Access Token Theft Lets Hackers Read Teams Chats and Emails

A weakness in how Microsoft Teams stores authentication data on disk gives an attacker who has already gained a foothold on a user's computer a direct route into that user's Microsoft 365 data.

Security researchers have shown that the access tokens Teams keeps on a machine can be lifted from the local installation, giving the attacker the equivalent of an already signed-in session: they can read private conversations, emails, and confidential documents without knowing the user's password and without facing a multi-factor prompt, because the token represents a sign-in that already completed.

The attack is particularly concerning because once an attacker has code execution on an employee's computer, even as an ordinary user rather than an administrator, they can extract the authentication tokens that Teams has already written to disk.

These tokens are bearer credentials: whoever presents one is treated as the legitimate user until it expires or is revoked, which lets an attacker impersonate that user across their Microsoft 365 workspace.

How Attackers Steal the Digital Keys

The attack does not break the login itself; it targets how Microsoft Teams protects the authentication data it caches locally.

When you sign into Teams, the application does so through an embedded Chromium-based browser component, msedgewebview2.exe (the WebView2 runtime), which writes the session cookies, including the authentication tokens, to a browser-style cookie database under your user profile's AppData folder.

Here is where the problem lies: the cookie values in that database are encrypted, but the key that encrypts them sits in Teams' local cache right next to the database, protected only by DPAPI, a Windows feature that wraps secrets so that any process running as the same logged-in user can unwrap them. To malware running as that user, the key is effectively in plain text.

Researchers found that an attacker can read that wrapped key from the cache, unwrap it with a single DPAPI call in the victim's user context, and then decrypt every stored cookie with ordinary, documented cryptography; nothing in the encryption itself has to be broken.

The researchers even released an automated tool, written in Rust, that performs the whole extraction end to end.

Once attackers have a stolen access token, they can do far more than just read messages.

They can call the Microsoft Graph API directly, which, within whatever permissions (scopes) the stolen token carries, lets them retrieve Teams conversations, read and send email, browse shared documents on SharePoint, and post messages that appear to come from the legitimate user.
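An access token found on a host is a bearer credential with a fixed audience, scope list and expiry, so the first thing a responder (or an attacker) does is decode it. The following is an added example, not from the article: the token is a JWT decoded without signature verification, which is fine for triage; the sample token is constructed here with alg none and is not a real Microsoft token, and the scope names are standard Microsoft Graph delegated permissions.

```python
"""Summarise what a harvested Entra ID access token actually grants.

Added example, not from the article. The JWT is decoded without checking
its signature (triage, not validation); the sample token is constructed.
"""
import base64
import json
import time

# Either value identifies Microsoft Graph as the token's audience.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
MAIL_READ = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic"}
CHAT_READ = {"Chat.Read", "Chat.ReadWrite", "ChatMessage.Read"}
FILE_READ = {"Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All",
             "Sites.Read.All", "Sites.ReadWrite.All"}


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token: str):
    """Return (header, claims) of a compact JWT. Signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def summarise(token: str, now=None) -> dict:
    """Blast-radius summary: who, which API, which scopes, how long it lives."""
    _, claims = decode_jwt(token)
    now = time.time() if now is None else now
    scopes = set(claims.get("scp", "").split())
    exp = int(claims.get("exp", 0))
    return {
        "user": claims.get("upn") or claims.get("preferred_username"),
        "tenant": claims.get("tid"),
        "is_graph_token": claims.get("aud") in GRAPH_AUDIENCES,
        "scopes": sorted(scopes),
        "can_read_mail": bool(scopes & MAIL_READ),
        "can_send_mail": "Mail.Send" in scopes,
        "can_read_chats": bool(scopes & CHAT_READ),
        "can_read_files": bool(scopes & FILE_READ),
        "seconds_left": exp - int(now),
        "usable": exp > now,
    }


def make_unsigned_token(claims: dict) -> str:
    """Build an unsigned JWT (alg none, empty signature) to exercise the parser."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


# Constructed sample: a one-hour Graph token for a fictional user.
SAMPLE_ISSUED = 1_700_000_000
SAMPLE_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "upn": "alice@example.com",
    "scp": "Chat.Read Mail.Read Mail.Send Files.Read.All User.Read",
    "iat": SAMPLE_ISSUED,
    "exp": SAMPLE_ISSUED + 3600,
})

if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_TOKEN, now=SAMPLE_ISSUED + 600), indent=2))
```

The summary shows the cap on the damage: a Graph token carrying Mail.Read, Mail.Send and Chat.Read does exactly what the paragraph above describes, and it stops working at exp, typically about an hour after issue. What makes the theft worse than a one-hour window is that the same cookie store typically also holds the longer-lived session material used to obtain fresh tokens, so revoking the user's sessions, not just waiting, is the right response.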

This creates serious consequences for organizations.

Attackers can use compromised accounts to launch phishing campaigns against colleagues, establish persistence within networks, and conduct convincing social engineering attacks that appear to come from trusted internal employees.

Because the requests carry a valid token for a real user, they trip no failed-password or MFA alerts, and security teams often struggle to spot them; the usual giveaway is the token being redeemed or used from an unfamiliar IP address or device, which is visible in the tenant's sign-in and activity logs rather than on the endpoint.

Companies need to act on this now. Deploy endpoint detection and response tooling that alerts when anything other than the Teams client itself reads the Teams cookie database or the cache file holding its encryption key.

Enforce strict access controls, watch for Teams and Graph API activity that does not fit the user (new locations, devices or hours), and educate employees about device security. If a device is confirmed compromised, revoke the user's sign-in sessions in Entra ID in addition to resetting the password; tokens already issued stay usable until they expire or are revoked.
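The file-access part of that advice can be written down. The following is an added example, not from the article or any vendor product: it takes EDR-style file-access events (fields Image, TargetFilename, User, Computer and EventType, all assumed) and flags any process other than the Teams WebView2 runtime, matched on its full install path rather than just its file name, that touches the cookie database or the Local State file holding the wrapped key. The Teams profile and install paths are assumptions about the new Teams client; the sample events are constructed.

```python
"""Flag processes other than the Teams WebView2 runtime opening the files
that hold the Teams cookie store and its wrapped encryption key.

Added example, not from the article. Event records mimic EDR/Sysmon-style
file-access fields; the paths and the sample events are assumptions.
"""
import re
from dataclasses import dataclass

# Files worth alerting on inside the Teams WebView2 profile (assumed Chromium layout).
SENSITIVE = re.compile(
    r"\\MSTeams_8wekyb3d8bbwe\\LocalCache\\Microsoft\\MSTeams\\EBWebView\\"
    r"(Local State|Default\\Network\\Cookies(-journal)?)$",
    re.IGNORECASE,
)

# Images expected to touch them, matched on full path, not just file name,
# so a copy of msedgewebview2.exe dropped in %TEMP% does not pass (assumed paths).
EXPECTED_PREFIXES = {
    "msedgewebview2.exe": "c:\\program files (x86)\\microsoft\\edgewebview\\application\\",
    "ms-teams.exe": "c:\\program files\\windowsapps\\msteams_",
}


@dataclass
class Finding:
    computer: str
    user: str
    image: str
    target: str
    reason: str


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def image_name(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def is_expected(image_path: str) -> bool:
    """True only for the known binaries running from their install location."""
    p = _norm(image_path)
    prefix = EXPECTED_PREFIXES.get(image_name(p))
    return prefix is not None and p.startswith(prefix)


def analyse(events):
    """Return one Finding per event where an unexpected image touched cookie material."""
    findings = []
    for ev in events:
        target = ev.get("TargetFilename", "")
        if not SENSITIVE.search(_norm(target)):
            continue
        image = ev.get("Image", "")
        if is_expected(image):
            continue
        name, action = image_name(image), ev.get("EventType", "access")
        if name in EXPECTED_PREFIXES:
            reason = f"{name} running from an unexpected location did {action} on Teams cookie material"
        else:
            reason = f"{name} did {action} on Teams cookie material"
        findings.append(Finding(ev.get("Computer", "?"), ev.get("User", "?"), image, target, reason))
    return findings


# Constructed sample telemetry: one legitimate read, two suspicious ones, one irrelevant.
PROFILE = ("C:\\Users\\alice\\AppData\\Local\\Packages\\MSTeams_8wekyb3d8bbwe"
           "\\LocalCache\\Microsoft\\MSTeams\\EBWebView")
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice", "EventType": "FileRead",
     "Image": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\128.0.2739.42\\msedgewebview2.exe",
     "TargetFilename": PROFILE + "\\Default\\Network\\Cookies"},
    {"Computer": "WS01", "User": "CORP\\alice", "EventType": "FileRead",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": PROFILE + "\\Local State"},
    {"Computer": "WS01", "User": "CORP\\alice", "EventType": "FileRead",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\msedgewebview2.exe",
     "TargetFilename": PROFILE + "\\Default\\Network\\Cookies"},
    {"Computer": "WS01", "User": "CORP\\alice", "EventType": "FileRead",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.computer} {f.user}: {f.reason} -> {f.target}")
```

Sysmon does not record file reads by default, so feed this from an EDR that does, or enable object-access auditing with a SACL on those two files and parse the resulting 4663 events. Matching on the full path is what catches the third sample event, a copy of msedgewebview2.exe running from the user's Temp folder, which a name-only allowlist would wave through.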

For individual users, keep Windows and Teams fully updated, run current endpoint protection, and be careful about what you install: any program you run gets the same access to these cached tokens that you have.

While this vulnerability is concerning, organizations that implement proper security layers can significantly reduce their risk.

Microsoft Teams users should take this discovery seriously, but the good news is that the attack requires prior access to the computer, which gives security teams a window to detect and stop the intruder before the tokens are extracted.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
