Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Hackers can access Microsoft Teams chats and emails using access tokens

24 October 2025 08:02

A recent discovery has revealed that hackers can exploit a flaw in Microsoft Teams on Windows to obtain encrypted authentication tokens, which grant unauthorized access to chats, emails, and files stored on SharePoint. Brahim El Fikhi detailed this vulnerability in a blog post published on October 23, 2025, highlighting how the tokens, stored in a Chromium-style cookie database, can be decrypted using the Data Protection API (DPAPI) provided by Windows.

Access tokens give attackers the ability to impersonate users, for example by sending Teams messages or emails in the victims' names, in order to carry out social engineering attacks or maintain persistence. These methods circumvent recent security enhancements, putting enterprise environments at risk of lateral movement and subsequent data exfiltration.

El Fikhi’s focus on Office desktop applications, particularly Teams, reveals vulnerabilities in embedded browser components responsible for managing authentication via login.microsoftonline.com. A recent analysis indicates that the Microsoft ecosystem remains a prime target, given its widespread use within enterprises.

Early versions of Microsoft Teams stored authentication cookies in plain text in the SQLite file at %AppData%\Local\Microsoft\Teams\Cookies, a flaw discovered by Vectra AI in 2022 that allowed a simple file read to harvest tokens for Graph API abuse, bypassing MFA.

Later updates eliminated this plaintext storage, adopting an encrypted format aligned with Chromium's cookie protection to prevent on-disk theft. However, this change introduces new attack vectors. Tokens are now encrypted with AES-256-GCM under a key protected by DPAPI, a Windows API that ties keys to the user or machine context so that data is isolated between them.

Countermeasures include monitoring for abnormal terminations of ms-teams.exe and for unusual file-access patterns of the kind Process Monitor (ProcMon) reveals.

Additionally, it is recommended to use the web-based Teams client to limit local token storage. Token rotation via Entra ID policies and monitoring API logs for irregularities are further crucial steps.

As Teams threats evolve, EDR rules keyed on DPAPI activity become critically important.
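The two host-side signals the article recommends watching, an abnormal exit of ms-teams.exe and a process other than Teams touching the cookie database, can be turned into a small correlation rule. The following is an added example written for this page, not code from the article or from El Fikhi's research. It uses Windows Security log event IDs 4689 (process termination, with Exit Status) and 4663 (object access, with Object Name and Process Name), which exist in the standard schema; the sample records, the cookie-store path suffix (taken from the path quoted above) and the five-minute correlation window are constructed assumptions to be tuned per environment.

```python
"""Correlate Teams crash events with foreign access to the Teams cookie DB.

Rules (defender-side, from the mitigations discussed in the article):
  R1  abnormal termination of ms-teams.exe (4689 with a non-zero Exit Status)
  R2  a process other than ms-teams.exe opening the Teams cookie database (4663)
  R3  R2 following R1 for the same user within CORRELATION_WINDOW -> escalate
Field names follow the Windows Security event schema; the records in
SAMPLE_EVENTS are constructed for this example, not real telemetry.
"""
from datetime import datetime, timedelta

TEAMS_EXE = "ms-teams.exe"
# Assumption: the cookie store lives under ...\Microsoft\Teams\Cookies as the article states.
COOKIE_DB_SUFFIX = r"\microsoft\teams\cookies"
CORRELATION_WINDOW = timedelta(minutes=5)  # assumption: tune per environment

# Constructed sample records (timestamps, users and paths are illustrative).
SAMPLE_EVENTS = [
    {"time": "2025-10-23T09:00:01", "EventID": 4689, "SubjectUserName": "alice",
     "ProcessName": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe", "ExitStatus": "0x0"},
    {"time": "2025-10-23T09:14:10", "EventID": 4663, "SubjectUserName": "alice",
     "ProcessName": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Cookies"},
    {"time": "2025-10-23T09:20:00", "EventID": 4689, "SubjectUserName": "bob",
     "ProcessName": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe", "ExitStatus": "0xC0000005"},
    {"time": "2025-10-23T09:21:30", "EventID": 4663, "SubjectUserName": "bob",
     "ProcessName": r"C:\Users\bob\Downloads\updater.exe",
     "ObjectName": r"C:\Users\bob\AppData\Local\Microsoft\Teams\Cookies"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def is_teams_process(path):
    # Compare on the image name only; the install directory varies between builds.
    return path.lower().endswith(TEAMS_EXE)


def rule_abnormal_exit(event):
    """R1: ms-teams.exe terminated with a non-zero NTSTATUS exit code."""
    return (event["EventID"] == 4689
            and is_teams_process(event["ProcessName"])
            and int(event["ExitStatus"], 16) != 0)


def rule_foreign_cookie_access(event):
    """R2: something other than Teams itself opened the Teams cookie database."""
    return (event["EventID"] == 4663
            and COOKIE_DB_SUFFIX in event.get("ObjectName", "").lower()
            and not is_teams_process(event["ProcessName"]))


def detect(events):
    """Run R1/R2 over time-ordered events and escalate to R3 on correlation."""
    alerts = []
    recent_exits = []  # R1 hits kept for correlation with later R2 hits
    for event in sorted(events, key=_ts):
        user = event["SubjectUserName"]
        if rule_abnormal_exit(event):
            recent_exits.append(event)
            alerts.append({"rule": "R1", "severity": "medium", "user": user,
                           "detail": "abnormal ms-teams.exe exit %s" % event["ExitStatus"]})
        if rule_foreign_cookie_access(event):
            correlated = any(
                crash["SubjectUserName"] == user
                and timedelta(0) <= _ts(event) - _ts(crash) <= CORRELATION_WINDOW
                for crash in recent_exits)
            alerts.append({
                "rule": "R3" if correlated else "R2",
                "severity": "critical" if correlated else "high",
                "user": user,
                "detail": "%s read %s" % (event["ProcessName"], event["ObjectName"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both base rules fire on a single event, so they can be shipped as-is to a SIEM; the value of R3 is that the crash-then-read sequence for one user is far rarer than either signal alone. Teams crashes on their own are noisy, which is why R1 stays at medium, while any non-Teams reader of the cookie store is worth a look even without a preceding crash.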


The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.