Security researchers have unveiled a new Beacon Object File (BOF) exploit that circumvents Microsoft Teams’ cookie encryption, enabling attackers to pilfer sensitive chat data and authentication tokens with minimal detection.
This tool, an adaptation of the popular Cookie-Monster-BOF, targets the Teams desktop application’s vulnerable storage mechanisms, posing a significant risk to corporate communications.
Released on November 2, 2025, by Tier Zero Security, the exploit highlights ongoing weaknesses in how Teams handles encrypted cookies compared to modern browsers.
Teams’ Encryption Shortcomings Exposed
Microsoft Teams embeds a Chromium-based process, msedgewebview2.exe, to manage its browser window during authentication.
While this setup stores cookies in a SQLite database akin to browsers, Teams relies on the user’s Data Protection API (DPAPI) master key for encryption, lacking the elevated protections seen in Chrome or Edge.
Browsers invoke a SYSTEM-privileged COM service to safeguard their encryption keys, verifying caller legitimacy via secure paths inaccessible to low-privileged users.
In contrast, Teams’ approach allows decryption using the current user’s DPAPI key, making it susceptible to local attackers.
The original Cookie-Monster-BOF excels at extracting browser cookies by running within the browser process, duplicating file handles, and decrypting via the COM service.
However, applying this to Teams faced a hurdle: the Cookies file remains locked by the running application, preventing direct access.
Repurposed BOF Delivers Stealthy Theft
Tier Zero Security addressed this by modifying Cookie-Monster-BOF to operate within the ms-teams.exe process or any same-privilege context.
The new teams-cookies-bof scans for child webview processes holding open handles to the Cookies file, duplicates them to read contents undetected, and decrypts using the user’s DPAPI master key.

No process termination is needed, reducing forensic footprints.
The tool requires no arguments and integrates seamlessly with C2 frameworks supporting BOFs.
For non-Teams processes, a provided Gist queries all webview handles, downloading the relevant cookies while ignoring the rest, since the decryption key applies only to Teams data.
This bypasses limitations noted in prior research by RandoriSec, which required killing Teams to access files.
Once obtained, these cookies yield access tokens for Teams, Skype, and Graph APIs, allowing message reading, sending, and lateral movement.
Researchers emphasize running the BOF in Teams’ context to evade indicators like unrelated process handles.
As Teams remains a prime phishing target, organizations should monitor for anomalous webview activity and enforce strict local access controls.
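The handle-duplication step described above is also the detection hook: copying the webview's open handle to the Cookies file requires PROCESS_DUP_HANDLE on msedgewebview2.exe, so a source process other than Teams' own binaries asking for that right is the "unrelated process handle" indicator the researchers mention. The following detector is an added example, not part of the article or of the teams-cookies-bof tool; it assumes Sysmon-style ProcessAccess (Event ID 10) records, and the record format, file paths and event lines are constructed for the demo.

```python
PROCESS_DUP_HANDLE = 0x0040               # Windows process access right
WEBVIEW = "msedgewebview2.exe"
TEAMS_IMAGES = {"ms-teams.exe", WEBVIEW}  # expected holders of the Cookies handle


def parse_event(line: str) -> dict:
    """Split a constructed 'Key=Value|Key=Value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path: str) -> str:
    """Last path component, lower-cased, for image-name comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when a non-Teams process requests DUP_HANDLE on the webview."""
    target = basename(event.get("TargetImage", ""))
    source = basename(event.get("SourceImage", ""))
    granted = int(event.get("GrantedAccess", "0"), 16)   # accepts "0x..." form
    return (target == WEBVIEW
            and source not in TEAMS_IMAGES
            and bool(granted & PROCESS_DUP_HANDLE))


def scan(lines) -> list:
    """Return the SourceImage of every suspicious record, in log order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious(event):
            hits.append(event["SourceImage"])
    return hits


# Constructed sample records (paths are placeholders): the parent Teams process
# opening its child (benign), a foreign binary requesting DUP_HANDLE on the
# webview (flag), a query-only open (benign), and an unrelated target (benign).
SAMPLE_EVENTS = [
    r"EventID=10|SourceImage=C:\demo\teams\ms-teams.exe|TargetImage=C:\demo\teams\msedgewebview2.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Users\demo\AppData\Local\Temp\loader.exe|TargetImage=C:\demo\teams\msedgewebview2.exe|GrantedAccess=0x1040",
    r"EventID=10|SourceImage=C:\demo\tools\inventory.exe|TargetImage=C:\demo\teams\msedgewebview2.exe|GrantedAccess=0x1000",
    r"EventID=10|SourceImage=C:\demo\tools\inventory.exe|TargetImage=C:\Windows\notepad.exe|GrantedAccess=0x0040",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("PROCESS_DUP_HANDLE on Teams webview from foreign image:", hit)
```

When the BOF runs inside ms-teams.exe itself, as the researchers recommend, the source image is Teams and this rule stays silent; that is exactly the evasion the article describes, so the rule complements, rather than replaces, the local access controls mentioned above.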