{"id":8136,"date":"2025-11-03T10:03:27","date_gmt":"2025-11-03T10:03:27","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/03\/new-bof-tool-exploits-microsoft-teams-cookie-encryption-allowing-attackers-to-access-user-chats\/"},"modified":"2025-11-03T10:03:27","modified_gmt":"2025-11-03T10:03:27","slug":"new-bof-tool-exploits-microsoft-teams-cookie-encryption-allowing-attackers-to-access-user-chats","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/03\/new-bof-tool-exploits-microsoft-teams-cookie-encryption-allowing-attackers-to-access-user-chats\/","title":{"rendered":"New BOF Tool Exploits Microsoft Teams\u2019 Cookie Encryption Allowing Attackers to Access User Chats"},"content":{"rendered":"

New BOF Tool Exploits Microsoft Teams\u2019 Cookie Encryption Allowing Attackers to Access User Chats
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A specialized Beacon Object File (BOF) designed to extract authentication cookies from Microsoft Teams without disrupting the application.<\/p>\n

This development builds on recent findings that expose how Teams stores sensitive access tokens, potentially allowing attackers to impersonate users and access chats, emails, and documents. <\/p>\n

The tool, released by Tier Zero Security, adapts an existing browser exploitation technique to bypass Teams\u2019 file-locking mechanisms, raising fresh concerns about endpoint security in enterprise environments.<\/p>\n

The innovation stems from a detailed analysis of Teams\u2019 authentication process. As outlined in a recent research post<\/a> by RandoriSec, Microsoft Teams embeds a browser window using the msedgewebview2.exe process, a Chromium-based component that handles login via Microsoft\u2019s online services.<\/p>\n

During authentication<\/a>, this process writes cookies to a SQLite database in a manner similar to traditional web browsers.<\/p>\n

These cookies contain access tokens that grant entry to Teams conversations, Skype features, and even the Microsoft Graph API for broader Office 365 interactions.<\/p>\n

However, modern Chromium browsers<\/a> have bolstered their defenses. They now protect encryption keys through a COM-based IElevator service that runs with SYSTEM privileges, verifying the caller\u2019s legitimacy by checking the executable\u2019s secure installation path.<\/p>\n

This setup demands either execution within the browser process or elevated administrator access to decrypt cookie values. <\/p>\n

In contrast, Teams relies on the simpler Data Protection API (DPAPI) tied to the current user\u2019s master key, making its cookies comparatively easier to target once the encryption key is obtained.<\/p>\n

Overcoming File Locks With Process Injection<\/strong><\/h2>\n

A key hurdle in the original research was Teams\u2019 runtime behavior: the application locks its Cookies database file while running, even in the background, preventing direct reads or copies. <\/p>\n

Killing the MS-Teams.exe process, as suggested in the post, would alert users and trigger security monitoring.<\/p>\n

To address this, the researchers drew inspiration<\/a> from the Cookie-Monster-BOF, an open-source tool that extracts cookies from live browser processes by duplicating file handles and invoking the IElevator service.<\/p>\n

The new Teams-Cookies-BOF repurposes this logic for the messaging app. Instead of terminating Teams, it runs directly within the ms-teams.exe process, potentially via DLL or COM hijacking, to identify child webview processes holding open handles to the Cookies file.<\/p>\n

\n
\n