New Bof Tool Exploits Microsoft Teams’ Cookie Encryption Allow...
This development builds on recent findings that expose how Teams stores sensitive access tokens, potentially allowing attackers to impersonate users and access chats, emails, and documents.
The tool, released by Tier Zero Security, adapts an existing browser exploitation technique to bypass Teams’ file-locking mechanisms, raising fresh concerns about endpoint security in enterprise environments.
The innovation stems from a detailed analysis of Teams’ authentication process. As outlined in a recent research post by RandoriSec, Microsoft Teams embeds a browser window using the msedgewebview2.exe process, a Chromium-based component that handles login via Microsoft’s online services.
Modern Chromium browsers, by contrast, have bolstered their defenses. They now protect the cookie encryption key behind a COM-based IElevator service that runs with SYSTEM privileges and verifies the caller's legitimacy by checking that the requesting executable lives in the browser's secure installation path.
Killing the MS-Teams.exe process to release its locks, as the RandoriSec post suggests, would alert the user and trigger security monitoring.
Instead, the BOF duplicates the file handles that the webview process already holds open on the locked cookie store, reads the contents through the duplicated handles on the fly, and decrypts the values using the user's DPAPI master key. Because no process is killed and no file is copied or touched on disk, the activity blends in with legitimate process behavior.
While this broadens the tool's applicability, it also leaves detectable indicators, such as a process with no legitimate relationship to the webview opening it and duplicating its handles.
Once obtained, the tokens enable API calls to fetch conversation histories, read messages, or send phishing content on behalf of victims, escalating risks in lateral movement or social engineering campaigns.
Tier Zero Security has made the BOF publicly available on GitHub. It is compatible with any C2 framework that can load Beacon Object Files, and it requires no arguments for basic use.
This release underscores a persistent gap between Teams' security model and that of hardened browsers. Organizations should prioritize behavioral monitoring for process injection and cross-process handle duplication (a process opening msedgewebview2.exe with PROCESS_DUP_HANDLE rights), enforce least-privilege execution, and consider endpoint detection rules targeting DPAPI accesses or webview handle manipulations.
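The handle-duplication step is what a detection rule can key on: before DuplicateHandle() will copy a handle out of the webview, the caller must first open msedgewebview2.exe with the PROCESS_DUP_HANDLE (0x0040) access right, which a Sysmon Event ID 10 (ProcessAccess) record exposes as GrantedAccess. The following is an added example, not code from Tier Zero Security, RandoriSec or this article; the log records, image paths, the implant file name and the allowlist are constructed assumptions to be tuned per environment.

```python
import re
from dataclasses import dataclass

# PROCESS_DUP_HANDLE (0x0040) is the access right a caller must be granted on
# the webview process before DuplicateHandle() will copy one of its handles.
PROCESS_DUP_HANDLE = 0x0040
WEBVIEW_IMAGE = "msedgewebview2.exe"

# Assumed allowlist, to be tuned per environment: the Teams host process and
# the webview's own helper processes open each other as a matter of course.
ALLOWED_SOURCES = {"ms-teams.exe", "msedgewebview2.exe"}

# Constructed, Sysmon-style Event ID 10 (ProcessAccess) records flattened to
# key=value pairs. Real events arrive as XML/EVTX; feed the same fields in.
SAMPLE_LINES = [
    # Teams host opening its own webview child: expected, all-access handle.
    "UtcTime=2024-05-01 10:22:33.101 "
    "SourceImage=C:\\Program Files\\WindowsApps\\MSTeams\\ms-teams.exe "
    "TargetImage=C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\msedgewebview2.exe "
    "GrantedAccess=0x1FFFFF",
    # Constructed implant host asking for exactly PROCESS_DUP_HANDLE on the webview.
    "UtcTime=2024-05-01 10:24:07.553 "
    "SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe "
    "TargetImage=C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\msedgewebview2.exe "
    "GrantedAccess=0x40",
    # Memory-read scan of the webview without the duplicate-handle right: noisy, but not this technique.
    "UtcTime=2024-05-01 10:24:09.002 "
    "SourceImage=C:\\Program Files\\ExampleAV\\scanner.exe "
    "TargetImage=C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\msedgewebview2.exe "
    "GrantedAccess=0x1410",
    # Same implant host and right, but against an unrelated process.
    "UtcTime=2024-05-01 10:24:12.777 "
    "SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe "
    "TargetImage=C:\\Windows\\System32\\notepad.exe "
    "GrantedAccess=0x40",
]

# Values may contain spaces (Windows paths), so a field ends only where the
# next "Key=" token begins or the record ends.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class ProcessAccessEvent:
    utc_time: str
    source_image: str
    target_image: str
    granted_access: int


def parse_event(line):
    """Split one flattened record into its fields; GrantedAccess is a hex mask."""
    fields = dict(FIELD_RE.findall(line))
    return ProcessAccessEvent(
        utc_time=fields["UtcTime"],
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
    )


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(event):
    """Flag non-allowlisted processes obtaining duplicate-handle rights on the webview."""
    if image_name(event.target_image) != WEBVIEW_IMAGE:
        return False
    if not event.granted_access & PROCESS_DUP_HANDLE:
        return False
    return image_name(event.source_image) not in ALLOWED_SOURCES


def detect(lines):
    """Return the events matching the cross-process handle-duplication pattern."""
    return [event for event in map(parse_event, lines) if is_suspicious(event)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_LINES):
        print(f"{hit.utc_time} {image_name(hit.source_image)} -> "
              f"{image_name(hit.target_image)} access=0x{hit.granted_access:x}")
```

Two caveats when moving this into a real rule. Sysmon's default configurations filter most ProcessAccess events, so msedgewebview2.exe has to be explicitly included as a target before Event ID 10 records exist to match. And the allowlist is a blind spot: an implant that has already injected into ms-teams.exe inherits that process's expected relationship with the webview, which is why this rule should sit alongside the process-injection monitoring recommended above rather than replace it.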
Source: Cybersecurity News