The Rise of Identity-Based Attacks: From Password Spray to Pass-the-Cookie
Cornerstone Cyber, Jul 3

Identity is the new perimeter. Australian organisations increasingly face sophisticated credential attacks—password spray, credential stuffing and “pass-the-cookie” session hijacking. Awareness of these evolving tactics is crucial for prioritising defensive strategies.

Password Spray and Credential Stuffing
Attackers test common passwords (e.g. “Password123!”) across many accounts (spray), or reuse credentials leaked in other breaches (stuffing). Defences include lockout policies, risk-based authentication and monitoring for Impossible Travel sign-ins. Training should highlight that lockout policies on their own can be bypassed by distributed attacks that keep each account below the lockout threshold, so they need to be backed by adaptive risk policies.

Pass-the-Cookie and Session Hijacking
Rather than stealing passwords, threat actors hijack valid sessions by extracting session cookies from compromised browsers or malicious extensions. Because the attacker presents a legitimate, already-authenticated token, MFA prompts and password resets may not interrupt the session. Teams need to raise awareness of browser hygiene: uninstall untrusted add-ons, clear cookies regularly, and use browser isolation where possible.

Monitoring and Threat Detection
Feed anomalous sign-in patterns—location jumps, unusual device IDs—into Sentinel. Use custom detection rules to flag atypical POST requests to authentication endpoints. Awareness guides for SOC teams should emphasise correlating sign-in logs with cookie theft indicators, such as sudden spikes in GET requests after successful logins.
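
To make the two detections mentioned above concrete, here is an added example written for this page (it is not Cornerstone Cyber's tooling and not a Sentinel rule). It runs two heuristics over a handful of constructed sign-in records: a password-spray check that counts distinct accounts failed against per source address, which is the pattern a per-account lockout never sees, and an Impossible Travel check that compares the distance and time between a user's consecutive successful sign-ins. The field names, IP addresses, coordinates and thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in records for this example (not real logs).
# Field names are assumptions; a SIEM export would carry the same information.
# Rows 1-6: one failed attempt against each of six accounts from a single IP.
# Rows 7-8: alice signs in from Sydney, then from London 30 minutes later.
# Rows 9-10: bob mistypes once and then succeeds from the same IP (benign).
SYD = (-33.87, 151.21)
LON = (51.51, -0.13)
SAMPLE_SIGN_INS = [
    {"ts": "2024-07-03T01:00:00", "user": "alice", "ip": "203.0.113.10", "ok": False, "geo": SYD},
    {"ts": "2024-07-03T01:00:05", "user": "bob",   "ip": "203.0.113.10", "ok": False, "geo": SYD},
    {"ts": "2024-07-03T01:00:10", "user": "carol", "ip": "203.0.113.10", "ok": False, "geo": SYD},
    {"ts": "2024-07-03T01:00:15", "user": "dave",  "ip": "203.0.113.10", "ok": False, "geo": SYD},
    {"ts": "2024-07-03T01:00:20", "user": "erin",  "ip": "203.0.113.10", "ok": False, "geo": SYD},
    {"ts": "2024-07-03T01:00:25", "user": "frank", "ip": "203.0.113.10", "ok": False, "geo": SYD},
    {"ts": "2024-07-03T02:00:00", "user": "alice", "ip": "198.51.100.7", "ok": True,  "geo": SYD},
    {"ts": "2024-07-03T02:30:00", "user": "alice", "ip": "192.0.2.44",   "ok": True,  "geo": LON},
    {"ts": "2024-07-03T03:00:00", "user": "bob",   "ip": "198.51.100.8", "ok": False, "geo": SYD},
    {"ts": "2024-07-03T03:00:30", "user": "bob",   "ip": "198.51.100.8", "ok": True,  "geo": SYD},
]


def detect_password_spray(events, window_minutes=60, min_accounts=5, max_per_account=2):
    """Flag source IPs that fail against many distinct accounts with only a few
    attempts each. A per-account lockout never fires on this pattern, so the
    count has to be taken per source address rather than per user."""
    failures = defaultdict(lambda: defaultdict(list))  # ip -> user -> [timestamps]
    for e in events:
        if not e["ok"]:
            failures[e["ip"]][e["user"]].append(datetime.fromisoformat(e["ts"]))
    suspects = []
    for ip, per_user in failures.items():
        times = sorted(t for ts in per_user.values() for t in ts)
        span_minutes = (times[-1] - times[0]).total_seconds() / 60
        low_rate = all(len(ts) <= max_per_account for ts in per_user.values())
        if len(per_user) >= min_accounts and low_rate and span_minutes <= window_minutes:
            suspects.append((ip, sorted(per_user)))
    return suspects


def _haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_impossible_travel(events, max_speed_kmh=900):
    """Flag users whose consecutive successful sign-ins are too far apart to be
    reached at a plausible speed. A replayed session cookie often surfaces this
    way, because it is presented from the thief's network rather than the user's."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        for prev, cur in zip(evs, evs[1:]):
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = _haversine_km(prev["geo"], cur["geo"])
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_speed_kmh:
                hits.append({"user": user, "from": prev["ip"], "to": cur["ip"],
                             "km": round(km), "kmh": None if hours == 0 else round(speed)})
    return hits


if __name__ == "__main__":
    for ip, users in detect_password_spray(SAMPLE_SIGN_INS):
        print(f"possible password spray from {ip}: {len(users)} accounts, {users}")
    for h in detect_impossible_travel(SAMPLE_SIGN_INS):
        print(f"impossible travel for {h['user']}: {h['from']} -> {h['to']}, {h['km']} km at ~{h['kmh']} km/h")
```

Run as a script it reports the single spraying address and alice's Sydney-to-London jump, while bob's one mistyped password from his usual address produces nothing. In a real deployment the geo lookup comes from the SIEM's IP enrichment, and the thresholds should be tuned against a baseline of the organisation's normal failure rates and VPN egress locations to keep false positives down.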

Session Management Best Practices
Without turning this into a step-by-step guide, promote visibility of session controls: shortening cookie lifetimes, requiring reauthentication for high-value operations, and giving users visibility into their active sessions via https://myaccount.microsoft.com. Awareness communications can nudge users to sign out of unused sessions, reducing the window in which a stolen token is usable.
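
The controls listed above are easiest to reason about with a small server-side session table in front of you. The following is an added example written for this page (not the post's or Microsoft's code): an application session store with an absolute lifetime, an idle timeout, a step-up check for high-value operations, a "your active sessions" listing and a "sign out everywhere else" revocation. Every lifetime value, the cookie name `sid` and the class and method names are assumptions chosen for the example.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy values are assumptions chosen for this example, not figures from the
# post; tune them to the application's risk profile.
ABSOLUTE_LIFETIME = timedelta(hours=8)    # hard cap, however active the session
IDLE_TIMEOUT = timedelta(minutes=30)      # dropped once unused for this long
STEP_UP_MAX_AGE = timedelta(minutes=5)    # high-value operations need a fresher proof


@dataclass
class Session:
    user: str
    device: str
    issued_at: datetime
    last_seen: datetime
    last_auth: datetime   # last time the user actually proved a credential


class SessionStore:
    """Server-side session table keyed by an opaque cookie value."""

    def __init__(self):
        self._sessions = {}  # token -> Session

    def issue(self, user, device, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, device, now, now, now)
        return token

    @staticmethod
    def cookie_header(token):
        """Set-Cookie value. HttpOnly keeps page scripts from reading the cookie,
        Secure keeps it off plaintext HTTP, and Max-Age matches the absolute
        lifetime so a copy taken from the browser does not outlive the server
        record. None of these flags stops malware that reads the browser's
        cookie store directly, which is why the short lifetimes above matter."""
        return (f"sid={token}; Path=/; HttpOnly; Secure; SameSite=Lax; "
                f"Max-Age={int(ABSOLUTE_LIFETIME.total_seconds())}")

    def _alive(self, s, now):
        return now - s.issued_at <= ABSOLUTE_LIFETIME and now - s.last_seen <= IDLE_TIMEOUT

    def resolve(self, token, now):
        """Return the Session for a presented cookie, or None if unknown or expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if not self._alive(s, now):
            del self._sessions[token]
            return None
        s.last_seen = now
        return s

    def requires_step_up(self, token, now):
        """True when a high-value operation must re-prompt for a credential
        (MFA or password) because the last proof is older than STEP_UP_MAX_AGE."""
        s = self.resolve(token, now)
        return s is None or now - s.last_auth > STEP_UP_MAX_AGE

    def record_reauth(self, token, now):
        """Call after the user passes the step-up prompt."""
        s = self.resolve(token, now)
        if s is not None:
            s.last_auth = now

    def list_for_user(self, user, now):
        """What an 'active sessions' page shows: device and age, never the token itself."""
        return [{"device": s.device, "issued_at": s.issued_at, "token_hint": tok[:6] + "..."}
                for tok, s in self._sessions.items()
                if s.user == user and self._alive(s, now)]

    def revoke_others(self, user, keep_token):
        """'Sign out everywhere else': drop every session of the user except the current one."""
        doomed = [tok for tok, s in self._sessions.items() if s.user == user and tok != keep_token]
        for tok in doomed:
            del self._sessions[tok]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    t0 = datetime(2024, 7, 3, 9, 0)
    tok = store.issue("alice", "laptop", t0)
    print(store.cookie_header(tok))
    print("step-up needed at +10 min:", store.requires_step_up(tok, t0 + timedelta(minutes=10)))
    print("still valid after 45 idle minutes:", store.resolve(tok, t0 + timedelta(minutes=55)) is not None)
```

The point of the two lifetimes is that a cookie copied out of a browser is only as useful as the server record behind it: the idle timeout ends a session the user walked away from, and the absolute cap ends even a session the thief keeps active. The step-up age is the server-side half of "reauthentication for high-value operations", and `revoke_others` is what a user's "sign out of unused sessions" click should call.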