A flaw on the client side of Microsoft Teams gave an adversary with local access the opportunity to replay session tokens. Microsoft has patched it. This article details the vulnerability and the lines of investigation we followed, and includes defensive code snippets and SIEM queries for defenders to use.
What happened and why it mattered
Researchers demonstrated that the Teams desktop client stored session tokens in locations and formats readable by other local processes. Once an attacker could execute code locally, they could read the session tokens and call the Microsoft Graph and Teams APIs as the victim. Client-side token handling has long been a problem for application developers; direct breaches of Microsoft cloud authentication are rarer.
Microsoft patched the local token storage, bound tokens to their device context, and reduced token lifetimes to limit the window in which a stolen token can be replayed.
Forensic Footprint Investigators Saw
SOC teams saw consistent artifacts that pointed to token reuse:
• Successful Graph API requests for one UserPrincipalName from disparate IPs and user agents.
• Nonstandard client names (headless browsers or scripted clients) in SigninLogs.
• Memory artifacts showing serialized session objects (not raw passwords).
• AcquireTokenSilent patterns followed by bulk reads or message exports.
These indicators allowed for quick escalation from phishing triage to full token-theft incident response.
Technical Appendix
Sensitive fields and exploit steps are redacted. The appendix covers defensive actions and detections, and shows a redacted token structure for reference.
Redacted Token Structure (Example)
A bearer token has three dot-separated parts: header, payload, and signature. The example below is fictional, and the signature is obscured:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsImV4cCI6MTcwMDAwMDAwMH0.[signature redacted: #####]
Defenders correlate the aud, iss, exp, and oid claims to trace sessions without exposing secret material.
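To show how those claims are pulled out of a captured token during triage, here is an added Python example (not code from the article or from Microsoft). It decodes only the header and payload of the fictional token above, restores the base64url padding that JWTs strip, tolerates the redacted signature segment, and returns the correlation claims with None for any that are absent; the signature is never verified or trusted.

```python
import base64
import json
import time
from typing import Optional

# Constructed example: the same fictional bearer token the article shows,
# with the signature segment already redacted.
EXAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsImV4cCI6MTcwMDAwMDAwMH0."
    "[signature redacted: #####]"
)

# Claims a responder pivots on when tracing one session across logs.
CORRELATION_CLAIMS = ("aud", "iss", "exp", "oid", "sub", "tid")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs omit."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def parse_jwt(token: str) -> dict:
    """Decode header and payload without touching the signature.

    This is for reading an already-captured token during an investigation,
    not for accepting it: the third segment is ignored, so a redacted or
    missing signature still parses.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return {"header": header, "payload": payload}


def correlation_claims(token: str) -> dict:
    """Return only the claims used to trace a session; missing ones map to None."""
    payload = parse_jwt(token)["payload"]
    return {name: payload.get(name) for name in CORRELATION_CLAIMS}


def is_expired(token: str, now: Optional[float] = None) -> bool:
    """True when the exp claim is at or before now (defaults to the current time)."""
    exp = parse_jwt(token)["payload"].get("exp")
    if exp is None:
        return True  # a token without an expiry is not one to rely on
    current = now if now is not None else time.time()
    return current >= exp


def redact_for_logging(token: str) -> str:
    """Keep header and payload (no secret material) but drop the signature."""
    head, body, _signature = token.split(".", 2)
    return f"{head}.{body}.[signature redacted]"


if __name__ == "__main__":
    print(json.dumps(correlation_claims(EXAMPLE_TOKEN), indent=2))
    print("expired:", is_expired(EXAMPLE_TOKEN))
    print(redact_for_logging(EXAMPLE_TOKEN))
```

The fictional token carries only sub and exp, so oid, aud, iss and tid come back as None; a real Entra token would populate them, and the same function feeds them straight into a SIEM pivot.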
Defensive, Production-Ready Snippets
Revoke Sessions (Microsoft Graph – Defensive)
POST https://graph.microsoft.com/v1.0/users/{user-id}/revokeSignInSessions
Authorization: Bearer {admin-access-token}
Content-Type: application/json
A 204 No Content response indicates sessions and refresh tokens were invalidated.
Secure Token Caching (Python + Keyring + MSAL Pattern)
import keyring
from msal import PublicClientApplication, SerializableTokenCache

APP_ID = "your-app-id"
SCOPES = ["User.Read"]

# MSAL's default TokenCache cannot be serialized; use the serializable variant
# and back it with the OS credential store (Keychain, DPAPI, Secret Service).
cache = SerializableTokenCache()
cache_blob = keyring.get_password("teams_cache", "app")
if cache_blob:
    cache.deserialize(cache_blob)

app = PublicClientApplication(APP_ID, token_cache=cache)

# Silent acquisition needs a cached account; fall back to interactive sign-in.
accounts = app.get_accounts()
result = app.acquire_token_silent(SCOPES, account=accounts[0]) if accounts else None
if not result:
    result = app.acquire_token_interactive(SCOPES)

# Persist the cache only when it changed, and only into the protected store.
if cache.has_state_changed:
    keyring.set_password("teams_cache", "app", cache.serialize())
This avoids plaintext token files by using the OS-protected store.
Rotate Service Principal Credentials (Azure CLI – Defensive)
az ad app credential reset --id {app-id} --append --display-name "rotate-2025-10" --years 1
# --append adds a new secret alongside the current one instead of replacing it.
# Verify the new secret in the vault, then retire the old secret after validation.
Detection Queries and Playbook (Tunable)
KQL to Flag Likely Token Replay
SigninLogs
| where TimeGenerated > ago(7d) and ResultType == "0"   // ResultType is a string column; "0" is success
| summarize IPs = dcount(IPAddress), Clients = dcount(ClientAppUsed) by UserPrincipalName
| where IPs > 3 or Clients > 3
Correlate with AuditLogs showing large Graph API activity for the same account.
Automated response: isolate endpoint, revoke sessions, require password reset and MFA re-enrollment, rotate app credentials, preserve logs for forensics.
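The following added Python example (not code from the article) reproduces the KQL logic above, plus the AuditLogs correlation and the forensic indicators listed earlier (disparate IPs and client names, nonstandard clients, bulk Graph reads), over constructed sample rows shaped like Sentinel's SigninLogs and AuditLogs tables. Field names follow those tables; the values, the 7-day window, the thresholds of 3 and 50, and the treatment of "Other clients" as a nonstandard-client signal are assumptions to tune per tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (UTC); none of this is real tenant data.
NOW = datetime(2025, 10, 24, 12, 0, tzinfo=timezone.utc)
JOHN = "john.doe@example.com"
JANE = "jane.roe@example.com"


def _signin(age, upn, ip, client, result="0"):
    """Build one SigninLogs-shaped row; ResultType "0" means success."""
    return {"TimeGenerated": NOW - age, "UserPrincipalName": upn,
            "ResultType": result, "IPAddress": ip, "ClientAppUsed": client}


SIGNIN_LOGS = [
    _signin(timedelta(days=1), JOHN, "203.0.113.10", "Browser"),
    _signin(timedelta(days=2), JOHN, "203.0.113.11", "Browser"),
    _signin(timedelta(days=3), JOHN, "198.51.100.5", "Mobile Apps and Desktop clients"),
    _signin(timedelta(days=4), JOHN, "192.0.2.77", "Other clients"),
    _signin(timedelta(days=10), JOHN, "203.0.113.200", "Browser"),        # outside the 7-day window
    _signin(timedelta(hours=1), JOHN, "192.0.2.99", "Browser", "50126"),  # failed sign-in, ignored
    _signin(timedelta(days=1), JANE, "203.0.113.50", "Browser"),
    _signin(timedelta(days=2), JANE, "203.0.113.50", "Mobile Apps and Desktop clients"),
]

# One AuditLogs-shaped row per Graph operation; John's volume resembles a bulk export.
AUDIT_LOGS = (
    [{"TimeGenerated": NOW - timedelta(minutes=i), "UserPrincipalName": JOHN,
      "OperationName": "Read message"} for i in range(60)]
    + [{"TimeGenerated": NOW - timedelta(minutes=i), "UserPrincipalName": JANE,
        "OperationName": "Read message"} for i in range(3)]
)

# Assumed set of ClientAppUsed values treated as nonstandard; tune per tenant.
NONSTANDARD_CLIENTS = {"Other clients"}


def flag_token_replay(signins, now=NOW, window_days=7, ip_threshold=3, client_threshold=3):
    """Mirror the KQL: distinct IPs and client apps per UPN over successful sign-ins."""
    start = now - timedelta(days=window_days)
    ips, clients = defaultdict(set), defaultdict(set)
    for row in signins:
        if row["TimeGenerated"] < start or row["ResultType"] != "0":
            continue
        upn = row["UserPrincipalName"]
        ips[upn].add(row["IPAddress"])
        clients[upn].add(row["ClientAppUsed"])
    return {
        upn: {"IPs": len(ips[upn]), "Clients": len(clients[upn]),
              "NonstandardClient": bool(clients[upn] & NONSTANDARD_CLIENTS)}
        for upn in ips
        if len(ips[upn]) > ip_threshold or len(clients[upn]) > client_threshold
    }


def graph_activity(audits, now=NOW, window_days=7):
    """Count Graph operations per UPN inside the window."""
    start = now - timedelta(days=window_days)
    counts = defaultdict(int)
    for row in audits:
        if row["TimeGenerated"] >= start:
            counts[row["UserPrincipalName"]] += 1
    return counts


def triage(signins, audits, now=NOW, bulk_threshold=50):
    """Join replay flags with Graph volume; escalate only when both signals coincide."""
    flags = flag_token_replay(signins, now)
    ops = graph_activity(audits, now)
    findings = {}
    for upn, signal in flags.items():
        findings[upn] = {**signal, "GraphOps": ops.get(upn, 0),
                         "Escalate": ops.get(upn, 0) >= bulk_threshold}
    return findings


if __name__ == "__main__":
    for upn, finding in triage(SIGNIN_LOGS, AUDIT_LOGS).items():
        print(upn, finding)
```

John trips the IP threshold (four distinct addresses inside the window; the 10-day-old row and the failed sign-in are excluded, exactly as the KQL's time and ResultType filters do) and shows a nonstandard client, and the 60 Graph reads push the finding to Escalate, which is the point at which the playbook steps above (isolate, revoke, reset, rotate, preserve logs) would fire. Jane, with one IP and two clients, never appears.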
Final Takeaway
The patched Teams incident shows endpoint token handling is a critical security boundary. Tokens must be stored and scoped carefully, and teams should couple short lifetimes, device binding, and rapid revocation with robust endpoint detection.