Hackers are exploiting Microsoft Teams access tokens to infiltrate chats, emails, and documents: here’s what your security team needs to know and do now.
As we close out 2025, a newly disclosed vulnerability in Microsoft Teams has raised serious concerns for Australian enterprises relying on Microsoft 365. Security researchers have uncovered a method that allows attackers with local access to extract encrypted authentication tokens from Teams, granting them full impersonation powers across chats, emails, and SharePoint files.
What’s Happening: Token Theft via Teams Desktop App
Attackers who compromise a user’s device can extract access tokens stored by the Teams desktop client. These tokens act as digital keys, allowing threat actors to:
- Read and send Teams messages
- Access Outlook emails and shared documents
- Impersonate users across Microsoft 365 services
The attack leverages how Teams uses a Chromium-based browser engine (msedgewebview2.exe) to handle authentication. During login, encrypted cookies are written to a local database. While these are protected by Windows’ Data Protection API (DPAPI), attackers can extract the encryption key from a configuration file and decrypt the tokens using AES-256-GCM.
Proof-of-Concept: It’s Real and Automated
Researchers have built a proof-of-concept tool in Rust that automates the entire extraction and decryption process. Once attackers have the token, they can interact with the Microsoft Graph API to retrieve messages, send emails, and even load the token into post-exploitation tools like GraphSpy.
Why It’s Dangerous
- Stealthy Impersonation: Malicious activity appears to come from a trusted internal account.
- Bypasses MFA: Tokens allow access without needing passwords or second-factor authentication.
- Lateral Movement: Attackers can pivot across systems and users using compromised tokens.
What You Should Do Now
To defend against this attack vector, security teams should:
- Deploy Endpoint Detection & Response (EDR): Monitor access to Teams config files and DPAPI keys.
- Audit Microsoft Graph API Activity: Look for unusual patterns or bulk data access.
- Enforce Strict Access Controls: Limit token scope and lifetime via Entra ID policies.
- Educate Users: Reinforce safe device practices and phishing awareness.
- Patch & Protect: Ensure Teams clients are up to date and antivirus solutions are active.
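As an added example, not code from the article or its cited sources, the following Python sketches what "audit Microsoft Graph API activity" can look like in practice: it runs two heuristics over constructed Graph activity events, flagging a session whose token is used from more than one client IP in a short window (the replay signature of a stolen token) and a session that pulls chat or mail content in bulk. The field names (`user`, `session`, `ip`, `path`), the endpoint list and the thresholds are assumptions; real Microsoft 365 audit records use different schemas and need mapping first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Request paths that touch chat, mail or file content (substring match; assumed list).
SENSITIVE = ("/chats", "/messages", "/mailFolders", "/sendMail", "/drive")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def detect(events, window=timedelta(minutes=5), bulk_threshold=20):
    """Return (rule, user, session, detail) tuples. Two heuristics per session:
    'token-replay' when one session id appears from more than one client IP
    inside `window`; 'bulk-access' when at least `bulk_threshold` requests to
    content endpoints land inside `window`. Each rule fires once per session."""
    by_session = defaultdict(list)
    for e in events:
        key = (e["user"], e["session"])
        by_session[key].append((datetime.strptime(e["ts"], TS_FMT), e["ip"], e["path"]))
    findings = []
    for (user, session), rows in by_session.items():
        rows.sort()
        start, fired = 0, set()
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:   # slide the window start forward
                start += 1
            win = rows[start:end + 1]
            ips = {ip for _, ip, _ in win}
            if len(ips) > 1 and "token-replay" not in fired:
                fired.add("token-replay")
                findings.append(("token-replay", user, session, f"ips={sorted(ips)}"))
            hits = sum(any(s in p for s in SENSITIVE) for _, _, p in win)
            if hits >= bulk_threshold and "bulk-access" not in fired:
                fired.add("bulk-access")
                findings.append(("bulk-access", user, session, f"{hits} content requests in {window}"))
    return findings

def constructed_events():
    """Constructed sample log (not real Microsoft output): alice reads a chat
    every 12 minutes from one IP; bob's session id shows up from a second IP
    and pulls 30 chat threads in about two minutes."""
    base = datetime(2025, 12, 1, 9, 0, 0)
    def ev(offset, user, session, ip, path):
        return {"ts": (base + offset).strftime(TS_FMT), "user": user,
                "session": session, "ip": ip, "path": path}
    events = [ev(timedelta(minutes=12 * i), "alice@example.com", "sess-a1",
                 "203.0.113.10", "/v1.0/me/chats") for i in range(5)]
    events.append(ev(timedelta(0), "bob@example.com", "sess-b1", "203.0.113.20", "/v1.0/me"))
    events += [ev(timedelta(seconds=30 + 4 * i), "bob@example.com", "sess-b1",
                  "198.51.100.7", f"/v1.0/me/chats/19:thread{i}/messages") for i in range(30)]
    return events
```

Running `detect(constructed_events())` yields one `token-replay` and one `bulk-access` finding for bob and nothing for alice; tune `window` and `bulk_threshold` against your own baseline before alerting on them.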
Microsoft has begun tightening token lifetimes and binding them to device context, but local access remains a critical risk factor.
This vulnerability underscores the importance of endpoint hygiene and proactive monitoring. As attackers shift focus from remote exploits to local token theft, organisations must evolve their defences accordingly.
Need help auditing your Teams environment or setting up API monitoring? Let’s talk.
Sources:
https://www.pcquest.com/security-products/microsoft-teams-token-replay-attack-what-happened-and-fixes-10590106
https://cybersecuritynews.com/microsoft-teams-access-tokens/
https://intruceptlabs.com/2025/10/microsoft-teams-access-token-vulnerability-allows-attack-vector-for-data-exfiltration/
