Hackers Can Gain Access to Microsoft Teams Chat and Emails by Retrieving Access Tokens

A new technique allows hackers to extract encrypted authentication tokens from Microsoft Teams on Windows, enabling unauthorized access to chats, emails, and SharePoint files.

In a blog post dated October 23, 2025, Brahim El Fikhi explains how these tokens, stored in a Chromium-like Cookies database, can be decrypted using Windows’ Data Protection API (DPAPI).

This method bypasses recent security hardening, posing risks for lateral movement and data exfiltration in enterprise environments.

These access tokens grant impersonation capabilities, such as sending Teams messages or emails on behalf of victims, which attackers can exploit for social engineering or persistence.

El Fikhi’s focus on desktop Office apps, especially Teams, highlights vulnerabilities in embedded browser components that handle authentication via login.microsoftonline.com. Microsoft’s ecosystem remains a prime target, with recent disruptions noted in threats against Teams as of early October 2025.

Early Microsoft Teams versions stored auth cookies in plaintext within the SQLite file at %AppData%\Local\Microsoft\Teams\Cookies, a flaw exposed by Vectra AI in 2022 that allowed simple file reads to harvest tokens for Graph API abuse, bypassing MFA.

Updates eliminated this plaintext storage, adopting encrypted formats aligned with Chromium’s cookie protection to prevent disk-based theft.

However, the shift introduces new attack vectors. Tokens now use AES-256-GCM encryption protected by DPAPI, a Windows API that ties keys to user or machine contexts for data isolation.

This relies on the user’s login credentials, making decryption feasible with local access but challenging remotely without privilege escalation. Similar protections in browsers like Chrome have been cracked via key extraction, a pattern echoed in Teams’ msedgewebview2.exe process.

Microsoft Teams Access Tokens Exfiltrated

To pinpoint token locations, researchers employed ProcMon from SysInternals, filtering for WriteFile operations on msedgewebview2.exe, the embedded Edge WebView2 browser spawned by ms-teams.exe during login.

This process writes to the Cookies database, unlike the main executable, which avoids sensitive file I/O beyond logs.

The SQLite Cookies table holds critical entries: host_key (e.g., teams.microsoft.com), name (cookie identifier), and encrypted_value prefixed with “v10” (0x76 0x31 0x30), indicating Chromium’s version 10 encryption.

The schema parses as: 3-byte tag, 12-byte nonce (initialization vector), and the AES-encrypted payload. The master key is in %AppData%\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Local State, a JSON file, under os_crypt.encrypted_key: a Base64 string that begins with “DPAPI” after decoding and is protected by user-specific DPAPI blobs in %AppData%\Microsoft\Protect.
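As an added illustration of the on-disk layout just described (this is not El Fikhi’s PoC and not the teams_dump code the article mentions), the following Python script walks a Cookies database and a Local State file and reports, without decrypting anything, whether each cookie record carries the “v10” tag plus 12-byte nonce plus AES-GCM payload or is still stored as plaintext, and whether the master key is DPAPI-wrapped. A defender can run the same checks against a copied profile to confirm the hardening is in place. The cookies table columns, the trailing 16-byte GCM authentication tag, the file locations and all sample rows are assumptions or constructed data, not values from the article.

```python
"""Audit a Teams/Chromium-style Cookies DB and Local State file for the
v10 + nonce + AES-GCM cookie layout and a DPAPI-wrapped master key.
Nothing here decrypts; it only classifies the on-disk format."""
import base64
import json
import os
import sqlite3

V10_TAG = b"v10"          # 0x76 0x31 0x30, Chromium's "version 10" marker
NONCE_LEN = 12            # AES-GCM initialisation vector that follows the tag
GCM_TAG_LEN = 16          # AES-GCM auth tag appended to the ciphertext
                          # (Chromium os_crypt layout; assumed, not stated on the page)
DPAPI_PREFIX = b"DPAPI"   # expected prefix of the decoded os_crypt.encrypted_key


def classify_cookie_value(blob: bytes) -> dict:
    """Report how one encrypted_value blob is protected, without decrypting it."""
    if blob.startswith(V10_TAG):
        body = blob[len(V10_TAG):]
        well_formed = len(body) >= NONCE_LEN + GCM_TAG_LEN
        return {
            "scheme": "v10-aes-gcm",
            "well_formed": well_formed,
            "nonce_hex": body[:NONCE_LEN].hex() if well_formed else None,
            "ciphertext_len": len(body) - NONCE_LEN - GCM_TAG_LEN if well_formed else None,
        }
    if not blob:
        return {"scheme": "empty", "well_formed": True}
    # Legacy layout (the 2022 Vectra finding): the value sits on disk as readable text.
    try:
        if blob.decode("utf-8").isprintable():
            return {"scheme": "plaintext", "well_formed": True}
    except UnicodeDecodeError:
        pass
    return {"scheme": "unknown", "well_formed": False}


def check_local_state(local_state_json: str) -> dict:
    """Confirm the master key in Local State is present and DPAPI-wrapped."""
    state = json.loads(local_state_json)
    b64 = state.get("os_crypt", {}).get("encrypted_key")
    if b64 is None:
        return {"present": False, "dpapi_wrapped": False}
    raw = base64.b64decode(b64)
    return {"present": True, "dpapi_wrapped": raw.startswith(DPAPI_PREFIX),
            "blob_len": len(raw) - len(DPAPI_PREFIX)}


def audit_cookie_db(conn: sqlite3.Connection) -> list:
    """Walk the cookies table and return one finding per row."""
    rows = conn.execute("SELECT host_key, name, encrypted_value FROM cookies").fetchall()
    findings = []
    for host_key, name, encrypted_value in rows:
        info = classify_cookie_value(bytes(encrypted_value or b""))
        findings.append({"host_key": host_key, "name": name, **info})
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the real Cookies file (no real tokens)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, encrypted_value BLOB)")
    hardened = V10_TAG + os.urandom(NONCE_LEN) + os.urandom(40) + os.urandom(GCM_TAG_LEN)
    conn.executemany(
        "INSERT INTO cookies VALUES (?, ?, ?)",
        [
            ("teams.microsoft.com", "MUIDB", hardened),                          # hardened row
            ("teams.microsoft.com", "TSREGIONCOOKIE", b"legacy-plaintext-value"),  # constructed legacy row
            ("teams.microsoft.com", "truncated", V10_TAG + b"\x00" * 5),         # too short to be valid
        ],
    )
    return conn


# Constructed Local State; a real file holds a DPAPI blob of a few hundred bytes.
SAMPLE_LOCAL_STATE = json.dumps(
    {"os_crypt": {"encrypted_key": base64.b64encode(DPAPI_PREFIX + os.urandom(32)).decode()}}
)


if __name__ == "__main__":
    for finding in audit_cookie_db(build_sample_db()):
        print(finding)
    print(check_local_state(SAMPLE_LOCAL_STATE))
```

Any row reported as "plaintext" on a current installation, or a Local State whose key does not start with "DPAPI", is worth investigating: either the hardened format has been bypassed or the profile is not the one Teams is actually using.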

The key is extracted and DPAPI-unprotected using Windows APIs such as CryptUnprotectData, which requires the attacker’s context to match the user’s (e.g., via mimikatz for credential dumping).

Then AES-256-GCM is applied with the key and nonce to the payload, yielding the auth token. El Fikhi’s Rust PoC automates this, dumping tokens only after ms-teams.exe has been terminated, a standard limitation because the running process holds an exclusive lock on the file. Python equivalents, like those for Chrome, demonstrate similar logic:

[Image 7 in the original article: the Python decryption snippet referred to above is not reproduced in the text.]

This code, adapted from browser forensics, directly applies to Teams. A GitHub PoC (teams_dump) lists and decrypts the database, outputting JSON with hosts like teams.microsoft.com and cookies like MUIDB or TSREGIONCOOKIE.

Mitigations

Tools like GraphSpy ingest the token for scoped abuse, such as reading SharePoint files or emails, limited to the permissions the Teams app holds (e.g., Chat.ReadWrite, Mail.Send). Microsoft’s Primary Refresh Token (PRT) ties into this, enabling seamless SSO but amplifying token reuse risks across apps.

Mitigations include monitoring for ms-teams.exe kills or unusual file-access patterns of the kind ProcMon reveals, enforcing app-bound encryption, and preferring web-based Teams to avoid local token storage.

Rotate tokens via Entra ID policies and audit API logs for anomalies. As Teams threats evolve, DPAPI-aware EDR rules are essential.
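The monitoring suggestion above (watch for ms-teams.exe kills and for unexpected access to the token store) can be expressed as a simple correlation rule. The Python below is an added example, not the article’s or El Fikhi’s code: it reads constructed, Sysmon-like event lines (timestamp, event kind, process image, target path), flags any read of the Cookies database or Local State file under the EBWebView profile by a process other than Teams’ own WebView2, and raises the severity when that read follows a termination of ms-teams.exe within a short window. The event format, the 120-second window, the file locations and the sample lines are assumptions; the allowed-reader list would need tuning for real endpoints.

```python
"""Correlation rule for the theft sequence described in the article:
ms-teams.exe is terminated to release its exclusive lock, then a process
other than Teams' own WebView2 reads the Cookies DB or the Local State key file.
Event lines are a constructed, Sysmon-like format, not real telemetry."""
from dataclasses import dataclass
from datetime import datetime, timedelta

ALLOWED_READERS = {"msedgewebview2.exe", "ms-teams.exe"}  # processes expected to touch the store
PROTECTED_FILES = ("\\cookies", "\\local state")            # matched case-insensitively
KILL_WINDOW = timedelta(seconds=120)                        # assumed correlation window


@dataclass
class Event:
    ts: datetime
    kind: str     # "PROCESS_TERMINATE" or "FILE_READ" in the constructed format
    image: str    # process image name, lower-cased
    target: str   # file path for FILE_READ, empty otherwise


def parse_line(line: str) -> Event:
    """Parse 'timestamp|kind|image|target' (constructed format)."""
    ts, kind, image, target = line.rstrip("\n").split("|", 3)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, image.lower(), target)


def is_teams_token_store(path: str) -> bool:
    """True for the Cookies DB or Local State file under the Teams EBWebView profile."""
    p = path.lower()
    return "\\ebwebview\\" in p and p.endswith(PROTECTED_FILES)


def correlate(lines) -> list:
    """Return alerts: 'high' when a foreign read follows a Teams kill inside
    KILL_WINDOW, 'medium' for any other non-Teams read of the token store."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e.ts)
    last_kill = None
    alerts = []
    for ev in events:
        if ev.kind == "PROCESS_TERMINATE" and ev.image == "ms-teams.exe":
            last_kill = ev.ts
            continue
        if ev.kind != "FILE_READ" or not is_teams_token_store(ev.target):
            continue
        if ev.image in ALLOWED_READERS:
            continue  # Teams itself legitimately reads and writes these files
        recent_kill = last_kill is not None and ev.ts - last_kill <= KILL_WINDOW
        alerts.append({
            "severity": "high" if recent_kill else "medium",
            "rule": "teams-kill-then-token-store-read" if recent_kill else "foreign-token-store-read",
            "image": ev.image,
            "file": ev.target,
            "ts": ev.ts.isoformat(),
        })
    return alerts


# Constructed sample telemetry for one user profile (paths assumed, not from the article).
EBWEBVIEW = (r"C:\Users\alice\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe"
             r"\LocalCache\Microsoft\MSTeams\EBWebView")
SAMPLE_LINES = [
    f"2025-10-23T10:00:00Z|FILE_READ|msedgewebview2.exe|{EBWEBVIEW}\\Default\\Network\\Cookies",
    f"2025-10-23T10:01:10Z|PROCESS_TERMINATE|ms-teams.exe|",
    f"2025-10-23T10:01:14Z|FILE_READ|dumper.exe|{EBWEBVIEW}\\Local State",
    f"2025-10-23T10:01:15Z|FILE_READ|dumper.exe|{EBWEBVIEW}\\Default\\Network\\Cookies",
    f"2025-10-23T10:45:00Z|FILE_READ|backupagent.exe|{EBWEBVIEW}\\Default\\Network\\Cookies",
]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LINES):
        print(alert)
```

On real endpoints the same logic maps onto Sysmon process-termination and file-access events or an EDR's equivalent; the medium-severity path exists so that backup or indexing agents surface once and can be allow-listed deliberately rather than silently ignored.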


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.