New BOF Tool Bypasses Microsoft Teams Cookie Encryption to Steal User Chats

Researchers at Tier Zero Security have released a Beacon Object File (BOF) tool that abuses a weakness in how Microsoft Teams protects its cookies, letting an attacker who already runs code as the logged-in user steal chat messages and other sensitive communications.

The weakness lies in how Microsoft Teams protects its cookie encryption key compared with current Chromium-based browsers.

Chrome and Edge now wrap that key with App-Bound Encryption: the wrap and unwrap go through the IElevator COM service, which runs as SYSTEM and checks the calling binary before handing the key back. Microsoft Teams still wraps the key only with the logged-in user's Data Protection API (DPAPI) master key.

Because user-scope DPAPI is available to any code running as that user, the cookies can be decrypted without administrator rights or any privilege escalation.

Microsoft Teams renders its web content in msedgewebview2.exe, the Chromium-based WebView2 runtime, which runs as a child process of ms-teams.exe.

After sign-in, Teams stores its cookies in a Chromium-style SQLite database, just as a browser would.

The AES key that encrypts the cookie values is itself stored wrapped with the user's DPAPI master key, so any code running with that user's privileges can unwrap it and decrypt the cookies; no elevation is needed.

How the Attack Works

The newly released teams-cookies-bof tool is a modified version of the existing Cookie-Monster-BOF, adapted to target Microsoft Teams.

The BOF is run inside the ms-teams.exe process, where it searches the WebView2 child processes for the one holding an open handle to the Cookies file.

BOF takes no arguments and can be run within any C2 that supports BOF

The tool duplicates that handle into its own process, reads the file content and downloads it, then decrypts the cookie encryption key with the current user's DPAPI master key.

Earlier Teams cookie theft attempts were limited because the Cookies file stays locked while the Teams application is running.

The decryption logic is 100% the same as in Cookie-Monster-BOF and remains unchanged

The BOF sidesteps that lock by running inside the process that already holds the handle: code is placed in ms-teams.exe through a technique such as DLL or COM hijacking, the child's handle is duplicated, and the file is read without killing the Teams process.

Once the cookies are decrypted, the attacker holds the authentication tokens they carry, which work against the Teams, Skype and Microsoft Graph APIs.

With those tokens, a threat actor can read existing Teams messages, send new messages as the victim, and potentially reach other Microsoft 365 resources within the user's scope.

The stolen tokens can be fed into post-exploitation tooling such as GraphSpy to pivot further into the Microsoft 365 tenant.

The decryption code is identical to the original Cookie-Monster-BOF, and the BOF runs in any Command and Control (C2) framework that can execute BOF files, which makes the technique easy for both red team operators and threat actors to adopt.

Organizations using Microsoft Teams should have endpoint detection and response tooling that can flag the behaviours this technique relies on: unexpected DLLs or COM servers loaded into ms-teams.exe, cross-process handle duplication aimed at msedgewebview2.exe, and processes other than the WebView2 runtime reading the Teams Cookies database. Because the stolen cookies carry bearer tokens, a suspected compromise should also trigger revocation of the user's sessions, not just a password reset.

