Saved February 14, 2026
This article details methods for retrieving access tokens from Microsoft Teams, focusing on how to extract them from the application's storage. It outlines the steps to locate the tokens, decrypt them, and use them to interact with Microsoft Graph API for actions like sending messages or reading chats.
Retrieving access tokens from Microsoft Teams can expose sensitive information, including chats and documents. The article outlines methods to extract these tokens from Office desktop applications, focusing on Microsoft Teams. Initially, access tokens were stored in plaintext in a SQLite database, but recent changes mean they are now encrypted. The author describes how to capture these tokens in memory, particularly by targeting the msedgewebview2.exe process, which handles authentication through an embedded browser.
Using Sysinternals' ProcMon, the author identifies where authentication tokens are written during the login process. The Cookies database contains three critical fields: host_key, name, and encrypted_value. Each encrypted_value begins with a version tag identifying the encryption scheme; the key that decrypts these values is stored, protected by the Data Protection API (DPAPI), in a specific JSON file, and the article details how to recover that key and decrypt the tokens with AES-256-GCM.
A proof of concept in Rust demonstrates the extraction process, with one limitation: while the ms-teams.exe process is running, the Cookies file is locked and cannot be opened. Once the access token is retrieved, it can be used against the Microsoft Graph API for Teams, allowing actions such as reading conversations or sending messages. The article also mentions GraphSpy, a post-exploitation tool that can use the access token to perform various actions in the compromised user's context.
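From the defender's side, the same ProcMon trace the author used to find the token store is also the signal for spotting tooling that reads it: the only processes that should touch the Teams WebView2 cookie store are ms-teams.exe and msedgewebview2.exe, and a foreign process that tries while Teams is running hits the file lock described above and shows up as a SHARING VIOLATION. The script below is an added example, not code from the article or from GraphSpy; it runs that check over a few constructed ProcMon-style CSV lines. The user path, the EBWebView directory and the "Local State" file name for the key-holding JSON are assumptions made for the sample, not values taken from the page.

```python
import csv
import io
from dataclasses import dataclass

# Processes the article identifies as legitimately handling the Teams cookie store.
EXPECTED_PROCESSES = {"ms-teams.exe", "msedgewebview2.exe"}


@dataclass
class Finding:
    time: str
    process: str
    pid: int
    operation: str
    path: str
    result: str
    reason: str


def is_token_store(path: str) -> bool:
    """True for the Cookies database or the JSON file holding the DPAPI-protected key.

    The 'Local State' file name is an assumption (Chromium's usual name); the page only
    says 'a specific JSON file'.
    """
    p = path.lower()
    return p.endswith("\\cookies") or p.endswith("\\local state")


def analyze_procmon_csv(procmon_csv: str) -> list[Finding]:
    """Flag accesses to the Teams token store by processes other than Teams itself."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        path = row["Path"]
        if not is_token_store(path):
            continue
        process = row["Process Name"].lower()
        if process in EXPECTED_PROCESSES:
            continue
        if row["Result"] == "SHARING VIOLATION":
            # The attempt was blocked by the lock Teams holds while it is running.
            reason = "unexpected process blocked by Teams file lock on token store"
        else:
            reason = "unexpected process opened Teams token store"
        findings.append(Finding(
            time=row["Time of Day"],
            process=row["Process Name"],
            pid=int(row["PID"]),
            operation=row["Operation"],
            path=path,
            result=row["Result"],
            reason=reason,
        ))
    return findings


# Constructed sample in ProcMon's CSV export layout; the paths are placeholders.
SAMPLE_PROCMON_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.100,ms-teams.exe,4120,CreateFile,C:\Users\alice\AppData\Local\Placeholder\EBWebView\Default\Cookies,SUCCESS,Desired Access: Generic Read/Write
10:01:02.300,msedgewebview2.exe,4388,WriteFile,C:\Users\alice\AppData\Local\Placeholder\EBWebView\Default\Cookies,SUCCESS,Offset: 0
10:05:44.010,notepad.exe,5120,CreateFile,C:\Users\alice\Documents\notes.txt,SUCCESS,Desired Access: Generic Read
10:07:11.500,unknown.exe,6011,CreateFile,C:\Users\alice\AppData\Local\Placeholder\EBWebView\Default\Cookies,SHARING VIOLATION,Desired Access: Generic Read
10:07:11.700,unknown.exe,6011,CreateFile,C:\Users\alice\AppData\Local\Placeholder\EBWebView\Local State,SUCCESS,Desired Access: Generic Read
"""


if __name__ == "__main__":
    for f in analyze_procmon_csv(SAMPLE_PROCMON_CSV):
        print(f"{f.time} {f.process}({f.pid}) {f.operation} {f.path} -> {f.result}: {f.reason}")
```

In production the same logic would run over Sysmon file-access events or an EDR's file telemetry rather than a ProcMon export; the discriminating facts stay the same: which process opened the file, and whether the open was refused by the lock.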