PRODUCT: SESSION IDENTITY PROTECTION

Prevent Session Hijacking with Identity Intelligence

Attackers are bypassing all forms of authentication (even passwordless) with stolen session cookies from malware-infected devices. SpyCloud gives your security and fraud teams visibility into stolen authentication cookies so you can disrupt session hijacking attacks – before they lead to account takeover and fraud.

HOW IT WORKS

Turn exfiltrated session data into a defense signal

Use SpyCloud’s recaptured malware-exfiltrated session data – cookies, tokens, device IDs, and other artifacts – to identify exposed users and active sessions at risk of hijacking.

Identify stolen session cookies

Leverage recaptured malware data to spot valid authentication cookies that attackers can abuse to bypass login and MFA

Prevent session hijacking

Detect risky sessions and trigger actions like token invalidation, session termination, or reauthentication before damage occurs
Protect MFA-enabled accounts

Prevent attackers from sidestepping MFA with stolen session data and maintain trust in your authentication flow

SpyCloud stops authentication bypass – even for passwordless environments. Here’s how.

EXPLORE PRODUCTS

If a session was stolen, you’ll know.

For Workforce Security & IAM Teams
For Consumer Security & Fraud Teams

SpyCloud’s Session Identity Protection product has proven second to none and powers a near-real time highly impactful customer protection service that our users were asking for for a long time.

TRUSTED BY HUNDREDS OF GLOBAL INDUSTRY LEADERS

EXPLORE MORE PRODUCTS

Protect the consumer lifecycle

Take the power back into your hands to shut down attackers.

Consumer Threat Protection

Stop automated and targeted account takeover with exposed identity intelligence

Cybercrime Investigations

Improve outcomes of investigations into financial crimes

Financial Threat Protection

Remediate compromised payment cards to prevent fraud losses

Next steps

Ready to stop session hijacking before attackers log in? Reinforce your authentication flows with intelligence criminals don’t expect you to have.
See a demo today.

Session Identity Protection FAQs

Session cookies are stolen through two distinct attack paths that produce the same outcome.

In the infostealer path, malware infects a user’s device and extracts every session cookie stored in the browser, across all applications the user was logged into. No interaction is required: the theft is silent, the user has no indication it occurred, and the stolen cookies begin circulating in criminal markets within hours.

In the adversary-in-the-middle (AitM) phishing path, no malware is involved. The attacker operates a phishing proxy that sits between the user and the legitimate login page and relays the authentication in real time. MFA completes successfully from the user’s perspective. When the legitimate server issues the session cookie, the proxy captures it as it passes through, typically still forwarding it to the user’s browser so that nothing looks wrong.

In both cases the attacker ends up holding a valid, already-authenticated session cookie without ever touching a password or an MFA code. They replay the cookie inside an anti-detect browser that mimics the victim’s trusted device fingerprint, and the application sees a legitimate authenticated session. In 2025, SpyCloud recaptured 8.6 billion stolen session cookies from criminal sources.

MFA and passkeys both prevent unauthorized logins, but neither controls what happens to the authentication artifacts produced by a successful login.

Revoking the session cookie closes access in that moment, but in most enterprise and consumer application environments a second artifact was also stolen: the refresh token. A refresh token is the long-lived credential an identity provider uses to silently issue new session cookies and access tokens without requiring the user to re-authenticate. In Microsoft Entra ID, for example, a refresh token stays usable for 90 days of inactivity by default, and other identity providers allow comparably long lifetimes depending on policy. An attacker who holds a stolen refresh token can therefore keep minting new sessions silently for months, even after the original cookie is revoked.

Whether a password reset invalidates existing refresh tokens depends on the identity provider and how it is configured; it should not be assumed to, and a reset on its own is not remediation. Each time the attacker’s current session expires, the refresh token simply re-authenticates them, with no login event, no MFA prompt, and no behavioral signal.

Full remediation of a session compromise therefore requires revoking both the session cookie and the refresh token. For SSO environments it also requires terminating the IdP-level session, because that session cascades access to every downstream application in the SSO instance. SpyCloud detects the exfiltration of both session cookies and refresh tokens from criminal sources, giving security teams the signal they need to trigger the correct, complete remediation action.

No: going passwordless does not remove the session-hijacking risk. Passkeys and passwordless authentication eliminate the password as a stolen artifact, which removes one attack surface. But after any authentication event succeeds, whether the user authenticated with a password, a passkey, a biometric, or a hardware key, the application still issues a session cookie and, in OAuth/OIDC and SSO environments, a refresh token. AitM phishing attacks are designed specifically to steal these post-authentication artifacts: the attack proxies the authentication event, lets it complete normally, and captures the session cookie and refresh token on the way out. (A passkey’s origin binding does stop the passkey ceremony itself from completing through a proxy on a lookalike domain, so AitM kits push the user toward a weaker fallback method instead, and an infostealer on the endpoint takes the cookie after any kind of login regardless.) The user authenticated successfully; the attacker holds the result of that authentication.

Passwordless environments therefore have the same session-layer exposure as password-based ones: the attack surface shifts from credential theft to token theft. For organizations migrating to passwordless or passkey-based authentication, session-layer visibility matters more during the transition period, not less, because the false sense of security that comes from removing passwords can reduce attention to the post-authentication threat surface that remains fully exposed.

SpyCloud works through three remediation layers, in priority order based on the environment and the artifacts detected.

The first priority is refresh token revocation. Refresh tokens are the master key: depending on the identity provider’s configuration they can stay valid for months and can survive password resets. SpyCloud targets this first, automatically signaling the identity provider to revoke the token as soon as the exposure is confirmed.

The second layer is IdP SSO session termination. For enterprise environments federated through Okta, Entra ID, or Ping Identity, SpyCloud signals the identity provider to terminate the IdP-level session, which cascades automatically to every downstream application in that SSO instance.

The third layer is application-level session cookie invalidation. Individual applications manage their own session cookies, and the IdP cannot always reach in to revoke them directly. SpyCloud handles this through forced re-authentication: the next time the attacker attempts to use the stolen cookie, they hit a login wall. For consumer applications the same principle applies: SpyCloud delivers the compromised cookie record via API so the application can invalidate the session and require the user to re-authenticate.

Refresh token and SSO session revocation happen immediately and automatically. Application-level sessions are cut off at the next access attempt.

Traditional session management and fraud detection tools operate on behavioral signals: they look for anomalous access patterns, unusual device characteristics, or suspicious transaction sequences after authentication has already succeeded. SpyCloud operates upstream of behavior. It recaptures stolen session cookies, refresh tokens, and authentication artifacts directly from criminal sources: infostealer malware logs, AitM phishing operation output, and the underground markets where stolen credentials and session data are distributed.

This data typically arrives at SpyCloud within hours of the original theft, often before attackers have had an opportunity to act on it. The gap between when a cookie is stolen and when a buyer first replays it is the window in which SpyCloud can surface the exposure and enable remediation.

For consumer deployments, SpyCloud’s continuously updated feed of compromised session cookies can be queried against application domains, allowing security and fraud teams to identify and invalidate compromised sessions on a rolling basis. For enterprise deployments, SpyCloud integrates with Okta Workforce Guardian and Active Directory Guardian to trigger automated session termination as soon as a match is detected in recaptured criminal data, reducing the window between theft and remediation to minutes.
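The following is an added example and not SpyCloud’s code or API. It shows, in one small in-memory model, the two things the answers above describe: matching a feed of recaptured cookies against an application’s live sessions (the "queried against application domains" step), and then carrying out the three remediation layers (refresh token, IdP session, application session) while demonstrating why a password reset on its own leaves the stolen refresh token usable. The feed record layout (domain, cookie_name, value_sha256), the hashed matching, the generation counter used as the login wall, and the IdentityStore class are all assumptions made for illustration.

```python
"""Added example, not SpyCloud's code or API: match a recaptured-cookie feed against
live sessions, then remediate in three layers. Schema and store are assumptions."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


def sha256_hex(value: str) -> str:
    # Feed records are matched on a digest, so raw cookie values are never stored.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Session:
    user: str
    domain: str
    generation: int  # the user's session generation when the cookie was minted


@dataclass
class User:
    password_hash: str = ""
    idp_session_active: bool = True
    generation: int = 0  # bumped on remediation; older cookies hit a login wall


class IdentityStore:
    """Toy stand-in for an application plus its identity provider."""
    def __init__(self) -> None:
        self.users = {}           # username -> User
        self.sessions = {}        # sha256 of cookie value -> Session
        self.refresh_tokens = {}  # refresh token value -> username
        self.revoked_refresh = set()

    def _mint_cookie(self, user: str, domain: str) -> str:
        cookie = secrets.token_urlsafe(32)
        self.sessions[sha256_hex(cookie)] = Session(user, domain, self.users[user].generation)
        return cookie

    def login(self, user: str, domain: str) -> tuple:
        # Interactive login (password or passkey plus MFA assumed verified); returns
        # the two post-authentication artifacts an attacker steals.
        self.users[user].idp_session_active = True
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = user
        return self._mint_cookie(user, domain), rt

    def refresh(self, rt: str, domain: str) -> Optional[str]:
        # Silent re-issue, no login event and no MFA prompt: what a stolen refresh
        # token keeps open after the cookie alone is revoked.
        if rt not in self.refresh_tokens or rt in self.revoked_refresh:
            return None
        return self._mint_cookie(self.refresh_tokens[rt], domain)

    def validate_cookie(self, cookie: Optional[str]) -> bool:
        s = self.sessions.get(sha256_hex(cookie)) if cookie else None
        if s is None:
            return False
        u = self.users[s.user]
        return u.idp_session_active and s.generation == u.generation

    def reset_password(self, user: str, new_password: str) -> None:
        # Changes only the password; sessions and refresh tokens survive it.
        self.users[user].password_hash = sha256_hex(new_password)

    def remediate(self, user: str) -> None:
        self.revoked_refresh.update(rt for rt, u in self.refresh_tokens.items() if u == user)  # layer 1
        self.users[user].idp_session_active = False  # layer 2: IdP/SSO session, cascades to federated apps
        self.users[user].generation += 1  # layer 3: every existing app cookie now hits a login wall

    def match_feed(self, feed: list) -> set:
        hits = set()
        for rec in feed:
            s = self.sessions.get(rec["value_sha256"])
            if s and s.domain == rec["domain"] and s.generation == self.users[s.user].generation:
                hits.add(s.user)
        return hits


def run_demo() -> dict:
    store = IdentityStore()
    store.users.update(alice=User(), bob=User())
    alice_cookie, alice_rt = store.login("alice", "app.example.com")
    bob_cookie, _ = store.login("bob", "app.example.com")
    # Constructed feed records standing in for a recaptured-cookie delivery.
    feed = [{"domain": "app.example.com", "cookie_name": "session", "value_sha256": sha256_hex(alice_cookie)},
            {"domain": "app.example.com", "cookie_name": "session", "value_sha256": sha256_hex("never issued")}]
    exposed = store.match_feed(feed)
    store.reset_password("alice", "new passphrase")  # incomplete remediation: reset only
    minted = store.refresh(alice_rt, "app.example.com")
    after_reset = {"old_cookie_valid": store.validate_cookie(alice_cookie), "refresh_still_mints": minted is not None}
    for user in exposed:  # complete remediation: all three layers
        store.remediate(user)
    after_remediation = {"old_cookie_valid": store.validate_cookie(alice_cookie),
                         "minted_cookie_valid": store.validate_cookie(minted),
                         "refresh_still_mints": store.refresh(alice_rt, "app.example.com") is not None,
                         "bob_unaffected": store.validate_cookie(bob_cookie)}
    return {"exposed": exposed, "after_reset": after_reset, "after_remediation": after_remediation}
```

Calling run_demo() reports that only alice is exposed, that after the password reset her old cookie still validates and her refresh token still mints new sessions, and that after all three layers run neither her original cookie, the freshly minted one, nor the refresh token works while bob’s session is untouched. The per-user generation counter is one way to implement the "login wall" for cookies an IdP cannot reach directly: a real deployment would persist it alongside the user record and compare it on every request, so that remediation is a single counter increment rather than a hunt for every outstanding cookie.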
