Get a demo
Voyager18 (research)

On the Microsoft Teams desktop app? Watch your credentials and tokens!

If you're using the Microsoft Teams desktop app, you may be affected by this token mining vulnerability. Here's what you need to know.

Bar Lanyado | September 15, 2022

Last month, it was discovered that Microsoft Teams users could be leaving the doors open for malicious entities on their computers to access their credentials. 

Here’s everything you need to know about the vulnerability, first discovered by the Vectra Protect team: 

What is the vulnerability in the Microsoft Teams desktop app?

The team recently uncovered an attack path giving anyone with file system access the ability to steal credentials for any signed-in Microsoft Teams user. The team discovered that authentication tokens are stored in cleartext on the Microsoft Teams app. Attackers can easily assume the token holder’s identity for actions possible within the Microsoft Teams client. This includes accessing Microsoft Graph API functions from the attacker’s system. Worst of all is that attackers can use these tokens to conduct actions against MFA-enabled accounts. 

microsoft teams desktop app

Does it affect me?

If you are using Microsoft Teams desktop app, then yes. (Windows, Linux and MacOS)

Has it been actively exploited in the wild?

We have not found any mentions of exploitation in the wild.

Mitigating the risk in the Microsoft Teams desktop app

While there’s still no patch, you can avoid being exploited by migrating to the Teams web app.

Moreover, be sure to monitor and verify that no other process except Microsoft Teams processes is accessing the following files:

  • [Windows] %AppData%\Microsoft\Teams\Cookies
  • [Windows] %AppData%\Microsoft\Teams\Local Storage\leveldb
  • [macOS] ~/Library/Application Support/Microsoft/Teams/Cookies
  • [macOS] ~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb
  • [Linux] ~/.config/Microsoft/Microsoft Teams/Cookies
  • [Linux] ~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb

Next steps

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:

  1. The most common CVEs (and how to fix them
  2. CVE-2022-3075: how to fix the zero-day vulnerability in Chrome
  3. Mapping CVEs to the MITRE ATT&CK framework
  4. The Vulcan Cyber community Slack channel
  5. Vulcan Remedy Cloud

And finally…

Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy