New Tool Exploits Microsoft Teams Cookie Encryption, Grants Access to User Chats, Raises Endpoint Security Concerns

New BOF Tool Exploits Microsoft Teams’ Cookie Encryption, Granting Attackers Access to User Chats

A newly developed Beacon Object File (BOF) tool has emerged, capable of extracting authentication cookies from Microsoft Teams without disrupting the application. This advancement builds upon recent discoveries revealing that Teams stores sensitive access tokens in a manner that could allow attackers to impersonate users and access chats, emails, and documents. The tool, released by Tier Zero Security, adapts existing browser exploitation techniques to circumvent Teams’ file-locking mechanisms, raising fresh concerns about endpoint security in enterprise environments.

Understanding the Vulnerability

Microsoft Teams integrates a browser window using the `msedgewebview2.exe` process, a Chromium-based component that manages login via Microsoft’s online services. During authentication, this process writes cookies to a SQLite database, similar to traditional web browsers. These cookies contain access tokens that grant entry to Teams conversations, Skype features, and even the Microsoft Graph API for broader Office 365 interactions.

Modern Chromium browsers have enhanced their defenses by protecting encryption keys through a COM-based IElevator service that runs with SYSTEM privileges, verifying the caller’s legitimacy by checking the executable’s secure installation path. This setup requires either execution within the browser process or elevated administrator access to decrypt cookie values. In contrast, Teams relies on the simpler Data Protection API (DPAPI) tied to the current user’s master key, making its cookies comparatively easier to target once the encryption key is obtained.

Overcoming File Locks with Process Injection

A significant challenge in exploiting this vulnerability is Teams’ runtime behavior: the application locks its Cookies database file while running, even in the background, preventing direct reads or copies. Terminating the `ms-teams.exe` process to access the file would alert users and trigger security monitoring.

To address this, researchers drew inspiration from the Cookie-Monster-BOF, an open-source tool that extracts cookies from live browser processes by duplicating file handles and invoking the IElevator service. The new Teams-Cookies-BOF repurposes this logic for the messaging app. Instead of terminating Teams, it runs directly within the `ms-teams.exe` process, potentially via DLL or COM hijacking, to identify child webview processes holding open handles to the Cookies file. It duplicates these handles, reads the file contents on the fly, and decrypts the values using the user’s DPAPI master key. This approach ensures stealth, as the tool mimics legitimate process activity without file system disruptions.

Notably, the BOF’s flexibility extends beyond Teams injection. It can execute in any process sharing the same user privileges, querying webview children across the system to download relevant cookies. While this broadens its applicability, it also introduces detectable indicators, such as unusual handle operations on unrelated processes.

Implications for Red Teamers and Defenders

The decryption mechanism mirrors Cookie-Monster-BOF exactly, employing AES-256-GCM after extracting the nonce and encrypted payload from the v10-tagged values in the database. Once obtained, the tokens enable API calls to fetch conversation histories, read messages, or send phishing content on behalf of victims, escalating risks in lateral movement or social engineering campaigns.

Tier Zero Security has made the BOF publicly available, providing red teamers with a potent tool to test organizational defenses. However, this also means that malicious actors could exploit the tool for nefarious purposes. Organizations must be vigilant in monitoring for unusual process injections and handle duplications, as these could indicate an attempt to exploit this vulnerability.

Recommendations for Mitigation

To mitigate the risks associated with this vulnerability, organizations should consider the following steps:

1. Monitor for Unusual Process Behavior: Implement monitoring solutions that can detect unusual process injections and handle duplications, which may indicate an attempt to exploit this vulnerability.

2. Enhance Endpoint Security: Utilize endpoint detection and response (EDR) solutions to identify and respond to suspicious activities related to process injections and unauthorized access attempts.

3. Regularly Update Software: Ensure that all software, including Microsoft Teams, is regularly updated to incorporate the latest security patches and fixes.

4. Educate Users: Provide training to users about the risks of social engineering attacks and the importance of reporting suspicious activities.

5. Implement Least Privilege Access: Restrict user permissions to the minimum necessary to perform their job functions, reducing the potential impact of compromised accounts.
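The indicator named above (a process other than Teams itself opening the `msedgewebview2.exe` children with the right needed to duplicate their handles) can be turned into a concrete rule for step 1. The following Python is an added example written for this article, not code from Tier Zero Security, the BOF, or Microsoft; it scans simplified Sysmon-style ProcessAccess (Event ID 10) records and flags openers of the WebView2 process that request `PROCESS_DUP_HANDLE` and are not on an assumed baseline of expected parents. The log format, the file paths and the baseline allowlist are constructed for the example and would need to be adapted to real telemetry.

```python
"""Flag cross-process handle duplication against Teams' WebView2 children.

Added example (not from the article or Tier Zero Security). It scans simplified
Sysmon-style ProcessAccess (Event ID 10) records for the indicator the article
names: a process other than Teams itself opening msedgewebview2.exe with the
access right DuplicateHandle needs. All sample records are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Win32 process access rights (documented values). PROCESS_DUP_HANDLE is what a
# caller must hold on the target process to duplicate handles out of it.
PROCESS_DUP_HANDLE = 0x0040
PROCESS_VM_READ = 0x0010

WEBVIEW_IMAGE = "msedgewebview2.exe"

# Baseline of images that legitimately open the WebView2 children with broad
# rights. This allowlist is an assumption for the example; tune it per estate.
EXPECTED_SOURCES = {"ms-teams.exe", "msedgewebview2.exe", "csrss.exe", "lsass.exe"}


@dataclass(frozen=True)
class ProcessAccessEvent:
    source_image: str    # full path of the opening process
    target_image: str    # full path of the process being opened
    granted_access: int  # access mask actually granted


def image_name(path: str) -> str:
    """Return the lowercase file name of a Windows- or POSIX-style path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> ProcessAccessEvent:
    """Parse one 'Key=Value|Key=Value' record (constructed log format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcessAccessEvent(
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
    )


def suspicious_reason(ev: ProcessAccessEvent,
                      expected_sources=EXPECTED_SOURCES) -> Optional[str]:
    """Return why the event is suspicious, or None if it looks benign."""
    if image_name(ev.target_image) != WEBVIEW_IMAGE:
        return None  # not a WebView2 child: out of scope for this rule
    if not ev.granted_access & PROCESS_DUP_HANDLE:
        return None  # handles cannot be duplicated without this right
    if image_name(ev.source_image) in expected_sources:
        return None  # parent or system process on the assumed baseline
    extra = " (+VM_READ)" if ev.granted_access & PROCESS_VM_READ else ""
    return (f"{image_name(ev.source_image)} opened {WEBVIEW_IMAGE} with "
            f"PROCESS_DUP_HANDLE{extra}: 0x{ev.granted_access:04x}")


def scan(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Run the rule over raw records; return (1-based line number, reason)."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        reason = suspicious_reason(parse_event(line))
        if reason:
            hits.append((n, reason))
    return hits


# Constructed sample telemetry; paths are illustrative, not real install paths.
SAMPLE_EVENTS = [
    r"SourceImage=C:\Program Files\WindowsApps\MSTeams_x64\ms-teams.exe|TargetImage=C:\Program Files\WindowsApps\MSTeams_x64\msedgewebview2.exe|GrantedAccess=0x1478",
    r"SourceImage=C:\Windows\System32\notepad.exe|TargetImage=C:\Program Files\WindowsApps\MSTeams_x64\msedgewebview2.exe|GrantedAccess=0x0040",
    r"SourceImage=C:\Program Files\EdrVendor\agent.exe|TargetImage=C:\Program Files\WindowsApps\MSTeams_x64\msedgewebview2.exe|GrantedAccess=0x1000",
    r"SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|TargetImage=C:\Program Files\WindowsApps\MSTeams_x64\msedgewebview2.exe|GrantedAccess=0x1fffff",
    r"SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\explorer.exe|GrantedAccess=0x0040",
]

if __name__ == "__main__":
    for line_no, reason in scan(SAMPLE_EVENTS):
        print(f"line {line_no}: {reason}")
```

Run as-is, the rule flags the second and fourth records (an unrelated editor and a PowerShell host requesting duplication rights on the WebView2 process) and ignores the Teams parent, an agent that only queries limited information, and an access to a non-WebView2 target. The rule deliberately does not fire when the opener is `ms-teams.exe`, which is exactly the case the article describes when the BOF is injected into Teams itself; covering that case needs the injection telemetry the article also points to (unexpected DLL loads or remote threads in `ms-teams.exe`), so this check should be paired with those signals rather than used alone.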

By proactively implementing these measures, organizations can strengthen their defenses against potential exploits targeting Microsoft Teams and similar applications.