BOF Tool targets Microsoft Teams Cookies
- Security Team

- Nov 10
- 2 min read


ICSLabs has identified a technique that allows malicious actors to interact with the Microsoft Teams, Skype, and Microsoft Graph APIs to read and send messages on behalf of the victim, enabling data exfiltration, internal spear-phishing, and lateral movement. No password is needed and MFA is not bypassed directly: the stolen cookies belong to a session that has already completed authentication, so the attacker simply reuses it.
The technique exploits the way Microsoft Teams hosts its user interface in WebView2 processes (msedgewebview2.exe) and stores cookies in a Chromium-style SQLite database on disk. Tooling adapted from "Cookie-Monster-BOF" duplicates the handle the WebView process already holds on the cookie file, reads the SQLite database through that duplicated handle, unwraps the profile's DPAPI-protected state key with the user's own DPAPI key, and uses the recovered key to decrypt the stored cookie values. The result is a set of valid session cookies that authorize actions on behalf of the user. Handle duplication is used rather than a plain file open because the running WebView process keeps the cookie file locked against ordinary reads. In Teams this extraction does not require elevated privileges: the state key is protected with the victim's own DPAPI key, so the code only has to run in that user's security context (for example via arbitrary code execution within the ms-teams.exe process, or in any other process running with the same token).
The impact is meaningful: active sessions can be hijacked to read and send internal communications and to call Graph APIs for further activity. Because the tool is a Beacon Object File (BOF), it runs in memory inside an existing implant and can be loaded by any of the multiple command and control frameworks that support BOFs, with no separate binary to drop on disk.
Indicators and artifacts to monitor include:
- the presence and activity of ms-teams.exe and its msedgewebview2.exe (WebView) child processes;
- unusual opens or reads of the Teams cookie/SQLite stores (for example under %LOCALAPPDATA%\Microsoft\Teams or within the user's WebView2 profile directories);
- handle duplication against those processes: Sysmon Event ID 10 (ProcessAccess) records the GrantedAccess mask, and a request that includes PROCESS_DUP_HANDLE (0x0040) from a process that is not itself part of Teams is the signal to look for;
- code injection into, or unexpected modules loaded in, ms-teams.exe;
- reads of the SQLite cookie files by processes other than Teams/WebView2 (a SACL on the cookie file surfaces these as Windows Security event 4663);
- exfiltration traffic or anomalous connections to external endpoints immediately after the cookie access.
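A minimal correlation of the indicators above over constructed telemetry, as an added example: this is not code from the original page, from ICSLabs, or from the teams-cookies-bof / Cookie-Monster-BOF projects. The log lines are a simplified key=value rendering of Sysmon ProcessAccess (Event ID 10), a file-object access audit (Windows Security 4663 on a SACL'd cookie file) and Sysmon network connections (Event ID 3); the events, paths, process names and the 203.0.113.10 address are constructed, and a WebView2 profile keeping its database at `<profile>\Network\Cookies` is an assumption.

```python
import re
from datetime import datetime, timedelta
from typing import Any, Dict, List

PROCESS_DUP_HANDLE = 0x0040            # OpenProcess right required to DuplicateHandle out of a target
TEAMS_PROCESSES = {"ms-teams.exe", "msedgewebview2.exe"}
EGRESS_WINDOW = timedelta(seconds=60)  # outbound traffic this soon after cookie access is suspicious

# Cookie store locations. %LOCALAPPDATA%\Microsoft\Teams comes from the page; a WebView2 profile
# keeping its cookie database at <profile>\Network\Cookies is an assumption for this example.
COOKIE_STORE_PATTERNS = [
    re.compile(r"\\Microsoft\\Teams\\.*Cookies$", re.I),
    re.compile(r"\\EBWebView\\.*\\Network\\Cookies$", re.I),
]

# Constructed sample telemetry (NOT real logs): "timestamp EventType key=value ...".
SAMPLE_LOG = r"""
2025-08-23T10:00:01Z ProcessAccess SourceImage="C:\Program Files\WindowsApps\MSTeams\ms-teams.exe" TargetImage="C:\Program Files\WindowsApps\MSTeams\msedgewebview2.exe" GrantedAccess=0x1000
2025-08-23T10:00:05Z ProcessAccess SourceImage="C:\Users\alice\AppData\Local\Temp\update.exe" TargetImage="C:\Program Files\WindowsApps\MSTeams\msedgewebview2.exe" GrantedAccess=0x1478
2025-08-23T10:00:06Z FileAccess Image="C:\Users\alice\AppData\Local\Temp\update.exe" ObjectName="C:\Users\alice\AppData\Local\Microsoft\Teams\Cookies" AccessMask=0x1
2025-08-23T10:00:07Z FileAccess Image="C:\Program Files\WindowsApps\MSTeams\msedgewebview2.exe" ObjectName="C:\Users\alice\AppData\Local\Microsoft\Teams\Cookies" AccessMask=0x1
2025-08-23T10:00:12Z NetworkConnect Image="C:\Users\alice\AppData\Local\Temp\update.exe" DestinationIp=203.0.113.10 DestinationPort=443
2025-08-23T10:30:00Z NetworkConnect Image="C:\Users\alice\AppData\Local\Temp\update.exe" DestinationIp=203.0.113.10 DestinationPort=443
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, Any]:
    """Turn one telemetry line into a dict with a parsed timestamp, event type and fields."""
    ts, etype, rest = line.split(" ", 2)
    ev: Dict[str, Any] = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "type": etype}
    for key, quoted, bare in KV_RE.findall(rest):
        ev[key] = quoted if quoted else bare
    return ev


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_cookie_store(path: str) -> bool:
    return any(p.search(path) for p in COOKIE_STORE_PATTERNS)


def detect(log: str) -> List[Dict[str, str]]:
    """Run the three rules over the log in order and return the alerts raised."""
    alerts: List[Dict[str, str]] = []
    suspects: Dict[str, datetime] = {}  # image path -> time of its last cookie-related alert

    def raise_alert(rule: str, ev: Dict[str, Any], image: str, detail: str) -> None:
        alerts.append({"rule": rule, "ts": ev["ts"].isoformat(), "image": image, "detail": detail})

    for line in log.strip().splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["type"] == "ProcessAccess":
            src, tgt = ev["SourceImage"], ev["TargetImage"]
            granted = int(ev["GrantedAccess"], 16)
            # Rule 1: a non-Teams process requests PROCESS_DUP_HANDLE on a Teams/WebView2 process,
            # the access a Cookie-Monster-style BOF needs to duplicate the open cookie-file handle.
            if basename(tgt) in TEAMS_PROCESSES and granted & PROCESS_DUP_HANDLE \
                    and basename(src) not in TEAMS_PROCESSES:
                raise_alert("teams_handle_dup", ev, src, f"GrantedAccess=0x{granted:x} on {basename(tgt)}")
                suspects[src] = ev["ts"]
        elif ev["type"] == "FileAccess":
            img, obj = ev["Image"], ev["ObjectName"]
            # Rule 2: anything other than Teams/WebView2 itself reading the cookie database.
            if is_cookie_store(obj) and basename(img) not in TEAMS_PROCESSES:
                raise_alert("teams_cookie_read", ev, img, obj)
                suspects[img] = ev["ts"]
        elif ev["type"] == "NetworkConnect":
            img = ev["Image"]
            last = suspects.get(img)
            # Rule 3: outbound connection from a suspect shortly after it touched the cookies.
            if last is not None and ev["ts"] - last <= EGRESS_WINDOW:
                raise_alert("post_cookie_egress", ev, img, f"{ev['DestinationIp']}:{ev['DestinationPort']}")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"], a["rule"], a["image"], a["detail"])
```

On the sample, the first ProcessAccess (Teams opening its own WebView with a query-only mask) and the WebView's own read of the cookie file stay silent, while update.exe trips all three rules; its second connection half an hour later is outside the window and is deliberately not attributed to the cookie theft. In production the process allowlist should be anchored on signed, full-path images rather than basenames, since an attacker can name a dropper ms-teams.exe.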
Latest updates
August 23, 2025: the Randorisec blog published the article "Stealing Microsoft Teams access tokens in 2025," which shows that captured Teams cookies allow interaction with the Teams, Skype, and Graph APIs to send and receive messages.
August 3, 2025: GitHub user "clod81" released the tool teams-cookies-bof on GitHub, which applies the technique described in the blog post cited above.