EXECUTIVE SUMMARY
A new BOF (Beacon Object File) tool exploits weak cookie encryption in Microsoft Teams to steal user tokens and chats. It abuses MS Teams’ reliance on the user’s DPAPI key instead of stronger browser protections. This enables stealthy account impersonation without admin access.
- Active Region: Global
- Affected Sector: General
- Affected Product: Microsoft Teams (Weak Cookie Encryption in Microsoft Teams)
- Severity: High
- Published Date: November 3, 2025
TECHNICAL DETAILS
The attack, commonly referenced as teams-cookies-bof, is a stealthy in-process BOF that duplicates Teams/WebView2 cookie handles, decrypts DPAPI-protected cookies, and steals tokens to read/send chats and access Microsoft Graph.
- Target: Local token/cookie theft via in-process handle duplication and process injection (BOF/DLL or COM hijack), enabling credential misuse and impersonation.
- Root Cause: Teams protects cookies with the current user’s DPAPI master key (user-level protection) rather than a SYSTEM-level service like modern Chromium browsers,…..
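
For detection, the handle duplication described above can be hunted in process-access telemetry. The following is an added example, not code from the advisory or from the tool: it assumes Sysmon Event ID 10 (ProcessAccess) records are already parsed into dictionaries, and the process image names, allowlist and sample records are assumptions constructed for illustration.

```python
# Added detection sketch (not from the advisory): flag Sysmon Event ID 10
# (ProcessAccess) records where an unexpected process is granted
# PROCESS_DUP_HANDLE on a Teams or WebView2 process.
PROCESS_DUP_HANDLE = 0x0040  # Windows process access right

# Assumptions: process image names and the allowlist; tune per environment.
# Name-only matching is spoofable; production rules should pin path and signer.
TARGET_IMAGES = {"ms-teams.exe", "msedgewebview2.exe"}
ALLOWED_SOURCES = {"ms-teams.exe", "msedgewebview2.exe", "csrss.exe", "msmpeng.exe"}


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_dup_handle(events):
    """Return (time, source, target, access) for each record worth triage."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        try:
            access = int(ev["GrantedAccess"], 16)  # Sysmon logs e.g. "0x1440"
        except (KeyError, ValueError):
            continue  # malformed record: skip rather than crash the pipeline
        src = image_name(ev.get("SourceImage", ""))
        dst = image_name(ev.get("TargetImage", ""))
        if access & PROCESS_DUP_HANDLE and dst in TARGET_IMAGES and src not in ALLOWED_SOURCES:
            hits.append((ev.get("UtcTime"), src, dst, hex(access)))
    return hits


# Constructed sample records; paths and times are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 10, "UtcTime": "2025-11-03 09:00:01", "GrantedAccess": "0x1fffff",
     "SourceImage": r"C:\Apps\Teams\ms-teams.exe", "TargetImage": r"C:\Apps\WV2\msedgewebview2.exe"},
    {"EventID": 10, "UtcTime": "2025-11-03 09:02:14", "GrantedAccess": "0x40",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "TargetImage": r"C:\Apps\WV2\msedgewebview2.exe"},
    {"EventID": 10, "UtcTime": "2025-11-03 09:03:40", "GrantedAccess": "0x1000",
     "SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": r"C:\Apps\Teams\ms-teams.exe"},
    {"EventID": 10, "UtcTime": "2025-11-03 09:05:09", "GrantedAccess": "0x1440",
     "SourceImage": r"C:\Windows\System32\notepad.exe", "TargetImage": r"C:\Apps\WV2\msedgewebview2.exe"},
    {"EventID": 1, "UtcTime": "2025-11-03 09:06:00", "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in suspicious_dup_handle(SAMPLE_EVENTS):
        print(hit)
```

Hits are triage leads rather than verdicts: security and management agents legitimately request this access right, so the allowlist needs a baseline from the environment before the rule is used for alerting.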



