Microsoft Teams Authentication Tokens Stored Unencrypted

Researchers from the Vectra Protect team found that Microsoft Teams store authentication tokens unencrypted on Windows, macOS, and Linux systems. Attackers with local or remote system access can steal the tokens from Microsoft teams users who are signed in. Microsoft says that while it does not have immediate plans to fix the issue, it may address it in a future product release. Until there is a fix available, Vectra recommends migrating to the Microsoft teams web app and to create a system monitoring rule to identify processes accessing sensitive files.

Note

• If you’re considering migrating to the browser-based Teams app, consider the browser chosen. Not all browser versions support teams fully and not all browsers have equivalent security protections. Consider Chromium Edge or Chrome for optimal experience. Even so, there is a reduction of functionality. Note that for Linux users EOL for the Linux desktop Teams client is December 22, so the browser version will be their only option. Monitoring access to the identified files by processes other than the Teams application and implementing a response mechanism may be far more acceptable to end users than switching to the browser-based app.

Read more in

• Undermining Microsoft Teams Security by Mining Tokens
• Token-Mining Weakness in Microsoft Teams Makes for Perfect Phish
• Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs