Security researchers at TierZeroSecurity have published a proof-of-concept Beacon Object File (BOF) that can extract Microsoft Teams session cookies from a user process, enabling an attacker who already runs code as the current user to interact with Teams, Skype and Microsoft Graph APIs as the compromised account.
The research builds on prior analysis of Teams’ cookie storage and the weaker protections it applies compared with modern Chromium browsers. The result, according to TierZeroSecurity: cookie theft without SYSTEM privileges and a practical route to account-level takeover for active sessions.
What the research shows (high level, non-actionable)
- Microsoft Teams embeds a Chromium WebView (msedgewebview2.exe) and stores authentication cookies in a SQLite database similar to browsers.
- Unlike hardened Chromium browsers – which use a COM-based service running at SYSTEM to protect the cookie-encryption key – Teams relies on the current user’s Data Protection API (DPAPI) master key. That weaker model makes it possible for an attacker with the same user privileges to decrypt the cookie encryption key.
- TierZero repurposed a trimmed-down version of the Cookie-Monster BOF to run inside the Teams process (or other processes with the same privileges) and extract the cookies and decryption key, enabling API access as the logged-in user. Their PoC is intended to run as a BOF within a C2 framework; the code and details are publicly visible via TierZero’s disclosure. (See TierZeroSecurity’s writeup.)
Important: this article explains the threat and defensive steps. It does not provide exploit code or operational instructions that would facilitate abuse.
Why this is dangerous for organisations and users
- Session impersonation: Stolen Teams cookies can allow attackers to read/send Teams messages, access chats, and interact with Graph APIs as the victim – without needing their password.
- Lateral movement & data loss: Adversaries with a single user foothold can misuse Teams to phish colleagues, deliver malicious files, or exfiltrate sensitive chat data.
- No admin privileges required: Because the attack works at the user level, standard privilege separation alone is not sufficient. Any infected or compromised workstation can be abused.
- Undetected abuse potential: API interactions using valid session cookies often blend with normal traffic and may evade simple anomaly detection.
Wider implications for security teams and the industry
This research highlights a recurring pattern: desktop apps that embed browser engines must adopt the same hardened protections browsers use for credential material. Teams is a widely deployed collaboration platform in enterprise, government, healthcare and education – so flaws that let attackers impersonate active users pose operational and reputational risks at scale. Vendors, defenders and endpoint teams must treat embedded webviews as first-class attack surfaces.
Expert view (contextual commentary)
Security practitioners we spoke with (industry consensus) note that this is not a novel attacker technique – cookie/session theft has long been a vector – but the ease of doing it without elevated privileges makes it particularly concerning. The real defence is layered: reduce opportunities for initial compromise, harden endpoints and monitor for abnormal Graph/Teams API activity. Products that rely on user session tokens must be designed to defend those tokens as rigorously as credentials.
10 recommended actions, mitigations and best practices for security teams
- Harden endpoints and reduce compromise probability. Maintain up-to-date EDR/antivirus with behavioral detection; implement application control to reduce arbitrary code execution.
- Enable Conditional Access & MFA for Teams/Office 365. Require risk-based access controls and adaptive MFA so stolen session tokens alone are insufficient for long-term access.
- Monitor Graph and Teams API activity. Alert on unusual API calls, mass message sends, or activity from atypical hosts and geographies.
- Limit Teams token lifetime and refresh policies. Where possible configure shorter session lifetimes and require reauthentication for sensitive operations.
- Segment user privileges and separate admin tasks. Use dedicated admin workstations and avoid admin duties on users’ day-to-day machines.
- Detect in-process code injection and suspicious child processes. Watch for anomalous DLL loads, process hollowing, or unexpected handles to Teams/EdgeWebView processes.
- Use endpoint isolation on suspicious devices. If an endpoint shows signs of compromise, isolate it from the network and force session invalidation for its users.
- Educate users about phishing & lateral abuse. Include Teams-centric scenarios in your awareness program (see training resources at training.saintynet.com).
- Leverage threat intelligence & IOC sharing. Exchange indicators (unusual processes, C2 artifacts) with partners and platforms like Cybercory to speed detection and response. (See related coverage on Cybercory)
- Engage vendors for secure design changes. Push app vendors – Microsoft in this case – to adopt system-level protections (like COM-based key protection) for embedded webviews and cookie storage.
MEA focus – why this matters to Middle East & Africa organisations
Enterprises across the Middle East and Africa (MEA) are rapidly adopting cloud collaboration tools including Microsoft Teams for government services, banks, oil & gas, healthcare and education. Many organisations in the region run a mix of BYOD and managed endpoints, creating broad surfaces where user-level compromises can occur. For MEA IT leaders this means prioritising endpoint hardening, conditional access policies, and targeted awareness programs – especially in sectors where Teams is used to coordinate critical operations.
Practical detection playbook (short)
- Hunt for processes that duplicate handles to msedgewebview2/Teams cookie files.
- Flag accounts with unusual Graph API calls outside normal working hours.
- Invalidate sessions and force reauth when suspicious activity or indicators are detected.
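The playbook's API-side checks (off-hours activity, bursts of message sends, activity from an atypical host) as a small triage script. This is an added example, not code from TierZeroSecurity or Microsoft; the JSON-lines log shape, the field names, the per-user IP baseline and the thresholds are all constructed assumptions, so map them onto your own tenant's audit export before use.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample of Teams/Graph audit events in a simplified JSON-lines shape
# (an assumption for this example; real tenant logs use different field names).
SAMPLE_LOG = """\
{"ts": "2024-03-05T09:12:00Z", "user": "alice@example.com", "op": "MessageSent", "client_ip": "10.0.1.20"}
{"ts": "2024-03-05T09:15:00Z", "user": "alice@example.com", "op": "ChatRead", "client_ip": "10.0.1.20"}
{"ts": "2024-03-05T10:05:00Z", "user": "bob@example.com", "op": "ChatRead", "client_ip": "10.0.1.31"}
{"ts": "2024-03-05T23:40:00Z", "user": "alice@example.com", "op": "MessageSent", "client_ip": "203.0.113.7"}
{"ts": "2024-03-05T23:41:00Z", "user": "alice@example.com", "op": "MessageSent", "client_ip": "203.0.113.7"}
{"ts": "2024-03-05T23:42:00Z", "user": "alice@example.com", "op": "MessageSent", "client_ip": "203.0.113.7"}
{"ts": "2024-03-05T23:43:00Z", "user": "alice@example.com", "op": "MessageSent", "client_ip": "203.0.113.7"}
{"ts": "2024-03-05T23:44:00Z", "user": "alice@example.com", "op": "MessageSent", "client_ip": "203.0.113.7"}
"""

# Constructed baseline of source IPs each account normally uses (assumption).
KNOWN_IPS = {"alice@example.com": {"10.0.1.20"}, "bob@example.com": {"10.0.1.31"}}
WORK_HOURS = range(7, 19)   # assume 07:00-18:59 UTC is the normal working window
MASS_SEND_THRESHOLD = 5     # sends per user per clock hour treated as a burst


def parse_events(text):
    """Parse JSON-lines audit records into dicts with a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return events


def find_suspicious(events):
    """Return sorted unique (rule, user, detail) findings for the playbook's three checks."""
    findings = set()
    sends_per_hour = Counter()
    for e in events:
        user, ts = e["user"], e["ts"]
        if ts.hour not in WORK_HOURS:            # activity outside the working window
            findings.add(("off_hours", user, ts.isoformat()))
        if e["client_ip"] not in KNOWN_IPS.get(user, set()):   # never-seen source host
            findings.add(("atypical_host", user, e["client_ip"]))
        if e["op"] == "MessageSent":
            sends_per_hour[(user, ts.strftime("%Y-%m-%dT%H"))] += 1
    for (user, hour), n in sends_per_hour.items():
        if n >= MASS_SEND_THRESHOLD:             # burst of sends from one account
            findings.add(("mass_send", user, f"{hour}:{n}"))
    return sorted(findings)
```

On the constructed sample, `find_suspicious(parse_events(SAMPLE_LOG))` flags only alice: five off-hours events, one never-seen source IP and one five-message burst in the 23:00 hour, which is the pattern a replayed session cookie would leave behind.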
Responsible disclosure and vendor coordination
TierZeroSecurity published their BOF and analysis publicly; prior research by Randori (on Teams tokens) contributed essential context. Security teams should treat public PoCs as a call to action – not as instructions to replicate attacks – and coordinate with vendors for fixed, long-term mitigations. Microsoft’s engineering teams are the final authority for secure design and platform patches; organisations should monitor official advisories and apply any recommended updates or mitigations.
Conclusion
The Teams cookie BOF underscores a simple truth: session tokens are as valuable as credentials and must be protected accordingly. Because this attack requires only user-level access, defenders cannot rely on privilege boundaries alone – they must reduce the chance of initial compromise, shorten token lifetimes, monitor API usage, and harden endpoints. Adopting layered defenses, focused detection, and targeted staff training will limit the window of opportunity for attackers who abuse session cookies. For training and awareness resources tailored to these threats, see Saintynet Cybersecurity and follow ongoing analysis at Cybercory.