Session Cookie Theft Scams via Email
Phishing emails and malicious attachments delivered via email harvest browser session cookies, enabling attackers to access online accounts without the victim's credentials by replaying the stolen session tokens.
Part of: Session Cookie Theft Scams
Last reviewed: 1 June 2026
Email remains the most common delivery mechanism for malware that steals browser session cookies. A convincing phishing email can direct the victim to a login page under attacker control, where the act of logging in lets a page script copy the resulting session cookie, or it can deliver an attachment that installs an infostealer to harvest cookies from the local browser.
Session cookie theft via email is particularly dangerous because the victim may believe their account is safe because they ignored the phishing link, unaware that an infostealer installed from an email attachment has been silently collecting credentials for days.
How this scam works via email
A phishing email mimics a legitimate service — an e-commerce site, a document-sharing platform, or a financial service — and directs the recipient to a login page under attacker control. When the user logs in, the page captures the resulting authenticated session cookie and forwards it to the attacker, who replays it to access the account from their own device.
In the malware variant, an email attachment described as an invoice, contract, or notification document installs an infostealer on the victim's device when opened. The infostealer silently extracts all browser cookies — including active session tokens for banking, shopping, and social media sites — and sends them to the attacker.
Some operations use email HTML injection techniques — sending emails that include resources loaded from attacker-controlled servers — to set tracking cookies or gather browser fingerprint data that assists in future credential attacks.
Common red flags
- Email with an attachment claiming to be an invoice, contract, or notification from an unverified sender
- Phishing email directing to a login page where entering credentials triggers unusual browser behaviour
- Unexpected financial or account activity after opening an email attachment from an unfamiliar sender
- Security software alert triggered by an email attachment before or after opening
- Login alert from a service you use for a session originating from an unrecognised location shortly after opening an email
How to protect yourself
- Never open email attachments from senders you cannot independently verify
- Enable multi-factor authentication on all important accounts — session cookies can be stolen but MFA prompts cannot be bypassed simply by replaying a cookie
- Log out of high-value websites (banking, email, crypto) after each session rather than remaining persistently logged in
- Keep email security software and browser extensions updated to detect infostealer delivery attempts
- Use separate browser profiles for financial accounts, keeping session data isolated from general browsing
- Enable email provider security features such as external link and attachment scanning
How to report it
- Report the phishing email to your email provider using their built-in phishing report function
- Forward the email to the impersonated service's abuse or phishing report address
- Report malware delivery to your national cybercrime unit, especially if financial accounts were accessed
Frequently asked questions
How is session cookie theft different from a standard phishing attack?
Standard phishing captures your password. Session cookie theft captures your already-authenticated session, which is valid regardless of your password. Even if you change your password after discovering the theft, the attacker's session token may still be valid until the service explicitly revokes all active sessions. Log out all sessions on affected services immediately.
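The two service-side defences this answer and the "How this scam works" section imply, as an added example that is not part of the original page: a session store that binds each issued cookie to the client that completed the login (so a token replayed from the attacker's device is refused, as in the unrecognised-location alert above) and that revokes every existing session when the password changes. The store, the fingerprint format and the eight-hour lifetime are assumptions for the example.

```python
import hmac
import secrets
import time

# Constructed example: an in-memory session store. Real deployments would use a
# shared store (database or cache) and a fingerprint derived from the request.
MAX_SESSION_AGE = 8 * 3600  # assumed absolute session lifetime in seconds


class SessionStore:
    def __init__(self):
        self._sessions = {}    # token -> session record
        self._generation = {}  # user_id -> current session generation

    def issue(self, user_id, client_fingerprint, now=None):
        """Create a session bound to the client that completed the login."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user_id,
            "fingerprint": client_fingerprint,  # e.g. "<ip>|<user-agent>" (assumed)
            "issued": now if now is not None else time.time(),
            "generation": self._generation.get(user_id, 0),
        }
        return token

    def validate(self, token, client_fingerprint, now=None):
        """Return (user_id, None) if the cookie is acceptable, else (None, reason)."""
        now = now if now is not None else time.time()
        rec = self._sessions.get(token)
        if rec is None:
            return None, "unknown_token"
        if rec["generation"] < self._generation.get(rec["user"], 0):
            return None, "revoked"  # a password change bumped the generation
        if now - rec["issued"] > MAX_SESSION_AGE:
            return None, "expired"
        if not hmac.compare_digest(rec["fingerprint"], client_fingerprint):
            # Same token presented from a different device: the replay pattern
            # of a stolen cookie. Reject it and raise a login alert for the user.
            return None, "fingerprint_mismatch"
        return rec["user"], None

    def revoke_all(self, user_id):
        """Invalidate every existing session for the user ("log out all sessions")."""
        self._generation[user_id] = self._generation.get(user_id, 0) + 1

    def on_password_change(self, user_id):
        # Changing the password alone leaves stolen cookies valid, so the
        # password-change handler must also revoke all sessions.
        self.revoke_all(user_id)
```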