Hackers are exploiting Microsoft Teams access tokens to infiltrate chats, emails, and documents. Here’s what your security team needs to know and do now.
As we close out 2025, a newly disclosed vulnerability in Microsoft Teams has raised serious concerns for Australian enterprises relying on Microsoft 365. Security researchers have uncovered a method that allows attackers with local access to extract encrypted authentication tokens from Teams, granting them full impersonation powers across chats, emails, and SharePoint files.
What’s Happening: Token Theft via Teams Desktop App
Attackers who compromise a user’s device can extract access tokens stored by the Teams desktop client. These tokens act as digital keys, allowing threat actors to:
- Read and send Teams messages
- Access Outlook emails and shared documents
- Impersonate users across Microsoft 365 services
The attack leverages how Teams uses a Chromium-based browser engine (msedgewebview2.exe) to handle authentication. During login, encrypted cookies are written to a local database. While these are protected by Windows’ Data Protection API (DPAPI), attackers can extract the encryption key from a configuration file and decrypt the tokens using AES-256-GCM.
Proof-of-Concept: It’s Real and Automated
Researchers have built a proof-of-concept tool in Rust that automates the entire extraction and decryption process. Once attackers have the token, they can interact with the Microsoft Graph API to retrieve messages, send emails, and even load the token into post-exploitation tools like GraphSpy.
Why It’s Dangerous
- Stealthy Impersonation: Malicious activity appears to come from a trusted internal account.
- Bypasses MFA: Tokens allow access without needing passwords or second-factor authentication.
- Lateral Movement: Attackers can pivot across systems and users using compromised tokens.
What You Should Do Now
To defend against this attack vector, security teams should:
- Deploy Endpoint Detection & Response (EDR): Monitor access to Teams config files and DPAPI keys.
- Audit Microsoft Graph API Activity: Look for unusual patterns or bulk data access.
- Enforce Strict Access Controls: Limit token scope and lifetime via Entra ID policies.
- Educate Users: Reinforce safe device practices and phishing awareness.
- Patch & Protect: Ensure Teams clients are up to date and antivirus solutions are active.
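The Graph API auditing item above is the one that can be turned into detection logic. The script below is an added example, not code from the original article or its cited sources: it runs two checks over a handful of constructed activity records (the field names are assumptions, not Microsoft's export schema), flagging a session whose token is used from a second client IP within a short window, and a session whose mail or chat reads exceed a bulk threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified audit-export shape.
# Field names (time, user, session, ip, op, items) are assumptions for this example.
SAMPLE_EVENTS = [
    {"time": "2025-11-20T09:00:00", "user": "alice@example.com", "session": "s1",
     "ip": "203.0.113.10", "op": "ChatMessageRead", "items": 12},
    {"time": "2025-11-20T09:01:30", "user": "alice@example.com", "session": "s1",
     "ip": "203.0.113.10", "op": "MailItemsAccessed", "items": 5},
    # same session token, new IP 90 seconds later, and a large mailbox read
    {"time": "2025-11-20T09:03:00", "user": "alice@example.com", "session": "s1",
     "ip": "198.51.100.77", "op": "MailItemsAccessed", "items": 900},
    {"time": "2025-11-20T09:04:00", "user": "bob@example.com", "session": "s2",
     "ip": "203.0.113.11", "op": "ChatMessageRead", "items": 3},
]


def find_suspicious(events, bulk_threshold=500, reuse_window=timedelta(minutes=10)):
    """Return alert strings for two signals worth watching after token theft:
    1. one session/token used from more than one client IP inside reuse_window
    2. total mail/chat items read in one session at or above bulk_threshold
    """
    alerts = []
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    for session, evs in by_session.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        # Consecutive events from different IPs close together: token reuse elsewhere
        for a, b in zip(evs, evs[1:]):
            gap = datetime.fromisoformat(b["time"]) - datetime.fromisoformat(a["time"])
            if a["ip"] != b["ip"] and gap <= reuse_window:
                alerts.append(f"reuse:{session}:{a['ip']}->{b['ip']}")
        # Bulk data access: sum of items touched across the session
        total = sum(e["items"] for e in evs)
        if total >= bulk_threshold:
            alerts.append(f"bulk:{session}:{total}")
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the session identifier would come from the sign-in or unified audit log's session/correlation field, and the thresholds should be tuned against a baseline of normal Teams and Outlook activity for the tenant.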
Microsoft has begun tightening token lifetimes and binding them to device context, but local access remains a critical risk factor.
This vulnerability underscores the importance of endpoint hygiene and proactive monitoring. As attackers shift focus from remote exploits to local token theft, organisations must evolve their defences accordingly.
Need help auditing your Teams environment or setting up API monitoring? Let’s talk.
Sources:
https://www.pcquest.com/security-products/microsoft-teams-token-replay-attack-what-happened-and-fixes-10590106
https://cybersecuritynews.com/microsoft-teams-access-tokens/
https://intruceptlabs.com/2025/10/microsoft-teams-access-token-vulnerability-allows-attack-vector-for-data-exfiltration/