Vulnerability Analysis
A new post-exploitation technique demonstrates how threat actors with local access to a victim’s Windows machine can systematically extract and decrypt authentication tokens for Microsoft Teams. This attack bypasses the security hardening Microsoft introduced after Vectra AI’s 2022 disclosure of plaintext token storage, granting attackers powerful impersonation capabilities.
The attack targets encrypted tokens stored in a Chromium-like Cookies database used by Teams’ embedded msedgewebview2.exe browser component (%AppData%\Local\Microsoft\Teams\Cookies). While Microsoft previously moved from storing these tokens in plaintext to an encrypted format (AES-256-GCM), this new method proves the encryption is reversible with user-level access.
The core of the attack relies on the fact that the master encryption key, stored in the Local State JSON file (%AppData%\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Local State), is itself encrypted using the Windows Data Protection API (DPAPI). An attacker who has compromised a user’s account (e.g., via malware) can run in that user’s context to call the CryptUnprotectData API, decrypt the master key, and then use it to decrypt the authentication tokens from the Cookies database.
Key Cybersecurity Insights
This technique represents a significant risk for enterprise environments, allowing attackers to escalate a standard endpoint compromise into a full M365 account takeover.
- Post-Exploitation Goldmine (MFA Bypass): This is not an initial access vector but a post-exploitation technique. After gaining local access to a device (e.g., via a phishing email delivering malware), the attacker can steal these tokens. Because a valid token is a “bearer” token, it functions as a “session cookie” and inherently bypasses Multi-Factor Authentication (MFA) and other login-time controls for that session.
- The DPAPI Attack Chain: The attack is systematic and can be automated:
- Gain Access: Attacker achieves local, user-level execution on the victim’s machine.
- Find Key: Attacker locates the Local State file.
- Decrypt Key: The os_crypt.encrypted_key value (a DPAPI-protected blob) is extracted and decrypted using the Windows CryptUnprotectData API within the user’s context.
- Find Tokens: Attacker kills the ms-teams.exe process to unlock the Cookies database.
- Decrypt Tokens: The attacker reads the encrypted_value (prefixed with v10), extracts the 12-byte nonce, and uses the decrypted master key to perform AES-256-GCM decryption, revealing the plaintext token.
 
- Broad Ecosystem Risk (Beyond Teams): A stolen token is often not limited to just Teams functionality. As noted, tools like GraphSpy can ingest these tokens to interact with the Microsoft Graph API. Depending on the token’s permissions (e.g., Chat.ReadWrite, Mail.Send, User.Read, Files.ReadWrite.All), the attacker can potentially send emails on the victim’s behalf, read private chats, and exfiltrate sensitive files from SharePoint and OneDrive, enabling deeper lateral movement, persistence, and social engineering.
- Automation & Tooling: Proof-of-concept (PoC) scripts in Rust (teams_dump) and Python adaptations are available, demonstrating that this entire process can be automated. This lowers the barrier for attackers to adopt this technique into their post-exploitation toolkits (e.g., integrated into infostealers or executed via C2 frameworks).
- Ineffectiveness of Simple Encryption: This technique bypasses Microsoft’s previous fix (encrypting the plaintext cookies identified in 2022). It highlights that simply encrypting data on disk is insufficient if the keys (or the key-encrypting-key protected by DPAPI) are also accessible locally within the same user context.
Mitigation Strategies
Defending against this token theft requires a layered, defense-in-depth approach, assuming a user’s endpoint may eventually be compromised.
- Endpoint Detection & Response (EDR): This is the primary defense layer for detecting post-exploitation activity. Configure EDR and SIEM solutions to generate high-priority alerts for:
- Suspicious Process Termination: Alert on unexpected or programmatic termination of ms-teams.exe or msedgewebview2.exe by non-standard processes.
- DPAPI-Aware Monitoring: Flag anomalous processes calling the CryptUnprotectData API, especially if those processes also access Teams-related file paths (Local State, Cookies database). Correlate this with known malicious tools (e.g., Mimikatz modules).
- Suspicious File Access: Monitor for non-Teams processes (e.g., powershell.exe, cmd.exe, downloaded binaries) reading the Local State or Cookies files from Teams-related AppData directories.
 
- Identity & Access Management (IAM): Focus on limiting the lifespan and usability of stolen tokens.
- Token Lifecycle Management: Utilize Entra ID (formerly Azure AD) Conditional Access policies to enforce shorter session token lifetimes for desktop applications, reducing the window of opportunity for a stolen token to be abused.
- Strict Conditional Access Policies: Implement Conditional Access policies that enforce location-based access (block logins from unexpected countries/IPs) or require compliant/hybrid-joined devices. This can render a token stolen from one device unusable on another.
- API Log Auditing: Actively monitor Microsoft Graph API logs and Entra ID sign-in logs for anomalous activity, such as a token being used from an IP address or region inconsistent with the user’s known locations or exhibiting unusual API call patterns.
 
- User-Level & Architectural Mitigation:
- Use Web-Based Teams: For high-risk users (admins, executives) or those handling highly sensitive data, consider recommending or enforcing the use of the web-based Teams client (teams.microsoft.com). This stores tokens within the browser’s more sandboxed environment, which typically employs different protection mechanisms less reliant on easily accessible DPAPI keys.
 
- Prevent Initial Compromise (Foundation):
- Standard Endpoint Hygiene: Maintain robust endpoint security basics: timely OS and application patching, strong anti-malware/EDR, user training against phishing, and principle of least privilege for user accounts to prevent the initial compromise that enables this technique.
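As an added illustration of the three EDR rules above (process termination, foreign reads of the Teams stores, and DPAPI correlation), this small Python detector is not code from the original analysis or from any vendor product. It runs over constructed, simplified telemetry; the event field names, the Teams process allowlist and the sample paths are assumptions.

```python
from collections import defaultdict

TEAMS_IMAGES = {"ms-teams.exe", "msedgewebview2.exe"}   # assumed allowlist
# Suffixes of the two stores named in the article: the DPAPI-protected
# master key ("Local State") and the encrypted token store ("Cookies").
TEAMS_STORES = ("\\ebwebview\\local state", "\\teams\\cookies")

def is_teams_store(path):
    p = path.lower()
    return any(p.endswith(s) for s in TEAMS_STORES)

def detect(events):
    """Return sorted (rule, pid, image) tuples, one per rule and process.

    Rules mirror the EDR bullets: (1) a non-Teams process ends a Teams
    process, (2) a non-Teams process reads a Teams store, (3) a process
    that read a store also called CryptUnprotectData (the correlation).
    """
    hits = {}               # (rule, pid) -> image, dedupes repeat events
    image = {}              # pid -> image name, for the correlation step
    store_readers = set()   # pids that read Local State / Cookies
    dpapi_callers = set()   # pids that called CryptUnprotectData
    for e in events:
        pid, img, act, tgt = e["pid"], e["image"].lower(), e["action"], e["target"]
        image[pid] = img
        foreign = img not in TEAMS_IMAGES
        if act == "process_terminate" and foreign and tgt.lower() in TEAMS_IMAGES:
            hits[("teams_process_killed_by_foreign_process", pid)] = img
        elif act == "file_read" and foreign and is_teams_store(tgt):
            store_readers.add(pid)
            hits[("foreign_read_of_teams_store", pid)] = img
        elif act == "api_call" and tgt == "CryptUnprotectData":
            dpapi_callers.add(pid)  # DPAPI use alone is normal; only correlate
    for pid in store_readers & dpapi_callers:
        hits[("dpapi_call_plus_teams_store_read", pid)] = image[pid]
    return sorted((r, p, i) for (r, p), i in hits.items())

# Constructed sample paths and telemetry: benign Teams activity, a benign
# DPAPI caller, and one process that walks the whole chain from the article.
LOCAL_STATE = r"C:\Users\u\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Local State"
COOKIES = r"C:\Users\u\AppData\Local\Microsoft\Teams\Cookies"
SAMPLE_EVENTS = [
    {"pid": 4100, "image": "ms-teams.exe",   "action": "file_read",         "target": COOKIES},
    {"pid": 6001, "image": "svchost.exe",    "action": "api_call",          "target": "CryptUnprotectData"},
    {"pid": 5120, "image": "powershell.exe", "action": "process_terminate", "target": "ms-teams.exe"},
    {"pid": 5120, "image": "powershell.exe", "action": "file_read",         "target": LOCAL_STATE},
    {"pid": 5120, "image": "powershell.exe", "action": "api_call",          "target": "CryptUnprotectData"},
    {"pid": 5120, "image": "powershell.exe", "action": "file_read",         "target": COOKIES},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the correlated rule fires when DPAPI use and store access come from the same process; a lone CryptUnprotectData call, as from the constructed svchost.exe event, produces nothing.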
 