Security researchers have discovered a sophisticated method that allows attackers to steal access tokens from Microsoft Teams, potentially granting unauthorized access to sensitive corporate communications, emails, and SharePoint documents.
The attack vector represents a significant security risk for organizations relying on Microsoft’s productivity suite, as stolen tokens can be weaponized for lateral movement within company networks and social engineering attacks.
Attackers who gain initial access to a victim’s computer can extract authentication tokens stored by Microsoft Teams on the disk.
These tokens serve as digital keys to Microsoft’s services, allowing attackers to impersonate users without needing their passwords.
Once obtained, the tokens enable threat actors to read Teams conversations, access emails, browse shared documents, and send messages impersonating the legitimate user.
This capability opens doors for sophisticated post-exploitation activities that can spread throughout an organization.
The attack exploits how Microsoft Teams stores encrypted authentication data. Security researchers discovered that during the authentication process, Microsoft Teams spawns a child process using an embedded Chromium-based browser engine called msedgewebview2.exe.
This browser component writes encrypted cookies to a database file located in the user’s AppData directory.
The encryption mechanism relies on DPAPI (Data Protection API), a Windows security feature that encrypts sensitive data using machine-specific keys.
Attackers can bypass this encryption by locating the encryption key stored in a JSON configuration file within the Teams local cache.
By extracting this key and the encrypted cookie value, they can decrypt the authentication tokens using AES-256-GCM encryption.
Researchers successfully developed a proof-of-concept tool in Rust that automates this entire extraction process, demonstrating the practical feasibility of the attack.
Once attackers obtain Teams access tokens, they can interact with the Microsoft Graph API to perform various malicious activities.
They can retrieve Teams conversations, read and send messages, and access emails all within the context of the compromised user account.
Security researchers even demonstrated how stolen tokens can be loaded into post-exploitation tools like GraphSpy, which facilitates unauthorised interaction with Microsoft Graph API endpoints without requiring additional authentication.
The implications extend beyond simple data theft. Attackers can use compromised accounts to send phishing messages to colleagues, establish persistence within the network, and conduct social engineering attacks with enhanced credibility.
Since the malicious activities appear to originate from a trusted internal account, detection becomes significantly more difficult.
Organizations should implement endpoint detection and response (EDR) solutions capable of monitoring access to Teams configuration files and encryption keys.
Security teams should also enforce strict access controls, monitor for suspicious Teams API activity, and educate users about protecting their devices from initial compromise.
Additionally, Microsoft Teams users should ensure their systems receive regular security updates and run contemporary antivirus solutions to prevent the initial access required for this attack.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
