New BOF Tool Bypasses Microsoft Teams Cookie Encryption to Steal User Chats

Cybersecurity researchers at Tier Zero Security have released a specialised Beacon Object File (BOF) tool that exploits a critical weakness in Microsoft Teams cookie encryption, enabling attackers to steal user chat messages and other sensitive communications.

The vulnerability stems from how Microsoft Teams handles cookie encryption compared to modern Chromium-based browsers.

While contemporary browsers like Chrome and Edge invoke a COM-based IElevator service running with SYSTEM privileges to protect encryption keys, Microsoft Teams still relies on the current user’s Data Protection API (DPAPI) master key.

This weaker protection mechanism creates an opportunity for attackers to decrypt cookies without requiring elevated administrator privileges.

Microsoft Teams uses the msedgewebview2.exe process, a Chromium-based component, to display browser content within the application.

Upon authentication, Teams stores cookies in a SQLite database similar to regular browsers.

However, the encryption key protecting these cookies can be accessed through the user’s DPAPI master key ...