
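The three signals named above (unexpected location, mid-session fingerprint change, impossible travel) can be checked directly against sign-in telemetry. The following is an added example, not code from the original post: it runs over a small set of constructed session records (the `session_id`, geolocation and `fingerprint` fields are assumed to be available from your identity provider or proxy logs) and flags a cookie that is presented from a new device and from a location it could not have reached in the elapsed time.

```python
"""Flag anomalous session behaviour in sign-in telemetry.

Constructed example (not from the post): each record is one request seen
for an authenticated session, with the session identifier, a coarse
geolocation for the client IP, and a device fingerprint summary.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SessionEvent:
    session_id: str      # identifies the session cookie, not the user
    user: str
    ts: datetime
    lat: float
    lon: float
    city: str
    fingerprint: str     # browser/OS/device fingerprint summary (assumed field)


# Constructed sample telemetry. Session "s1" is used normally from Chicago,
# then the same cookie appears 50 minutes later from Berlin on a different
# browser: the pattern a replayed stolen cookie produces.
EVENTS = [
    SessionEvent("s1", "alice@example.com", datetime(2026, 3, 2, 9, 0), 41.88, -87.63, "Chicago", "Edge/Win11/fp-a1"),
    SessionEvent("s1", "alice@example.com", datetime(2026, 3, 2, 9, 40), 41.88, -87.63, "Chicago", "Edge/Win11/fp-a1"),
    SessionEvent("s1", "alice@example.com", datetime(2026, 3, 2, 10, 30), 52.52, 13.40, "Berlin", "Chrome/Linux/fp-zz"),
    # Session "s2" is a legitimate cross-country trip: 7 hours New York to Los Angeles.
    SessionEvent("s2", "bob@example.com", datetime(2026, 3, 2, 8, 0), 40.71, -74.01, "New York", "Safari/macOS/fp-b7"),
    SessionEvent("s2", "bob@example.com", datetime(2026, 3, 2, 15, 0), 34.05, -118.24, "Los Angeles", "Safari/macOS/fp-b7"),
]

# Faster than a commercial flight between two events of one session is "impossible travel".
MAX_SPEED_KMH = 900.0
# Ignore small moves (IP geolocation jitter inside one metro area).
MIN_DISTANCE_KM = 50.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def detect_session_anomalies(events, max_speed_kmh=MAX_SPEED_KMH, min_distance_km=MIN_DISTANCE_KM):
    """Return one finding per suspicious transition between consecutive events of a session."""
    by_session = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_session.setdefault(e.session_id, []).append(e)

    findings = []
    for sid, evs in by_session.items():
        for prev, cur in zip(evs, evs[1:]):
            # A session cookie was issued to one browser; a new fingerprint
            # mid-session means the cookie is being presented from elsewhere.
            if cur.fingerprint != prev.fingerprint:
                findings.append({"session_id": sid, "user": cur.user, "type": "fingerprint_change",
                                 "detail": f"{prev.fingerprint} -> {cur.fingerprint}"})
            dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            if dist_km >= min_distance_km and (hours == 0 or dist_km / hours > max_speed_kmh):
                findings.append({"session_id": sid, "user": cur.user, "type": "impossible_travel",
                                 "detail": f"{prev.city} -> {cur.city}: {dist_km:.0f} km in {hours * 60:.0f} min"})
    return findings


if __name__ == "__main__":
    for f in detect_session_anomalies(EVENTS):
        print(f"[{f['type']}] session={f['session_id']} user={f['user']} {f['detail']}")
```

Keying on the session identifier rather than the user is the point: the legitimate user and the attacker share one cookie, so the transition between consecutive uses of that cookie is where the replay shows up. Bob's New York to Los Angeles trip passes because the implied speed is under the threshold and his fingerprint is unchanged.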

The Scale of the Identity Crisis

The volume of credential and session data exposure is accelerating faster than most businesses realize.

The Constella Intelligence report found a 261% increase in plaintext password exposure year over year, with 68.9% of all breached passwords arriving in cleartext rather than hashed. Attackers don’t even need to crack these passwords. They’re readable immediately.

Security Boulevard’s analysis of identity-based threats in 2026 identifies nine distinct categories of identity attack now in active use, from session hijacking and credential stuffing to service account exploitation and OAuth token abuse. The common thread across all nine is that attackers target identity systems rather than network infrastructure. The firewall protects the building. Identity protection guards the person, and the person is now the primary target.

ITECS Online’s 2026 identity analysis reinforces this shift: compromising a single identity gives attackers access to every system that identity touches. A stolen session cookie for an employee’s Microsoft 365 account can open email, SharePoint, Teams, and any connected third-party application using single sign-on.

Trend Micro’s research on credential theft evolution shows that infostealer operations have professionalized into a supply-chain model. Separate groups specialize in distribution (getting the malware onto devices), collection (harvesting and packaging credentials), and monetization (selling access to ransomware operators and initial access brokers). This specialization means the volume and quality of stolen credentials continue to increase even as individual malware families get disrupted.

What Your Business Should Do Now

MFA remains essential. Don’t disable it. But treat it as one layer in a multi-layer identity protection strategy, not the entire strategy.

Deploy EDR/MDR that detects infostealer behavior. Infostealers run briefly and exfiltrate data quickly, often in under a minute. Endpoint detection and response that monitors for credential harvesting behavior, such as processes accessing browser credential stores and unusual outbound data transfers, catches infostealers that traditional antivirus misses. Pairing EDR with 24/7 managed detection and response ensures someone acts on those alerts immediately rather than the next business day.
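The behavioural pattern described here, a process reading browser credential stores and then sending data out, can be expressed as a detection rule. Below is an added example, not the post's own code or any vendor's rule: it runs over a handful of constructed endpoint events (file reads and outbound connections, with documentation-range IPs) and raises a medium-severity finding when a non-browser process reads a browser login or cookie store, escalating to high severity when the same process opens an outbound connection within sixty seconds. The `image`, `action`, `target` and `bytes_out` field names are assumptions about the telemetry schema.

```python
"""Detect infostealer-style credential-store access in endpoint telemetry.

Constructed example (not from the post): events are simplified EDR records
for file reads and outbound connections on one workstation.
"""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Files where Chromium-based browsers and Firefox persist saved logins and cookies.
CREDENTIAL_STORE_RE = re.compile(
    r"(\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\.*\\(Login Data|Cookies|Web Data)$)"
    r"|(\\Mozilla\\Firefox\\Profiles\\.*\\(logins\.json|key4\.db|cookies\.sqlite)$)",
    re.IGNORECASE,
)

# Processes expected to touch their own stores. Real EDR would also verify
# code signature and parent process; an image-name allow list is a heuristic.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Infostealers typically read the stores and exfiltrate within seconds.
EXFIL_WINDOW = timedelta(seconds=60)

# Constructed sample telemetry (IP addresses from documentation ranges).
EVENTS = [
    {"ts": "2026-03-02T09:12:01", "host": "WS-17", "pid": 4120,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "action": "file_read",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2026-03-02T09:12:05", "host": "WS-17", "pid": 7788,
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe", "action": "file_read",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2026-03-02T09:12:06", "host": "WS-17", "pid": 7788,
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe", "action": "file_read",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": "2026-03-02T09:12:31", "host": "WS-17", "pid": 7788,
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe", "action": "net_connect",
     "target": "203.0.113.45:443", "bytes_out": 1842300},
    {"ts": "2026-03-02T09:13:10", "host": "WS-17", "pid": 9001,
     "image": r"C:\Windows\System32\svchost.exe", "action": "net_connect",
     "target": "192.0.2.10:443", "bytes_out": 2048},
]


def is_credential_store(path):
    """True if the path is a known browser login or cookie database."""
    return CREDENTIAL_STORE_RE.search(path) is not None


def detect_credential_harvesting(events, exfil_window=EXFIL_WINDOW):
    """Return one finding per (host, pid) whose non-browser image read a credential store."""
    by_proc = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_proc.setdefault((ev["host"], ev["pid"]), []).append(ev)

    findings = []
    for (host, pid), evs in by_proc.items():
        image = evs[0]["image"]
        if PureWindowsPath(image).name.lower() in BROWSER_IMAGES:
            continue  # the browser reading its own store is expected
        reads = [e for e in evs if e["action"] == "file_read" and is_credential_store(e["target"])]
        if not reads:
            continue
        first_read = datetime.fromisoformat(reads[0]["ts"])
        # Outbound connections from the same process shortly after the first read.
        exfil = [e for e in evs if e["action"] == "net_connect"
                 and timedelta(0) <= datetime.fromisoformat(e["ts"]) - first_read <= exfil_window]
        findings.append({
            "host": host, "pid": pid, "image": image,
            "stores": [PureWindowsPath(r["target"]).name for r in reads],
            "severity": "high" if exfil else "medium",
            "reason": ("credential store read followed by outbound transfer of "
                       f"{sum(e['bytes_out'] for e in exfil)} bytes to {exfil[0]['target']}")
                      if exfil else "non-browser process read a browser credential store",
        })
    return findings


if __name__ == "__main__":
    for f in detect_credential_harvesting(EVENTS):
        print(f"[{f['severity']}] {f['host']} pid={f['pid']} {f['image']}: {f['reason']} ({', '.join(f['stores'])})")
```

The correlation across two event types is what gives the rule its value: a single read of `Login Data` by an unfamiliar binary is worth a look, but the same process opening an outbound connection half a minute later is the sequence the paragraph above describes and is what a responder should act on immediately.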

Implement conditional access policies with session controls. Conditional access policies in Microsoft Entra ID can restrict sessions based on device compliance, location, and risk level. Requiring device compliance means a stolen cookie replayed from an unmanaged device gets blocked. Session lifetime limits force re-authentication periodically, which reduces the window during which a stolen cookie remains valid.

Move high-value accounts to FIDO2 or passkeys. Phishing-resistant MFA using FIDO2 security keys or passkeys takes passwords out of the harvest entirely: there’s no password saved in the browser for an infostealer to steal. The authentication is cryptographically bound to the legitimate domain, so proxy attacks also fail. Start with administrator accounts and finance team members, then expand. Your managed security provider can plan the rollout.

Monitor for credential exposure on the dark web. Dark web monitoring scans infostealer logs and breach databases for your company’s email addresses and credentials. When compromised credentials surface, your team can force password resets and revoke active sessions before attackers use them. Given the 72% year-over-year increase in infostealer activity, continuous monitoring is a baseline requirement.

Enforce browser hygiene across the company. The simplest risk reduction: stop saving passwords in browsers. Deploy a company-managed password manager, disable the browser’s built-in password save feature via group policy, and include this topic in security awareness training. Infostealers harvest what’s saved in the browser. If credentials and cookies aren’t persisted there, the malware gets far less to work with.

The security perimeter has shifted from the network to the identity. Firewalls and VPNs protect infrastructure. Identity protection guards the people who access it. For businesses that invested in MFA and assumed authentication was handled, the infostealer evolution means one more step is required: monitoring and controlling what happens with authenticated sessions, not just the login itself.

Need Help With Identity Security?

Our team can help you assess your credential exposure, implement conditional access policies, and deploy monitoring that catches session theft before attackers reach your data.
