New BOF Tool Exploits Microsoft Teams’ Cookie Encryption allowing Attackers to Access User Chats

A specialized Beacon Object File (BOF) has been released that extracts authentication cookies from Microsoft Teams without disrupting the application.

This development builds on recent findings that expose how Teams stores sensitive access tokens, potentially allowing attackers to impersonate users and access chats, emails, and documents.

The tool, released by Tier Zero Security, adapts an existing browser exploitation technique to bypass Teams’ file-locking mechanisms, raising fresh concerns about endpoint security in enterprise environments.

The innovation stems from a detailed analysis of Teams’ authentication process. As outlined in a recent research post by RandoriSec, Microsoft Teams embeds a browser window using the msedgewebview2.exe process, a Chromium-based component that handles login via Microsoft’s online services.

During authentication, this process writes cookies to a SQLite database in a manner similar to traditional web browsers.

These cookies contain access tokens that grant entry to Teams conversations, Skype features, and even the Microsoft Graph API for broader Office 365 interactions.

However, modern Chromium browsers have bolstered their defenses. They now protect encryption keys through a COM-based IElevator service that runs with SYSTEM privileges, verifying the caller’s legitimacy by checking the executable’s secure installation path.

This setup demands either execution within the browser process or elevated administrator access to decrypt cookie values.

In contrast, Teams relies on the simpler Data Protection API (DPAPI) tied to the current user’s master key, making its cookies comparatively easier to target once the encryption key is obtained.

Overcoming File Locks With Process Injection

A key hurdle in the original research was Teams’ runtime behavior: the application locks its Cookies database file while running, even in the background, preventing direct reads or copies.

Killing the ms-teams.exe process, as suggested in the post, would alert users and trigger security monitoring.

To address this, the researchers drew inspiration from the Cookie-Monster-BOF, an open-source tool that extracts cookies from live browser processes by duplicating file handles and invoking the IElevator service.

The new Teams-Cookies-BOF repurposes this logic for the messaging app. Instead of terminating Teams, it runs directly within the ms-teams.exe process, potentially via DLL or COM hijacking, to identify child webview processes holding open handles to the Cookies file.

It duplicates these handles, reads the file contents on the fly, and decrypts the values using the user’s DPAPI master key. This approach ensures stealth, as the tool mimics legitimate process activity without file system disruptions.

Notably, the BOF’s flexibility extends beyond Teams injection. It can execute in any process sharing the same user privileges, querying webview children across the system to download relevant cookies.

While this broadens its applicability, it also introduces detectable indicators, such as unusual handle operations on unrelated processes.

For demonstration, the researchers shared a Gist script that achieves similar results from a neutral context, though it risks pulling non-Teams cookies as collateral.

Implications For Red Teamers And Defenders

The decryption mechanism mirrors Cookie-Monster-BOF exactly, employing AES-256-GCM after extracting the nonce and encrypted payload from the “v10”-tagged values in the database.

Once obtained, the tokens enable API calls to fetch conversation histories, read messages, or send phishing content on behalf of victims, escalating risks in lateral movement or social engineering campaigns.

Tier Zero Security has made the BOF publicly available on GitHub, compatible with any C2 framework supporting Beacon payloads, and it requires no arguments for basic use.

This release underscores a persistent gap in Teams’ security model compared to hardened browsers. Organizations should prioritize behavioral monitoring for process injection, enforce least-privilege execution, and consider endpoint detection rules targeting DPAPI accesses or webview handle manipulations.
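One way to act on the handle-manipulation indicator mentioned above, as an added detection example that is not part of the article or of Tier Zero Security's tooling: it flags any process other than the Teams host that obtains PROCESS_DUP_HANDLE on a Teams webview child, the access right a process needs before it can duplicate that child's open handle to the Cookies database. It assumes Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess) telemetry flattened to key=value lines; the process tree, events and file paths are constructed placeholders, and the rule deliberately does not cover the variant that runs injected inside ms-teams.exe itself.

```python
import re
from pathlib import PureWindowsPath

PROCESS_DUP_HANDLE = 0x0040      # access right needed to call DuplicateHandle on the target
WEBVIEW_IMAGE = "msedgewebview2.exe"
TEAMS_IMAGE = "ms-teams.exe"

# Constructed process tree built from Sysmon Event ID 1: pid -> (image, parent image).
PROCESS_TREE = {
    4120: ("ms-teams.exe", "explorer.exe"),
    5204: ("msedgewebview2.exe", "ms-teams.exe"),  # Teams webview child holding the Cookies handle
    6188: ("msedgewebview2.exe", "otherapp.exe"),  # unrelated WebView2 host, out of scope for this rule
    7001: ("updater.exe", "explorer.exe"),
}

# Constructed Sysmon Event ID 10 records flattened to key=value; paths are placeholders, not real installs.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Teams\\ms-teams.exe TargetProcessId=5204 GrantedAccess=0x1440",
    "EventID=10 SourceImage=C:\\Tools\\procexp.exe TargetProcessId=5204 GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Users\\u\\updater.exe TargetProcessId=5204 GrantedAccess=0x1440",
    "EventID=10 SourceImage=C:\\Users\\u\\updater.exe TargetProcessId=6188 GrantedAccess=0x1440",
]

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one flattened record into a dict; GrantedAccess (hex) and TargetProcessId become ints."""
    ev = dict(FIELD.findall(line))
    ev["GrantedAccess"] = int(ev["GrantedAccess"], 16)
    ev["TargetProcessId"] = int(ev["TargetProcessId"])
    return ev

def is_teams_webview(pid, tree):
    """True when pid is a WebView2 process whose parent is the Teams host."""
    image, parent = tree.get(pid, ("", ""))
    return image.lower() == WEBVIEW_IMAGE and parent.lower() == TEAMS_IMAGE

def suspicious_accesses(lines, tree):
    """Return (source image, target pid) for every process other than ms-teams.exe
    that is granted PROCESS_DUP_HANDLE on a Teams webview child."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        source = PureWindowsPath(ev["SourceImage"]).name.lower()
        if (is_teams_webview(ev["TargetProcessId"], tree)
                and ev["GrantedAccess"] & PROCESS_DUP_HANDLE
                and source != TEAMS_IMAGE):
            hits.append((source, ev["TargetProcessId"]))
    return hits

if __name__ == "__main__":
    for source, pid in suspicious_accesses(SAMPLE_EVENTS, PROCESS_TREE):
        print(f"ALERT: {source} obtained PROCESS_DUP_HANDLE on Teams webview pid {pid}")
```

Only the third sample record alerts: a query-only access (0x1000) and an access to a non-Teams WebView2 process are ignored, which keeps the rule narrow enough to run on noisy hosts.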

As hybrid work relies heavily on Teams, such vulnerabilities highlight the need for ongoing scrutiny of embedded browser components in productivity apps.
