Hackers are exploiting Microsoft Teams access tokens to infiltrate chats, emails, and documents. Here’s what your security team needs to know and do now.
As we close out 2025, a newly disclosed vulnerability in Microsoft Teams has raised serious concerns for Australian enterprises relying on Microsoft 365. Security researchers have uncovered a method that allows attackers with local access to extract encrypted authentication tokens from Teams, granting them full impersonation powers across chats, emails, and SharePoint files.
What’s Happening: Token Theft via Teams Desktop App
Attackers who compromise a user’s device can extract access tokens stored by the Teams desktop client. These tokens act as digital keys, allowing threat actors to:
- Read and send Teams messages
- Access Outlook emails and shared documents
- Impersonate users across Microsoft 365 services
The attack leverages how Teams uses a Chromium-based browser engine (msedgewebview2.exe) to handle authentication. During login, encrypted cookies are written to a local database. While these are protected by Windows’ Data Protection API (DPAPI), attackers can extract the encryption key from a configuration file and decrypt the tokens using AES-256-GCM.
Proof-of-Concept: It’s Real and Automated
Researchers have built a proof-of-concept tool in Rust that automates the entire extraction and decryption process. Once attackers have the token, they can interact with the Microsoft Graph API to retrieve messages, send emails, and even load the token into post-exploitation tools like GraphSpy.
Why It’s Dangerous
- Stealthy Impersonation: Malicious activity appears to come from a trusted internal account.
- Bypasses MFA: Tokens allow access without needing passwords or second-factor authentication.
- Lateral Movement: Attackers can pivot across systems and users using compromised tokens.
What You Should Do Now
To defend against this attack vector, security teams should:
- Deploy Endpoint Detection & Response (EDR): Monitor access to Teams config files and DPAPI keys.
- Audit Microsoft Graph API Activity: Look for unusual patterns or bulk data access.
- Enforce Strict Access Controls: Limit token scope and lifetime via Entra ID policies.
- Educate Users: Reinforce safe device practices and phishing awareness.
- Patch & Protect: Ensure Teams clients are up to date and antivirus solutions are active.
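As an added example (not code from the original post or from the researchers' proof-of-concept), the following Python runs two of the audit checks above over constructed activity records: a token seen from more than one device or IP, which is how a stolen token replayed off the victim's machine shows up in logs, and bulk Graph reads by a single account. The record fields and the threshold are assumptions to map onto your own Entra ID sign-in and Graph audit exports.

```python
from collections import Counter, defaultdict

# Constructed sample activity records (not real logs): one entry per Microsoft
# Graph call, carrying the user, a per-token session id, and the origin device/IP.
# Field names are assumptions; map them to the columns your audit export uses.
def _event(user, session, device, ip, op):
    return {"user": user, "session": session, "device": device, "ip": ip, "op": op}

SAMPLE_EVENTS = (
    # alice: normal use of her own token from her own managed laptop
    [_event("alice@example.com.au", "S1", "LAPTOP-A", "203.0.113.10", "GET /me/messages")] * 3
    # bob: token S2 first seen on his laptop ...
    + [_event("bob@example.com.au", "S2", "LAPTOP-B", "203.0.113.11", "GET /me/chats")]
    # ... then the same token used from an unmanaged host, pulling mail in bulk
    + [_event("bob@example.com.au", "S2", "UNKNOWN-HOST", "198.51.100.7", "GET /me/messages")] * 60
)

def detect_token_replay(events):
    """Return user/session pairs whose token was used from more than one device or IP.
    A token minted on one endpoint and presented from another is the footprint of
    the theft described above: the attacker never performs a login of their own."""
    origins = defaultdict(set)
    for e in events:
        origins[(e["user"], e["session"])].add((e["device"], e["ip"]))
    return sorted(f"{u}/{s}" for (u, s), seen in origins.items() if len(seen) > 1)

def detect_bulk_access(events, threshold=50):
    """Return users whose Graph read calls in the log window meet the threshold."""
    reads = Counter(e["user"] for e in events if e["op"].startswith("GET "))
    return sorted(u for u, n in reads.items() if n >= threshold)

if __name__ == "__main__":
    print("token replay:", detect_token_replay(SAMPLE_EVENTS))
    print("bulk access:", detect_bulk_access(SAMPLE_EVENTS))
```

Both checks are complementary: the replay check catches a stolen token even when the attacker is careful about volume, and the bulk check catches mass collection even when device identity is missing from the log.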
Microsoft has begun tightening token lifetimes and binding them to device context, but local access remains a critical risk factor.
This vulnerability underscores the importance of endpoint hygiene and proactive monitoring. As attackers shift focus from remote exploits to local token theft, organisations must evolve their defences accordingly.
Need help auditing your Teams environment or setting up API monitoring? Let’s talk.
Sources:
https://www.pcquest.com/security-products/microsoft-teams-token-replay-attack-what-happened-and-fixes-10590106
https://cybersecuritynews.com/microsoft-teams-access-tokens/
https://intruceptlabs.com/2025/10/microsoft-teams-access-token-vulnerability-allows-attack-vector-for-data-exfiltration/