Cyber Web Spider Blog – News
Hackers Can Access Microsoft Teams Chat and Emails by Retrieving Access Tokens

Posted on October 24, 2025October 24, 2025 By CWS

A new technique lets attackers extract encrypted authentication tokens from Microsoft Teams on Windows, enabling unauthorized access to chats, emails, and SharePoint files.

In a blog post dated October 23, 2025, Brahim El Fikhi explains how these tokens, stored in a Chromium-style Cookies database, can be decrypted using Windows' Data Protection API (DPAPI).

The method bypasses recent security hardening, posing risks of lateral movement and data exfiltration in enterprise environments.

These access tokens grant impersonation capabilities, such as sending Teams messages or emails on behalf of victims, which attackers can exploit for social engineering or persistence.

El Fikhi's focus on desktop Office apps, particularly Teams, highlights weaknesses in embedded browser components that handle authentication through login.microsoftonline.com. Microsoft's ecosystem remains a prime target, with recent disruptions noted in threats against Teams as of early October 2025.

Early Microsoft Teams versions stored auth cookies in plaintext within the SQLite file at %AppData%\Local\Microsoft\Teams\Cookies, a flaw exposed by Vectra AI in 2022 that allowed simple file reads to harvest tokens for Graph API abuse, bypassing MFA.

Updates eliminated this plaintext storage, adopting encrypted formats aligned with Chromium's cookie protection to prevent disk-based theft.

However, the shift introduces new attack vectors. Tokens now use AES-256-GCM encryption protected by DPAPI, a Windows API that ties keys to user or machine contexts for data isolation.

This relies on the user's login credentials, making decryption feasible with local access but difficult remotely without privilege escalation. Similar protections in browsers like Chrome have been cracked via key extraction, a pattern echoed in Teams' msedgewebview2.exe process.

Microsoft Teams Access Tokens Exfiltrated

To pinpoint token locations, researchers used ProcMon from Sysinternals, filtering for WriteFile operations by msedgewebview2.exe, the embedded Edge WebView2 browser spawned by ms-teams.exe during login.

This process writes to the Cookies database, unlike the main executable, which avoids sensitive file I/O beyond logs.

The SQLite Cookies table holds the relevant entries: host_key (e.g., teams.microsoft.com), name (cookie identifier), and encrypted_value prefixed with "v10" (0x76 0x31 0x30), indicating Chromium's version 10 encryption.

The schema parses as: 3-byte tag, 12-byte nonce (initialization vector), and the AES-encrypted payload. The master key lives in %AppData%\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Local State, a JSON file, under os_crypt.encrypted_key, a Base64 string beginning with "DPAPI" after decoding, protected by user-specific DPAPI blobs in %AppData%\Microsoft\Protect.

The key is extracted and DPAPI-unprotected using Windows APIs such as CryptUnprotectData, which requires the attacker's context to match the user's (e.g., via mimikatz for credential dumping).

AES-256-GCM with the key and nonce is then applied to the payload, yielding the auth token. El Fikhi's Rust PoC automates this, dumping tokens after teams.exe termination to unlock the file, a common limitation, as the process holds an exclusive lock. Python equivalents, like those for Chrome, demonstrate similar logic:

This code, adapted from browser forensics, applies directly to Teams. A GitHub PoC (teams_dump) lists and decrypts the database, outputting JSON with hosts like teams.microsoft.com and cookies like MUIDB or TSREGIONCOOKIE.

Mitigations

Tools like GraphSpy ingest the token for scoped abuse, reading SharePoint or emails, limited to Teams permissions (e.g., Chat.ReadWrite, Mail.Send). Microsoft's Primary Refresh Token (PRT) ties into this, enabling seamless SSO but amplifying token reuse risks across apps.

Mitigations include monitoring for ms-teams.exe kills or unusual ProcMon patterns, enforcing app-bound encryption, and preferring web-based Teams to avoid local storage.

Rotate tokens via Entra ID policies and audit API logs for anomalies. As Teams threats evolve, DPAPI-aware EDR rules are essential.
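As an added example (not from the article or El Fikhi's PoC), the following Python turns the monitoring advice above into a detection rule over a constructed ProcMon CSV export: it flags any process other than ms-teams.exe or msedgewebview2.exe touching the EBWebView Local State or Cookies files, and raises severity when that happens shortly after a Teams process exit. Column names follow ProcMon's CSV export; the Cookies path under EBWebView, the sample process names and the 120-second window are assumptions.

```python
import csv
import io
from datetime import datetime

# Local State path is from the article; the Cookies file name under EBWebView is assumed.
TEAMS_STORE_MARKER = "\\msteams\\ebwebview\\"
SECRET_FILES = ("\\ebwebview\\local state", "\\cookies")
# Processes the article names as legitimately touching the store during login.
EXPECTED_PROCESSES = {"ms-teams.exe", "msedgewebview2.exe"}
FILE_OPS = {"CreateFile", "ReadFile", "WriteFile", "CreateFileMapping"}
KILL_WINDOW_SECONDS = 120  # assumed: a Teams exit this close raises severity
# Constructed ProcMon-style CSV export (sample data, not real telemetry).
SAMPLE_PROCMON_CSV = """\
Time of Day,Process Name,PID,Operation,Path,Result
10:01:02.100,ms-teams.exe,4120,WriteFile,C:\\Users\\alice\\AppData\\Local\\Packages\\MSTeams_8wekyb3d8bbwe\\LocalCache\\Microsoft\\MSTeams\\Logs\\MSTeams.log,SUCCESS
10:01:03.500,msedgewebview2.exe,4388,WriteFile,C:\\Users\\alice\\AppData\\Local\\Packages\\MSTeams_8wekyb3d8bbwe\\LocalCache\\Microsoft\\MSTeams\\EBWebView\\Default\\Network\\Cookies,SUCCESS
10:04:10.000,ms-teams.exe,4120,Process Exit,,SUCCESS
10:04:11.250,dumper.exe,5012,CreateFile,C:\\Users\\alice\\AppData\\Local\\Packages\\MSTeams_8wekyb3d8bbwe\\LocalCache\\Microsoft\\MSTeams\\EBWebView\\Local State,SUCCESS
10:04:11.300,dumper.exe,5012,ReadFile,C:\\Users\\alice\\AppData\\Local\\Packages\\MSTeams_8wekyb3d8bbwe\\LocalCache\\Microsoft\\MSTeams\\EBWebView\\Default\\Network\\Cookies,SUCCESS
"""


def detect_token_store_access(procmon_csv):
    """Alert on non-Teams processes reading the Teams cookie DB or Local State."""
    alerts = []
    last_teams_exit = None  # time of the most recent ms-teams.exe exit
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        proc = row["Process Name"].lower()
        when = datetime.strptime(row["Time of Day"], "%H:%M:%S.%f")
        if proc == "ms-teams.exe" and row["Operation"] == "Process Exit":
            last_teams_exit = when
            continue
        path = row["Path"].lower()
        if row["Operation"] not in FILE_OPS or TEAMS_STORE_MARKER not in path:
            continue
        if not path.endswith(SECRET_FILES) or proc in EXPECTED_PROCESSES:
            continue
        # Access shortly after Teams was killed matches the PoC's lock-release step.
        recently_killed = (last_teams_exit is not None
                           and 0 <= (when - last_teams_exit).total_seconds() <= KILL_WINDOW_SECONDS)
        alerts.append({"time": row["Time of Day"], "process": row["Process Name"],
                       "pid": int(row["PID"]), "file": row["Path"],
                       "severity": "high" if recently_killed else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect_token_store_access(SAMPLE_PROCMON_CSV):
        print(alert)
```

The same rule ports to an EDR file-access query by keeping the path suffix, process allow-list and exit-time correlation.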
