The rise of identity-based attacks: from password spray to pass-the-cookie
Identity is the new perimeter. Australian organisations increasingly face sophisticated credential attacks: password spray, credential stuffing and "pass-the-cookie" session hijacking. Knowing how these tactics work is the first step to prioritising the defences that actually stop them.
Password spray and credential stuffing
Attackers test a few common passwords (think "Password123!") across many accounts, that is spray, or replay credentials leaked in other breaches, that is stuffing. Lockout policies alone do not cut it, because distributed attacks sidestep them. The real defences are risk-based authentication, monitoring for impossible-travel sign-ins, and removing reused passwords entirely (a job for 1Password and SSO). Microsoft Entra ID Protection flags the risky sign-ins before they succeed.
Pass-the-cookie and session hijacking
Rather than stealing passwords, threat actors hijack valid sessions by extracting session cookies from a compromised browser or a malicious extension. Because the attacker inherits a legitimate token, MFA and password resets may not even trigger. The countermeasures are browser hygiene (uninstall untrusted add-ons, clear cookies, use isolation where possible), shorter token lifetimes, and device-compliance checks in Conditional Access so a stolen cookie from an unmanaged device is useless.
Monitoring and threat detection
Feed anomalous sign-in patterns, location jumps, unusual device IDs, into Microsoft Sentinel, and write detections for atypical requests to authentication endpoints. The signal that matters is correlation: a sudden change in behaviour right after a successful login is the fingerprint of cookie theft. This is exactly where CrowdStrike Identity Protection earns its place, extending detection to the on-prem and Windows logon paths Entra alone cannot see.
Session-management hygiene
Shorten cookie lifetimes, require re-authentication for high-value operations, and give users visibility into their own active sessions through the Microsoft account portal. A simple nudge to sign out of unused sessions shrinks the window for token theft.
This is the core of our Identity & Access Management and Zero Trust work, using Entra Conditional Access, 1Password and CrowdStrike Identity Protection together. A cyber health check shows how exposed your identities are today.