Multi-factor authentication (MFA) is widely regarded as one of the most effective defenses against account takeover, and it is, right up until attackers find a way around the login page entirely.
Session token theft is a technique that lets attackers skip the authentication step altogether. Rather than stealing a password and defeating an MFA prompt, they steal the token a browser receives after a successful login. That token is all they need. The password and the second factor become irrelevant.
Modern infostealers are purpose-built to harvest these tokens at scale, packaging them into logs sold on criminal marketplaces within hours of an infection. Understanding how this works, and why standard MFA guidance leaves this gap unaddressed, is increasingly important for any organization that relies on MFA as a primary line of defense.
Beyond passwords: What session tokens are and why they matter
When you log into a website by entering your password and completing an MFA prompt, the server does not ask you to prove your identity again on every subsequent request. Instead, it issues a session token: a small, time-limited credential stored in your browser as a cookie.
This token functions as a temporary pass. Each time your browser makes a request, it sends the token to the server, which validates it silently. From the server’s perspective, the token is you. It is not connected to your password or your MFA device. It simply says: this person already authenticated, let them through.
Session tokens are a fundamental part of how the web works. They make browsing fast and seamless. But that convenience carries a cost. If an attacker obtains your session token, they do not need your password and they do not need to satisfy your MFA challenge. The authentication event has already happened. They hold the pass.
Browsers store these tokens as local files in their cookie vaults. That makes them highly accessible, which is exactly why infostealers target them.
How infostealers harvest session cookies
Infostealers such as LummaC2, RedLine, and Vidar are explicitly designed to extract browser storage. When one of these tools infects a device, it performs a methodical sweep of the browser’s local data, including passwords, autofill entries, browsing history, and crucially, the cookie vault where session tokens are held.
Browsers encrypt their stored cookies, but they decrypt them on request for any process running with sufficient permissions on the device. An infostealer running on an infected machine can request that decryption in the same way a legitimate application would, and the browser obliges. The design assumption that any application running on the device can be trusted is precisely the weakness that infostealers exploit.
The stolen cookies, including active session tokens for email platforms, corporate SaaS tools, cloud consoles, and financial services, are packaged into an infostealer log. These logs are compressed and uploaded to attacker-controlled servers, often within minutes of the infection completing. From there, they are sold on dark web marketplaces or Telegram channels, frequently within hours.
Cybercheck’s analysts have documented this directly. A closer examination of infostealer logs shows that the cookie folders within a single log can contain active session credentials for dozens of services simultaneously, including Google, Microsoft, and financial platforms, all extracted from one infected device in minutes.
This is not a niche capability. According to Verizon’s 2025 Data Breach Investigations Report, the use of stolen credentials remains one of the most prevalent techniques across confirmed breaches, and infostealer-sourced data is a growing proportion of that supply.
Why MFA doesn’t stop session hijacking
The logical gap is straightforward. MFA is a control on the authentication event, the moment a user proves their identity. Once authentication succeeds, the session token is issued, and MFA has done its job. It has no further role in the session.
An attacker with a stolen session token never triggers the authentication event. They inject the token directly into their browser using developer tools or browser extensions. The server receives the token, validates it, and responds as if the legitimate user were present. No password prompt. No MFA challenge.
This is what makes session token theft particularly dangerous in organizations that have invested heavily in MFA compliance. Saving passwords in browsers is a well-understood risk, and many security policies address it. Session tokens attract far less attention, despite representing a direct path into post-authentication environments where MFA offers no protection.
Microsoft has documented this technique at scale in adversary-in-the-middle phishing campaigns, where tokens are intercepted in transit rather than extracted from the device. Infostealers take a different route, extracting the token directly from the device, but the outcome is identical: a valid, authenticated session transferred to an attacker who never touched the login page.
Real-world impact: What attackers do with stolen sessions
A stolen session token is not simply a login credential. Depending on the service, it represents persistent, authenticated access to everything the session covers.
Common downstream attacks include:
- SaaS account takeover: Attackers use stolen tokens to access corporate Microsoft 365, Google Workspace, or Salesforce environments, reading emails, exfiltrating contacts, and searching for sensitive documents or financial instructions.
- Lateral movement: A session to one cloud service often provides access to integrations and connected applications. An attacker inside an email account can reset passwords for other services, progressively extending their reach across the environment.
- Silent monitoring: Rather than taking immediate visible action, some attackers maintain access quietly, monitoring communications for payment details, credential resets, or internal announcements useful for fraud.
- Business email compromise (BEC): Access to an executive’s email session is sufficient to redirect payment instructions or impersonate the executive internally, even if their account has MFA active and their password has never been exposed.
The confidence organizations place in MFA can actually slow detection in these cases. When a session appears legitimate, because it carries a valid token, it attracts less scrutiny from security monitoring. Account takeover via stolen sessions may go unnoticed for days or weeks, during which the attacker has continuous, authenticated access.
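The gap described in the two sections above, as an added example that is not from the article or from Cybercheck: a minimal server-side session store in Python, with the usual validity check that accepts a replayed token beside a hardened check that binds the session to the client context recorded at login and surfaces drift for monitoring. All tokens, addresses and user agents are constructed sample values, and SESSION_TTL is an assumed lifetime.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
SESSION_TTL = 8 * 3600  # assumed lifetime in seconds; real services vary

@dataclass
class Session:
    user: str
    issued_at: float
    ip: str          # client address seen when the MFA challenge was completed
    user_agent: str  # browser identity seen when the MFA challenge was completed

SESSIONS: Dict[str, Session] = {}  # constructed in-memory store

def issue_session(token: str, user: str, ip: str, user_agent: str, now: float) -> None:
    """Called only after password and MFA succeed; MFA plays no further role."""
    SESSIONS[token] = Session(user, now, ip, user_agent)

def validate_naive(token: str, now: float) -> Optional[str]:
    """The usual check: a known, unexpired token is treated as the user,
    no matter which machine presents it. A replayed token passes."""
    s = SESSIONS.get(token)
    if s is None or now - s.issued_at > SESSION_TTL:
        return None
    return s.user

def validate_bound(token: str, ip: str, user_agent: str,
                   now: float) -> Tuple[Optional[str], List[str]]:
    """Hardened check: compare the presenting client with the login context.
    A user-agent change is a strong replay signal and denies the request
    (forcing a fresh login and MFA); an IP change alone is noisier (roaming,
    VPNs) and is only recorded for the SOC to review."""
    s = SESSIONS.get(token)
    if s is None or now - s.issued_at > SESSION_TTL:
        return None, ["unknown_or_expired"]
    reasons: List[str] = []
    if ip != s.ip:
        reasons.append("ip_change")
    if user_agent != s.user_agent:
        reasons.append("user_agent_mismatch")
        return None, reasons
    return s.user, reasons

def replay_demo() -> Tuple[Optional[str], Optional[str], List[str]]:
    """Constructed scenario: alice logs in with MFA, then her token is replayed
    from a different machine. Returns (naive result, bound result, reasons)."""
    issue_session("tok-1", "alice", "203.0.113.5", "Chrome/120 Windows", 1000.0)
    naive = validate_naive("tok-1", 1600.0)
    bound, reasons = validate_bound("tok-1", "198.51.100.9", "Firefox/121 Linux", 1600.0)
    return naive, bound, reasons
```

The "ip_change" reasons list is the signal a SOC would want alerted on even when the request is allowed, since a valid token presented from a new network is exactly the pattern the article says attracts too little scrutiny.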
How Cybercheck helps
Cyber threat intelligence solutions such as Cybercheck provide an early warning system. Our analysts infiltrate and monitor the criminal platforms, forums, and channels where infostealer logs are exchanged.
If a device belonging to anyone in your organization is infected by an infostealer, the malware can harvest session cookies along with passwords and other personal information. Cybercheck shows you when a monitored account has been compromised in this way, and whether cookies were stolen, so you know whether the threat extends beyond a leaked password.