err0r.net



Microsoft Teams: Why Hackers Are After It — and What You Should Do



Microsoft Teams isn’t just where we share memes and debate if that meeting could’ve been an email — it’s also become a new target for hackers.

On October 23, 2025, researcher Brahim El Fikhi showed how attackers can steal hidden “login tokens” from the Teams desktop app on Windows. Those little bits of data act like digital keys — if someone steals yours, they can pretend to be you, read your chats, send messages, or grab your files from SharePoint or Outlook.

Here’s what that actually means, why it matters, and what you can do about it.


What’s Going On (in plain English)

  • Where the danger is:
    Teams keeps your sign-in info in a local file on your computer. Microsoft encrypts that data (so it isn’t just sitting there in plain text), but hackers have found a way to unlock it if they already have access to your computer.

  • What hackers can do with it:
    If someone can get into your Windows account or run programs as you, they can grab those tokens, unlock them, and use them to log in as you — no password, no MFA prompt, just instant access.

  • Why this matters:
    These tokens let someone act exactly like you — send fake “IT messages,” download files, or spy on Teams chats — all without raising obvious red flags.

  • How it happens:
    The Teams desktop app uses a built-in Microsoft Edge WebView browser component to save those tokens, and the encryption is tied to your Windows user account. Attackers can find and decrypt them if they already have local access as you or have stolen your Windows login.


Why This Is a Bigger Deal Than It Sounds

  • Old problem, new twist:
    Teams used to store some of these tokens unencrypted. Microsoft fixed that, but now hackers aim for the encryption keys instead.

  • Local access still counts:
    If malware or a bad actor can run on your PC as you, encryption that is tied to your Windows account doesn’t help much — anything running as you can unlock it just as you would.

  • It’s sneaky:
    Tokens let attackers quietly read emails, messages, and files — without triggering password resets or MFA alerts.


What You Should Do (Right Now)

For everyday users

  • Turn on Multi-Factor Authentication (MFA) — it’s your biggest safety net.

  • Turn on Privacy Mode in Teams — stop strangers from seeing when you’re active or trying to join meetings. It’s a simple setting that makes it harder for hackers to target you or your company.

  • Don’t use the Teams desktop app on shared or public computers. If you must, use Teams in your web browser instead.

  • Don’t open unexpected files or links, even if they look like they came from coworkers. Confirm first.

  • Never give remote access or passwords to “IT” people who just message you — always verify through an official channel.

  • Restart Teams only when you know why. Sudden “please restart Teams” requests can be suspicious.

For IT admins

  • Treat the desktop Teams client as higher-risk on unmanaged PCs.

  • Use Conditional Access and MFA across your tenant.

  • Restrict external messaging and guest access where it’s not needed.

  • Monitor for odd Teams or Graph API activity — like new apps, weird file reads, or strange IPs.

  • Set policies to expire and refresh tokens more often, and revoke them quickly when something looks off.

  • Keep Teams, Windows, and Edge WebView fully updated.
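One way to put the monitoring item above into practice, as an added example that is not code from err0r.net, Microsoft, or the researcher’s write-up: a small Python baseline detector run over constructed sign-in events. It flags the three things a reused token tends to produce (an app the user never used, an address the user never signed in from, and the same user active from two addresses minutes apart). The JSON field names (user, appId, ip, time), the app labels and the IP addresses are all constructed assumptions, not the real Entra ID sign-in log schema or real identifiers.

```python
"""Baseline detector for odd sign-in activity after possible Teams token theft.

Added example for this post; not code from err0r.net, Microsoft, or the
original research. The event format below (one JSON object per line with
user, appId, ip, time) is a constructed simplification, not the real Entra
ID sign-in log schema; the app labels and IPs are placeholders.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: normal sign-ins from a quiet week, one JSON object per line.
BASELINE_LOG = """
{"user": "alice", "appId": "teams-desktop", "ip": "203.0.113.10", "time": "2025-10-20T08:55:00"}
{"user": "alice", "appId": "outlook-desktop", "ip": "203.0.113.10", "time": "2025-10-20T09:01:00"}
{"user": "bob", "appId": "teams-desktop", "ip": "198.51.100.7", "time": "2025-10-20T09:05:00"}
"""

# Constructed events to inspect: alice's normal sign-in, then her session
# reused by an unknown app from a new address minutes later, then a user
# with no baseline at all.
NEW_LOG = """
{"user": "alice", "appId": "teams-desktop", "ip": "203.0.113.10", "time": "2025-10-24T09:00:00"}
{"user": "alice", "appId": "unknown-script", "ip": "192.0.2.55", "time": "2025-10-24T09:04:00"}
{"user": "bob", "appId": "teams-desktop", "ip": "198.51.100.7", "time": "2025-10-24T09:10:00"}
{"user": "carol", "appId": "teams-desktop", "ip": "203.0.113.10", "time": "2025-10-24T09:20:00"}
"""


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Record, per user, the set of app ids and source IPs seen in normal use."""
    seen = defaultdict(lambda: {"apps": set(), "ips": set()})
    for e in events:
        seen[e["user"]]["apps"].add(e["appId"])
        seen[e["user"]]["ips"].add(e["ip"])
    return seen


def find_anomalies(baseline, events, max_gap=timedelta(minutes=10)):
    """Return (user, reason, event) tuples for events that deviate from baseline.

    Three checks, matching the admin advice in the post:
      * "new app": an app id this user has never used before
      * "new ip": a source address this user has never signed in from
      * "two ips within window": the same user active from two different
        addresses within max_gap, a typical sign of a reused token
    A user absent from the baseline is reported as "unknown user".
    """
    alerts = []
    last_seen = {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        user = e["user"]
        ts = datetime.fromisoformat(e["time"])  # timestamps assumed to be UTC
        profile = baseline.get(user)  # .get() does not create a default entry
        if profile is None:
            alerts.append((user, "unknown user", e))
        else:
            if e["appId"] not in profile["apps"]:
                alerts.append((user, "new app", e))
            if e["ip"] not in profile["ips"]:
                alerts.append((user, "new ip", e))
        prev = last_seen.get(user)
        if prev is not None and prev["ip"] != e["ip"]:
            if ts - datetime.fromisoformat(prev["time"]) <= max_gap:
                alerts.append((user, "two ips within window", e))
        last_seen[user] = e
    return alerts


def run_detector(baseline_text=BASELINE_LOG, new_text=NEW_LOG):
    """Build the baseline from one log and scan another against it."""
    baseline = build_baseline(parse_events(baseline_text))
    return find_anomalies(baseline, parse_events(new_text))


if __name__ == "__main__":
    for user, reason, event in run_detector():
        print(f"{event['time']} {user:6} {reason:22} app={event['appId']} ip={event['ip']}")
```

On the constructed input this reports four alerts, all but one for alice’s second event. The same three checks map directly onto the fields an Entra ID sign-in export gives you (user, application, client IP, timestamp); the window and the per-user baseline are the parts worth tuning, and an alert on a “new app” or “two IPs within window” is a good trigger for the token-revocation step in the list above.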


The Big Picture

Think of your Teams token like the keys to your house. Encryption locks them in a safe — but if someone breaks into your living room, they can still open the safe.

This new attack doesn’t require hacking Microsoft’s servers — just your local machine. So the goal is to make it as hard as possible for anyone to run code or steal data from your computer.


Remember

Tokens = digital keys.
Protect them the same way you protect your password:

  • Keep your PC clean.

  • Use MFA everywhere.

  • Don’t hand your “keys” to strangers.

  • Keep your software updated.