A specialised Beacon Object File (BOF) has been designed to extract authentication cookies from Microsoft Teams without disrupting the application.
This development builds on recent findings that expose how Teams stores sensitive access tokens, potentially allowing attackers to impersonate users and access chats, emails, and documents.
The tool, released by Tier Zero Security, adapts an existing browser exploitation technique to bypass Teams' file-locking mechanisms, raising fresh concerns about endpoint security in enterprise environments.
The innovation stems from a detailed analysis of Teams' authentication process. As outlined in a recent research post by RandoriSec, Microsoft Teams embeds a browser window using the msedgewebview2.exe process, a Chromium-based component that handles login via Microsoft's online services.
During authentication, this process writes cookies to a SQLite database in a manner similar to traditional web browsers.
These cookies contain access tokens that grant access to Teams conversations, Skype features, and even the Microsoft Graph API for broader Office 365 interactions.
However, modern Chromium browsers have strengthened their defenses. They now protect encryption keys through a COM-based IElevator service that runs with SYSTEM privileges, verifying the caller's legitimacy by checking the executable's secure installation path.
This setup demands either execution within the browser process or elevated administrator access to decrypt cookie values.
In contrast, Teams relies on the simpler Data Protection API (DPAPI) tied to the current user's master key, making its cookies comparatively easier to target once the encryption key is obtained.
Overcoming File Locks With Process Injection
A key hurdle in the original research was Teams' runtime behavior: the application locks its Cookies database file while running, even in the background, preventing direct reads or copies.
Killing the MS-Teams.exe process, as suggested in the post, would alert users and trigger security monitoring.
To address this, the researchers drew inspiration from Cookie-Monster-BOF, an open-source tool that extracts cookies from live browser processes by duplicating file handles and invoking the IElevator service.
The new Teams-Cookies-BOF repurposes this logic for the messaging app. Instead of terminating Teams, it runs directly within the ms-teams.exe process, potentially via DLL or COM hijacking, to identify child webview processes holding open handles to the Cookies file.
It duplicates these handles, reads the file contents on the fly, and decrypts the values using the user's DPAPI master key. This approach provides stealth, as the tool mimics legitimate process activity without file system disruptions.
Notably, the BOF's flexibility extends beyond Teams injection. It can execute in any process sharing the same user privileges, querying webview children across the system to retrieve relevant cookies.
While this broadens its applicability, it also introduces detectable indicators, such as unusual handle operations on unrelated processes.
For demonstration, the researchers shared a Gist script that achieves similar results from a neutral context, though it risks pulling non-Teams cookies as collateral.
Implications For Red Teamers And Defenders
The decryption mechanism mirrors Cookie-Monster-BOF exactly, using AES-256-GCM after extracting the nonce and encrypted payload from the "v10"-tagged values in the database.
Once obtained, the tokens enable API calls to fetch conversation histories, read messages, or send phishing content on behalf of victims, escalating risks in lateral movement or social engineering campaigns.
Tier Zero Security has made the BOF publicly available on GitHub, compatible with any C2 framework supporting Beacon payloads, and it requires no arguments for basic use.
This release underscores a persistent gap in Teams' security model compared to hardened browsers. Organizations should prioritize behavioral monitoring for process injection, enforce least-privilege execution, and consider endpoint detection rules targeting DPAPI accesses or webview handle manipulations.
As hybrid work relies heavily on Teams, such vulnerabilities highlight the need for ongoing scrutiny of embedded browser components in productivity apps.
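The "unusual handle operations on unrelated processes" indicator and the webview handle-manipulation detection rule recommended above can be expressed as a simple rule over Sysmon Event ID 10 (ProcessAccess) records. The following is an added example written for this article, not code from Tier Zero Security or RandoriSec; the flattened `key=value|key=value` log format, the image paths and the `EXPECTED_SOURCES` allow-list are constructed assumptions a deployment would replace with its own baseline.

```python
from dataclasses import dataclass

PROCESS_DUP_HANDLE = 0x0040  # access right needed to duplicate another process's handles
WEBVIEW_IMAGE = "msedgewebview2.exe"
# Images that normally touch the Teams webview children (assumed allow-list). The in-process
# variant (BOF loaded into ms-teams.exe) needs a baseline of ms-teams.exe's own access
# pattern, which this rule does not encode.
EXPECTED_SOURCES = {"ms-teams.exe", "msedgewebview2.exe"}

@dataclass(frozen=True)
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def parse_event(line: str) -> ProcessAccess:
    """Parse one flattened Event 10 record; GrantedAccess is hex, as Sysmon logs it."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessAccess(
        source_image=_basename(fields["SourceImage"]),
        target_image=_basename(fields["TargetImage"]),
        granted_access=int(fields["GrantedAccess"], 16),
    )

def is_suspicious(ev: ProcessAccess) -> bool:
    """Unexpected image requesting PROCESS_DUP_HANDLE on a webview process."""
    return (
        ev.target_image == WEBVIEW_IMAGE
        and bool(ev.granted_access & PROCESS_DUP_HANDLE)
        and ev.source_image not in EXPECTED_SOURCES
    )

def find_suspicious(lines):
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]

# Constructed sample records (placeholder paths): the Teams parent, a service doing a
# query-only access, and an unrelated user-level binary duplicating handles.
SAMPLE_LOG = [
    r"SourceImage=C:\CONSTRUCTED\ms-teams.exe|TargetImage=C:\CONSTRUCTED\msedgewebview2.exe|GrantedAccess=0x1FFFFF",
    r"SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\CONSTRUCTED\msedgewebview2.exe|GrantedAccess=0x1000",
    r"SourceImage=C:\Users\alice\AppData\Local\Temp\update.exe|TargetImage=C:\CONSTRUCTED\msedgewebview2.exe|GrantedAccess=0x1040",
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG):
        print(f"ALERT: {ev.source_image} requested DUP_HANDLE on {ev.target_image}")
```

Only the third record is flagged: the Teams parent is allow-listed and the service request lacks the DUP_HANDLE bit. Pairing this with a rule on DPAPI CryptUnprotectData use from processes outside the Teams tree covers the decryption step as well.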
