India, Oct. 24 -- An existing dysfunction on the patient side of Microsoft Teams provided the opportunity for an adversary with local access to replay session tokens. Microsoft has patched this. This article will detail the vulnerability and the pathways of investigation we did and include defensive code snippets and SIEM queries for defenders to use.

Researchers demonstrated the desktop client of Teams stored session tokens in locations and data types accessible by other local processes. Once the attacker was able to execute code locally, they were able to read the session tokens and call Microsoft Graph & Teams APIs as that victim. While handling tokens on the client side has been problematic for application developers, breaches into t...