Red Hot Cyber
Hackers can access Microsoft Teams chats and emails using access tokens

Redazione RHC : 24 October 2025 08:02

A recent discovery has revealed that hackers can exploit a flaw in Microsoft Teams on Windows to obtain encrypted authentication tokens, which grant unauthorized access to chats, emails, and files stored on SharePoint. Brahim El Fikhi detailed this vulnerability in a blog post published on October 23, 2025, highlighting how the tokens, stored within a Chromium-inspired cookie database, are vulnerable to decryption using the Data Protection API (DPAPI) provided by Windows.

Access tokens give attackers the ability to impersonate users, such as sending Teams messages or emails in the victims’ names, to perform social engineering attacks or maintain persistence. These methods circumvent recent security enhancements, putting enterprise environments at risk through potential lateral movement and subsequent data exfiltration.

El Fikhi’s focus on Office desktop applications, particularly Teams, reveals vulnerabilities in embedded browser components responsible for managing authentication via login.microsoftonline.com. A recent analysis indicates that the Microsoft ecosystem remains a prime target, given its widespread use within enterprises.

Early versions of Microsoft Teams stored authentication cookies in plain text within the SQLite file at %AppData%\Local\Microsoft\Teams\Cookies, a flaw discovered by Vectra AI in 2022 that allowed simple file reads to harvest tokens for Graph API abuse, bypassing MFA.

The updates eliminated this type of plaintext storage, adopting encrypted formats aligned with Chromium’s cookie protection to prevent on-disk theft. However, this change introduces new attack vectors. Tokens now use AES-256-GCM encryption protected by DPAPI, a Windows API that ties keys to user or machine contexts for data isolation.

To counter these threats, the recommended measures include monitoring for abnormal terminations of ms-teams.exe or unusual ProcMon patterns.

Additionally, it is recommended to use web-based Teams to limit local storage. Token rotation via Entra ID policies and monitoring API logs for irregularities are additional crucial steps.

As Teams threats evolve, EDR rules focused on DPAPI activity become critically important.
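As an added example (not code from the article or from El Fikhi’s research), the following toy detection logic implements two of the signals named above: abnormal terminations of ms-teams.exe, and a process other than the Teams client reading the Teams cookie store. The event record shape, the field names, the sample file paths and the `ALLOWED_READERS` list are all assumptions constructed for this illustration.

```python
# Added example: toy detection over constructed EDR-style event records.
# Event shape, field names and sample paths are assumptions, not real telemetry.
from pathlib import PureWindowsPath

TEAMS_IMAGE = "ms-teams.exe"
# Tail of the cookie store path named in the article (...\Microsoft\Teams\Cookies).
COOKIE_DB_TAIL = ("microsoft", "teams", "cookies")
# Processes expected to read the store in normal operation (assumption).
ALLOWED_READERS = {TEAMS_IMAGE}


def touches_teams_cookie_db(path: str) -> bool:
    """True if the path ends with ...\\Microsoft\\Teams\\Cookies (case-insensitive)."""
    parts = tuple(p.lower() for p in PureWindowsPath(path).parts)
    return parts[-3:] == COOKIE_DB_TAIL


def detect(events: list[dict]) -> list[str]:
    """Return one alert line per suspicious event; benign events yield nothing."""
    alerts = []
    for ev in events:
        image = PureWindowsPath(ev["image"]).name.lower()
        if ev["type"] == "process_terminate" and image == TEAMS_IMAGE:
            # A non-zero exit or an external kill of the client is the first signal.
            if ev.get("exit_code", 0) != 0 or ev.get("killed_by"):
                alerts.append(f"abnormal {TEAMS_IMAGE} termination: "
                              f"exit={ev.get('exit_code')} killed_by={ev.get('killed_by')}")
        elif ev["type"] == "file_read" and touches_teams_cookie_db(ev["target"]):
            # Any reader outside the allow-list touching the cookie store is the second.
            if image not in ALLOWED_READERS:
                alerts.append(f"non-Teams process {ev['image']} read cookie store {ev['target']}")
    return alerts


# Constructed sample telemetry: two benign records, two that should alert.
COOKIE_DB = r"C:\Users\alice\AppData\Local\Microsoft\Teams\Cookies"
TEAMS_EXE = r"C:\Teams\ms-teams.exe"          # constructed install path
OTHER_EXE = r"C:\Users\alice\Downloads\tool.exe"  # constructed unknown binary
SAMPLE_EVENTS = [
    {"type": "process_terminate", "image": TEAMS_EXE, "exit_code": 0},
    {"type": "process_terminate", "image": TEAMS_EXE, "exit_code": 1, "killed_by": OTHER_EXE},
    {"type": "file_read", "image": TEAMS_EXE, "target": COOKIE_DB},
    {"type": "file_read", "image": OTHER_EXE, "target": COOKIE_DB},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Running the block prints two alerts, one for the killed client and one for the unknown binary reading the cookie store; the clean termination and the Teams client’s own read produce nothing.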

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.