
Browser-based initial access in 2026

The fastest-growing initial-access surface in the engagement data is the browser session, not the credential. Reverse-proxy phishing kits, OAuth consent abuse, extension supply-chain hijacks, and infostealer-fed cookie marketplaces — what changed, why MFA and password rotation no longer cover the dominant case, and which controls actually move the curve.

By Cyberange Threat Intel Published 17 Apr 2026

For most of the last decade, initial access meant a credential — phished, leaked, or guessed. The 2026 pattern is different. The asset attackers are now after is the browser session itself: the cookie, the OAuth consent token, the extension’s auto-update channel, the re-authentication overlay that asks the user to confirm a login they didn’t initiate.

The shift matters because the controls most organisations leaned on between 2018 and 2024 — push MFA, password rotation on suspicion, conditional access on the IdP — were designed for credential theft. They do not address session theft cleanly, and in some configurations they do not address it at all.

Mandiant’s M-Trends 2026 puts a number on the urgency: the median time from initial-access event to hand-off to a second threat group has compressed from more than eight hours in 2022 to 22 seconds in 2025. A stolen session is monetised faster than a SOC can revoke it manually. The 12-month plan needs to assume that.

This post is a practitioner read of the four patterns we see most often, why the older controls do not cover them, and the three (and a half) controls that do.

The four patterns

1. Re-authentication overlay phishing (AiTM)

Adversary-in-the-middle phishing kits — Evilginx, EvilProxy, Tycoon 2FA, the newer Sneaky 2FA — sit as a reverse proxy between the victim’s browser and the legitimate IdP login page. They relay the credentials, relay the MFA challenge to the real IdP, and harvest the session cookie the IdP returns after MFA succeeds. The user sees a login that worked; the attacker walks away with a session that already cleared every control.

Microsoft’s Detection and Response Team (DART) named the mechanic in 2022: “By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly.” The kits are not exotic. Microsoft, with Europol’s Digital Crimes Unit and a vendor coalition, executed a takedown action against Tycoon 2FA infrastructure on 4 March 2026; in the period preceding the disruption, Microsoft estimated that the platform’s campaigns were reaching over half a million organisations per month. Push MFA alone does not see this.

2. OAuth consent abuse

An attacker registers a multi-tenant Entra (or Google Workspace) application and social-engineers a user to click the standard consent prompt. The user grants Mail.ReadWrite, Mail.Send, Calendars.ReadWrite, offline_access to an app that looks corporate. No password moves. No MFA challenge fires the next time the app calls Graph. The OAuth refresh-token flow is independent of the user’s interactive sign-in — which is exactly the design the attacker is now exploiting.

Microsoft tracks specific actor clusters running this technique under their Storm-#### nomenclature; the scope combinations observed in the wild (mail.readwrite + mail.send + offline_access for outbound phishing, mail.read + mail.readwrite + offline_access for mailbox harvest) are worth turning into a detection list. The 2023 advisory remains the reference text. Two years later, the technique is more common, not less.

3. Browser-extension supply chain

A benign extension — already installed, already trusted, already granted permissions — gets acquired. Or its maintainer’s Chrome Web Store account gets phished. Either way the next auto-update ships an attacker-controlled payload to every user with auto-update on, with all the permissions the user previously granted still in force.

Cyberhaven’s December 2024 incident is the reference case. A malicious extension version was published, lived for roughly 24 hours, and was pulled down — by which time it had reached approximately 400,000 browsers. Follow-on analysis by Secure Annex linked the incident to a wider cluster of twenty-nine compromised Chrome extensions with combined installs of about 2.5 million users, all hit in the same December window. The SOC has no detection signal for “a trusted extension auto-updated to a malicious version” before the malicious code runs. The control has to live earlier in the chain.

4. Infostealer-fed cookie marketplaces

Commodity infostealers — LummaC2, RedLine, Stealc, Vidar, Raccoon — exfil the Chromium / Firefox cookie databases, autofill stores, and password vaults from infected endpoints. The logs are sold on infostealer marketplaces. Buyers replay session cookies into anti-detect browsers that spoof the original device fingerprint, sailing past IP-reputation and device-recognition checks.

The marketplace shape changed after the FBI’s April 2023 takedown of Genesis Market (Operation Cookie Monster). The trade migrated to Russian Market and 2easy, both of which had been operating in parallel pre-seizure, and to Exodus Marketplace, which positioned itself explicitly as a Genesis successor. Google’s Chrome Security team names LummaC2 as the dominant family and writes the consequence plainly: “Because cookies often have extended lifetimes, attackers can use them to gain unauthorized access to a user’s accounts without ever needing their passwords; this access is then often bundled, traded, or sold among threat actors.”

The velocity of the chain matters. The cookie-from-infection-to-use cycle has compressed from days to hours. By the time the EDR fires on the infostealer, the cookie is already in someone else’s hands.

Why MFA + password rotation do not address the dominant case

Two mechanics, in plain terms.

AiTM relays steal the session after MFA succeeds. Anything an authenticator does — push approval, OTP, SMS — happens upstream of the session cookie the attacker is harvesting. The attacker has stolen the proof that MFA already happened. Replaying the cookie satisfies the IdP the same way the original session did.

Password rotation does not invalidate already-issued tokens. Microsoft’s own documentation: “revoking refresh tokens via the above methods doesn’t invalidate the access token immediately, which can still be valid for up to an hour.” A team that rotates a compromised password without explicitly revoking refresh tokens through Graph and enabling Continuous Access Evaluation leaves a 60-minute residual window in which the attacker continues to operate against the very account the team thinks they have secured.

Verizon’s 2025 DBIR closes the loop on the macro picture: 22% of all breaches reviewed began with compromised credentials, and 88% of basic web-application attacks used stolen credentials. The credential is still critical. It is just no longer sufficient as a defence narrative.

Controls that move the curve

Phishing-resistant MFA on the IdP — the only protocol-layer break

FIDO2 security keys, passkeys, and Windows Hello for Business cryptographically bind the WebAuthn ceremony to the origin that initiated it (login.microsoftonline.com, accounts.google.com, login.okta.com). The attacker’s reverse-proxy origin never matches; the authenticator refuses to sign; the AiTM kit cannot complete the flow. This is the only control that breaks pattern 1 at the protocol layer. Everything else is detection or containment.
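To make the origin-binding argument concrete, here is an added example (not code from the post, and not any vendor’s implementation) that models the two places an AiTM relay fails in a WebAuthn assertion: the browser refuses to ask the authenticator for a credential whose rpId does not match the page’s origin, and the relying party rejects any assertion whose clientDataJSON.origin is not its own. The IdP hostname, origins and proxy hostname are hypothetical, and the device signature is modelled with HMAC-SHA256 as a stand-in for the real asymmetric (e.g. ES256) signature so the block runs on the standard library; the property that matters, that the signature covers SHA-256(clientDataJSON), is preserved.

```python
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

# Hypothetical relying party (IdP) configuration; not values from the post.
RP_ID = "login.example-idp.com"
RP_ORIGIN = "https://login.example-idp.com"

# Stand-in for the credential private key held inside the authenticator.
# Real WebAuthn uses an asymmetric key; HMAC-SHA256 is used here only so the
# block runs offline on the standard library.
DEVICE_KEY = os.urandom(32)


class SecurityError(Exception):
    """Browser-side refusal, raised before the authenticator is asked to sign."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def get_assertion(page_origin: str, requested_rp_id: str, challenge: bytes):
    """Model of navigator.credentials.get(): the browser, not the page, writes
    clientDataJSON.origin and enforces that rpId equals, or is a registrable
    suffix of, the page's effective domain."""
    host = urlparse(page_origin).hostname or ""
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise SecurityError(
            f"browser refused: rpId {requested_rp_id!r} does not match origin {page_origin!r}"
        )
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP|UV) || signature counter
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()
    return client_data, auth_data, signature


def rp_verify(challenge: bytes, client_data: bytes, auth_data: bytes, signature: bytes):
    """Relying-party checks in the order the WebAuthn verification procedure applies them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(
        DEVICE_KEY, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def attempt(page_origin: str, requested_rp_id: str):
    """One full ceremony from the page at page_origin; returns (accepted, reason)."""
    challenge = os.urandom(32)
    try:
        cd, ad, sig = get_assertion(page_origin, requested_rp_id, challenge)
    except SecurityError as e:
        return False, str(e)
    return rp_verify(challenge, cd, ad, sig)


def replay_against_new_challenge():
    """A captured assertion cannot be re-pointed at a fresh challenge: the
    rewritten clientDataJSON no longer hashes to what the device signed."""
    old, new = os.urandom(32), os.urandom(32)
    _, ad, sig = get_assertion(RP_ORIGIN, RP_ID, old)
    forged = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(new), "origin": RP_ORIGIN},
        separators=(",", ":"),
    ).encode()
    return rp_verify(new, forged, ad, sig)


if __name__ == "__main__":
    print(attempt(RP_ORIGIN, RP_ID))                                              # legitimate login
    print(attempt("https://login.example-idp.com.proxy.example", RP_ID))          # browser refuses
    print(attempt("https://login.example-idp.com.proxy.example", "proxy.example"))  # RP rejects origin
    print(replay_against_new_challenge())                                         # signature fails
```

The second and third calls are the two AiTM outcomes the paragraph describes: a relay page cannot obtain an assertion scoped to the IdP’s rpId at all, and an assertion it can obtain carries its own origin, which the IdP rejects before checking the signature. Push, OTP and SMS factors have no equivalent of the origin field, which is why they relay cleanly and WebAuthn does not.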

NIST SP 800-63B Revision 4 mandates phishing-resistant authenticators for AAL3. For organisations that have not begun the migration, the practical path is: enroll passkeys for IT and finance first (the highest-value sessions), then privileged accounts and external admins, then the broader user base over 12–18 months. The migration is the work; the rollout to a single tenant is not.

Session token binding — DBSC + CAE

Google’s Device Bound Session Credentials (DBSC) reached general availability on Chrome 146 for Windows in April 2026, with macOS following. The architecture, in one sentence: short-lived session cookies are cryptographically bound to a private key held in the device’s TPM (Windows) or Secure Enclave (macOS), and Chrome must prove possession of that key to the server to renew them. An exfiltrated cookie expires quickly and cannot be renewed from a different device. Microsoft is a co-design partner via the W3C Web Application Security Working Group.

Microsoft Entra’s Continuous Access Evaluation (CAE) plays the complementary role for already-issued tokens: it lets the IdP push revocation events to relying parties in near real time on a critical event, instead of waiting up to an hour for the access token to expire on its own. Enabling CAE is the single highest-leverage configuration change for organisations already on Entra ID.

DBSC adoption depends on IdPs implementing the server-side registration endpoints — that work is in motion but not uniform. Plan capex around FIDO2 first, DBSC as it lands per IdP, not the other way around.

The pattern-2 control surface is administrative, not cryptographic. Three moves close most of the window:

  • Restrict end-user consent to verified-publisher apps with low-risk delegated permissions. Anything granting mailbox, directory, or files scopes routes to admin consent.
  • Schedule a monthly review of the Consent to application audit log, joining against a watchlist of approved app IDs. Any consent grant to an app outside the watchlist with a high-risk scope is a ticket.
  • Run Microsoft Defender for Office 365’s “Detect and Remediate Illicit Consent Grants” playbook end-to-end in a tabletop. A live incident is not the moment you want to be using the revocation flow for the first time.

Managed browser + extension allow-listing — the half-control

The extension-supply-chain vector has no SOC signal before the malicious code runs. The control has to live at deployment time, not detection time. For tenants on Chrome Enterprise or Edge for Business: block side-loading, allow-list extensions by ID, and consider disabling automatic updates for the highest-trust extensions in favour of curated internal-store delivery. This is the one place where “deploy fewer browsers, in fewer configurations” is also the security answer.
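As an added example of the deploy-time control (not the post’s own code and not a Chrome or Edge artefact), the block below encodes a deny-by-default extension policy and audits a fleet inventory against it. The policy keys ExtensionInstallBlocklist, ExtensionInstallAllowlist and ExtensionSettings are real Chrome Enterprise / Edge for Business policies; the extension IDs, the internal update-store URL and the inventory records are hypothetical. The per-ID ExtensionSettings entries override the "*" default, which is how one high-trust extension is pinned to a curated internal update channel while everything else stays blocked.

```python
# Policy keys are real Chrome Enterprise / Edge for Business policies
# (ExtensionInstallBlocklist, ExtensionInstallAllowlist, ExtensionSettings).
# Extension IDs, the curated store URL and the inventory are hypothetical.
CURATED_STORE = "https://extensions.corp.example/updates.xml"
WEB_STORE = "https://clients2.google.com/service/update2/crx"  # public Web Store update channel

POLICY = {
    "ExtensionInstallBlocklist": ["*"],  # deny everything not explicitly allowed
    "ExtensionInstallAllowlist": [
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
    ],
    # ExtensionSettings takes precedence when present; per-ID entries override "*".
    "ExtensionSettings": {
        "*": {"installation_mode": "blocked"},
        # Highest-trust extension: force-installed from the curated internal
        # store instead of following the public auto-update channel.
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "installation_mode": "force_installed",
            "update_url": CURATED_STORE,
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"installation_mode": "allowed"},
    },
}


def decide(ext_id):
    """Resolve the effective installation_mode and any pinned update_url for an ID."""
    settings = POLICY["ExtensionSettings"]
    entry = settings.get(ext_id, settings.get("*", {}))
    return entry.get("installation_mode", "allowed"), entry.get("update_url")


# Constructed fleet inventory, shaped like what an endpoint agent might report.
INVENTORY = [
    {"id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "name": "Password Manager", "update_url": CURATED_STORE},
    {"id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "name": "PDF Viewer", "update_url": WEB_STORE},
    {"id": "cccccccccccccccccccccccccccccccc", "name": "Coupon Finder", "update_url": WEB_STORE},
    {"id": "dddddddddddddddddddddddddddddddd", "name": "Dev build", "update_url": None},  # side-loaded
]


def audit(inventory):
    """Map extension ID -> list of policy deviations; an empty list means compliant."""
    report = {}
    for ext in inventory:
        reasons = []
        mode, pinned_url = decide(ext["id"])
        if mode == "blocked":
            reasons.append("not on allow-list")
        if ext.get("update_url") is None:
            reasons.append("side-loaded (no update_url)")
        elif pinned_url and ext["update_url"] != pinned_url:
            reasons.append("update channel is not the curated store")
        report[ext["id"]] = reasons
    return report


if __name__ == "__main__":
    for ext_id, reasons in audit(INVENTORY).items():
        print(ext_id, "OK" if not reasons else "; ".join(reasons))
```

Run against a real inventory export, the non-empty entries are the extensions that would silently keep their granted permissions through a hijacked auto-update today, which is the population the paragraph says has no SOC signal.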

SOC detection signatures

A few queries that earn their place in the analytics pack. None of these catch the attack at compromise; they catch it shortly after, in time to revoke. Pair every detection with an automated revocation playbook.

AiTM against Entra ID. The highest-yield signal is a session whose authentication IP differs from its post-authentication API-call IP within a short window. Microsoft’s community-maintained PossibleAiTMPhishingAttemptAgainstAAD.yaml (Azure-Sentinel repo) is the canonical implementation; the same logic transposes to any SIEM. Pure impossible-travel without session correlation has a high false-positive rate now that VPN and Tor egress are commonplace, and should not be the primary signal.

OAuth grant to a non-allowlisted app with high-risk scopes. Join the AuditLogs Consent to application events against a watchlist of approved app IDs; alert on grants to anything outside the list that includes Mail.ReadWrite, Mail.Send, Files.ReadWrite.All, Calendars.ReadWrite, or offline_access. Workspace-side, the equivalent is the Admin SDK oauth_token events with a watchlist join.
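The watchlist join described here, and the monthly consent review in the controls section above, are the same logic; the following is an added example of it (not code from the post, and not Microsoft’s playbook) run over constructed audit entries. The records are loosely modelled on Entra AuditLogs “Consent to application” events with the granted scopes embedded in a ConsentAction.Permissions property; that field layout is an assumption, as are the app IDs and user names, so the extractor should be adapted to the export your SIEM actually produces. The high-risk scope list is the one the paragraph gives, matched case-insensitively because casing varies across sources.

```python
import re

# Scopes the post names as high-risk, matched case-insensitively.
HIGH_RISK_SCOPES = {
    "mail.readwrite", "mail.send", "files.readwrite.all",
    "calendars.readwrite", "offline_access",
}

# Watchlist of approved application (client) IDs. Hypothetical values.
APPROVED_APP_IDS = {
    "11111111-1111-1111-1111-111111111111",  # corporate HR app (hypothetical)
    "22222222-2222-2222-2222-222222222222",  # expense tool (hypothetical)
}

# Constructed sample entries, loosely modelled on Entra AuditLogs
# "Consent to application" records. The field layout is an assumption.
SAMPLE_AUDIT_LOGS = [
    {
        "OperationName": "Consent to application",
        "InitiatedBy": {"user": {"userPrincipalName": "j.doe@corp.example"}},
        "TargetResources": [{
            "id": "22222222-2222-2222-2222-222222222222",
            "displayName": "Expense Tool",
            "modifiedProperties": [{
                "displayName": "ConsentAction.Permissions",
                "newValue": "[] -> [[Scope: User.Read Files.Read, ...]]",
            }],
        }],
    },
    {
        "OperationName": "Consent to application",
        "InitiatedBy": {"user": {"userPrincipalName": "a.smith@corp.example"}},
        "TargetResources": [{
            "id": "99999999-9999-9999-9999-999999999999",
            "displayName": "Corp Mail Sync",
            "modifiedProperties": [{
                "displayName": "ConsentAction.Permissions",
                "newValue": "[] -> [[Scope: Mail.ReadWrite Mail.Send offline_access, ...]]",
            }],
        }],
    },
    {
        "OperationName": "Consent to application",
        "InitiatedBy": {"user": {"userPrincipalName": "b.lee@corp.example"}},
        "TargetResources": [{
            "id": "88888888-8888-8888-8888-888888888888",
            "displayName": "Poll Widget",
            "modifiedProperties": [{
                "displayName": "ConsentAction.Permissions",
                "newValue": "[] -> [[Scope: User.Read openid profile, ...]]",
            }],
        }],
    },
    {"OperationName": "Add user", "InitiatedBy": {}, "TargetResources": []},
]

_SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")


def extract_scopes(entry):
    """Pull the space-separated scope list out of the ConsentAction.Permissions value."""
    scopes = set()
    for res in entry.get("TargetResources", []):
        for prop in res.get("modifiedProperties", []):
            if prop.get("displayName") == "ConsentAction.Permissions":
                for m in _SCOPE_RE.finditer(prop.get("newValue", "")):
                    scopes.update(s.lower() for s in m.group(1).split())
    return scopes


def detect_illicit_consent(entries, approved=APPROVED_APP_IDS):
    """One ticket per consent grant to an app outside the watchlist that carries
    at least one high-risk delegated scope. Approved apps are never ticketed,
    and low-risk grants to unknown apps are left to the monthly review."""
    tickets = []
    for e in entries:
        if e.get("OperationName") != "Consent to application":
            continue
        risky = sorted(extract_scopes(e) & HIGH_RISK_SCOPES)
        for res in e.get("TargetResources", []):
            app_id = res.get("id")
            if app_id in approved or not risky:
                continue
            tickets.append({
                "user": e.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName"),
                "app_id": app_id,
                "app_name": res.get("displayName"),
                "risky_scopes": risky,
            })
    return tickets


if __name__ == "__main__":
    for t in detect_illicit_consent(SAMPLE_AUDIT_LOGS):
        print(t)
```

Only the second entry produces a ticket: an unknown app granted mailbox read, send and offline_access, which is the outbound-phishing scope combination the post lists. The same function, pointed at the Admin SDK oauth_token events with a Workspace-side watchlist, covers the Google case once the extractor is adjusted.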

Cookie replay across ASNs. Group sign-in events by session ID; alert on session IDs that touch more than one ASN in a single hour. The infostealer-fed reuse pattern shows up here loudly when the attacker doesn’t take the trouble to pivot through a residential proxy in the original geography — which is a meaningful fraction of the volume.

False-positive shape: corporate VPN egress changes, multi-device users with desktop + mobile on different networks, and Microsoft’s own first-party service IPs. Tune the watchlist quarterly.
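The two session-correlation signals above (AiTM IP mismatch and multi-ASN cookie replay) share one grouping step, so here they are implemented together as an added example over constructed events; this is not the post’s code and not the Azure-Sentinel query. Event fields, session IDs, IPs, ASNs and the window sizes are assumptions; ASN enrichment is assumed to have happened upstream in the SIEM, and the first-party IP watchlist from the false-positive note is modelled as an exclusion set applied before grouping.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Each record ties a sign-in
# or a post-authentication API call to a session ID; ASN is assumed to have
# been added by an enrichment step upstream.
EVENTS = [
    # Normal user: sign-in and Graph call from the same egress.
    {"ts": "2026-04-10T09:00:00", "session": "s-100", "kind": "signin", "user": "j.doe@corp.example", "ip": "203.0.113.10", "asn": 64500},
    {"ts": "2026-04-10T09:02:00", "session": "s-100", "kind": "api", "user": "j.doe@corp.example", "ip": "203.0.113.10", "asn": 64500},
    # AiTM shape: MFA was relayed from the victim's IP; the first API call
    # arrives from a different range a few minutes later.
    {"ts": "2026-04-10T09:10:00", "session": "s-200", "kind": "signin", "user": "a.smith@corp.example", "ip": "203.0.113.44", "asn": 64500},
    {"ts": "2026-04-10T09:13:00", "session": "s-200", "kind": "api", "user": "a.smith@corp.example", "ip": "198.51.100.7", "asn": 64511},
    # Cookie-replay shape: one session ID used from two ASNs inside an hour.
    {"ts": "2026-04-10T10:00:00", "session": "s-300", "kind": "api", "user": "b.lee@corp.example", "ip": "203.0.113.9", "asn": 64500},
    {"ts": "2026-04-10T10:40:00", "session": "s-300", "kind": "api", "user": "b.lee@corp.example", "ip": "192.0.2.200", "asn": 64496},
    # Benign multi-ASN: desktop on corporate egress, mobile two and a half hours later.
    {"ts": "2026-04-10T11:00:00", "session": "s-400", "kind": "api", "user": "c.kim@corp.example", "ip": "203.0.113.9", "asn": 64500},
    {"ts": "2026-04-10T13:30:00", "session": "s-400", "kind": "api", "user": "c.kim@corp.example", "ip": "192.0.2.77", "asn": 64496},
]

# Tuning knobs (assumptions, not values from the post).
AITM_WINDOW = timedelta(minutes=15)
ASN_WINDOW = timedelta(hours=1)
FIRST_PARTY_IPS = set()  # first-party service IPs from your watchlist; excluded before grouping


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def by_session(events):
    """Time-ordered events per session ID, with watchlisted first-party IPs dropped."""
    groups = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["ip"] in FIRST_PARTY_IPS:
            continue
        groups[e["session"]].append(e)
    return groups


def detect_aitm(events):
    """Session whose first post-auth API call comes from an IP other than the
    sign-in IP within AITM_WINDOW of authentication."""
    alerts = []
    for sid, evs in by_session(events).items():
        signins = [e for e in evs if e["kind"] == "signin"]
        if not signins:
            continue
        auth = signins[0]
        for e in evs:
            if e["kind"] == "api" and e["ip"] != auth["ip"] and _ts(e) - _ts(auth) <= AITM_WINDOW:
                alerts.append({"rule": "aitm_ip_mismatch", "session": sid, "user": e["user"],
                               "auth_ip": auth["ip"], "api_ip": e["ip"]})
                break
    return alerts


def detect_cookie_replay(events):
    """Session ID seen from more than one ASN inside a sliding ASN_WINDOW."""
    alerts = []
    for sid, evs in by_session(events).items():
        for i, first in enumerate(evs):
            asns = {e["asn"] for e in evs[i:] if _ts(e) - _ts(first) <= ASN_WINDOW}
            if len(asns) > 1:
                alerts.append({"rule": "multi_asn_session", "session": sid,
                               "user": first["user"], "asns": sorted(asns)})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_aitm(EVENTS) + detect_cookie_replay(EVENTS):
        print(a)
```

Note that the AiTM session fires both rules while the benign desktop-plus-mobile session fires neither, because its two ASNs fall outside the one-hour window; that window, the first-party exclusion set and any corporate VPN egress ranges are the knobs the quarterly tuning pass should revisit.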

The 12 months ahead

Three calls to plan around.

Stolen credentials and session theft will continue to displace exploits as the headline initial-access vector for cloud-native estates. Mandiant’s 2026 numbers put cloud-specific intrusions at 23% voice-phishing, 17% third-party compromise, 16% stolen credentials, 15% email phishing, 14% insider. The bottom three of that list are different framings of the same underlying issue: the identity stack is the new perimeter.

DBSC adoption will fragment. Chrome ships it; not every IdP has the server side. Plan for a 12–18 month period where DBSC is in place for some sessions and not others, and where the FIDO2 / CAE pairing carries most of the load.

Infostealer commoditisation will keep pulling the cookie-marketplace velocity tighter. The hour-budget for revocation will shrink. Build the revocation automation now — Graph API revoke, CAE event, watchlist update, ticket — rather than relying on a human to do it during an incident bridge.

Need a closer read on how this maps to your environment? Whether you are configuring Entra-side controls or structuring a FIDO2 and DBSC rollout sequence, the Cyberange consulting practice is available on retainer to help guide your team.
