Cyber Security News

Hackers Could Drop Teams Malware via Browser’s Cache Smuggling

A novel attack vector combining browser cache exploitation and DLL proxying has emerged as a significant threat to organizations using Microsoft Teams and OneDrive.

Dubbed Browser Cache Smuggling, this technique allows attackers to bypass traditional security defenses by leveraging browsers’ caching mechanisms to deliver malware disguised as benign files.

Modern browsers cache static files (e.g., images, JavaScript) to improve performance. Attackers exploit this by hosting malicious DLL files on a webpage, disguised as innocuous content like images.

When a user visits the site, the browser caches the DLL as if it were a legitimate resource, because the server's Content-Type header labels it as one, Orange Cyberdefense said.

For example, a malicious HTML page embedding a hidden <img src="payload.dll"> triggers the browser to cache the DLL. 

Attackers then socially engineer the victim to execute a PowerShell command that locates the cached DLL and moves it to a high-risk directory, such as Microsoft Teams’ or OneDrive’s localappdata folders.
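A defender's counterpart to the caching behaviour described above, added here as an example (it is not code from the article or from Orange Cyberdefense): a PowerShell hunt that walks Firefox's cache2/entries store and flags any cached entry that carries a Windows PE header, whatever Content-Type it was served with. A DLL delivered as an "image" still begins with the "MZ" DOS stub and carries a "PE\0\0" signature at the offset stored at 0x3C, so the check does not depend on the server's label. The Firefox profile location and the assumption that cache2 writes the raw response body at the start of each entry file are assumptions of this example, not statements from the article.

```powershell
# Added example, not part of the article: hunt for PE files in Firefox's cache2 store.
# Assumption: cache2 stores the raw response body at the start of each entry file,
# so a smuggled DLL keeps its DOS/PE headers at offset 0.

function Test-PeHeader {
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        # A PE file needs at least a full 64-byte DOS header.
        if ($fs.Length -lt 0x40) { return $false }
        $dos = New-Object byte[] 0x40
        $null = $fs.Read($dos, 0, 0x40)
        # DOS stub magic "MZ"
        if ($dos[0] -ne 0x4D -or $dos[1] -ne 0x5A) { return $false }
        # e_lfanew at offset 0x3C points to the "PE\0\0" signature
        $peOffset = [BitConverter]::ToInt32($dos, 0x3C)
        if ($peOffset -le 0 -or ($peOffset + 4) -gt $fs.Length) { return $false }
        $null = $fs.Seek($peOffset, [System.IO.SeekOrigin]::Begin)
        $sig = New-Object byte[] 4
        $null = $fs.Read($sig, 0, 4)
        return ($sig[0] -eq 0x50 -and $sig[1] -eq 0x45 -and $sig[2] -eq 0 -and $sig[3] -eq 0)
    } finally {
        $fs.Dispose()
    }
}

function Find-CachedPeFiles {
    param(
        # Assumption: Firefox profiles live under the default LOCALAPPDATA path.
        [string]$CacheRoot = "$env:LOCALAPPDATA\Mozilla\Firefox\Profiles"
    )
    Get-ChildItem -Path $CacheRoot -Directory -Filter "*.default*" -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName "cache2\entries" } |
        Where-Object { Test-Path $_ } |
        ForEach-Object {
            Get-ChildItem -Path $_ -File -ErrorAction SilentlyContinue |
                Where-Object { Test-PeHeader $_.FullName } |
                ForEach-Object {
                    # Each hit is a triage lead: a cached HTTP response that is really an executable.
                    [PSCustomObject]@{
                        Path          = $_.FullName
                        SizeBytes     = $_.Length
                        LastWriteTime = $_.LastWriteTime
                    }
                }
        }
}

Find-CachedPeFiles | Format-Table -AutoSize
```

Run it under the user's own account (the cache is per profile, no admin rights needed); any hit is worth pairing with the browser history around its LastWriteTime to identify the page that delivered it.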

DLL Proxying: Evading Detection

Attackers use DLL proxying to avoid crashing applications and bypass antivirus software. Legitimate applications like Teams load DLLs from their installation directories, following the Windows DLL search order. By placing a malicious DLL in these directories, attackers hijack the process.

The malicious DLL proxies legitimate function calls to the original DLL while executing payloads like Cobalt Strike beacons. For instance, a forged VERSION.dll in Teams’ directory would:

  1. Execute malware to establish a C2 connection.
  2. Forward legitimate API calls to the genuine DLL.

This dual functionality ensures the application runs normally, reducing suspicion.

Weaponizing Teams and OneDrive

Orange Cyberdefense chose Microsoft Teams and OneDrive as targets because:

  • They are installed under the user's localappdata folder and run with user privileges, so a DLL can be planted without admin rights.
  • Their frequent internet communication masks malicious traffic.

Attackers use a PowerShell script to search the browser cache (e.g., Firefox’s cache2/entries) for the smuggled DLL and copy it to Teams’ directory:

# Walk each Firefox cache2 entry, look for the marker string in the smuggled file,
# and copy any hit into Teams' folder under the hijacked DLL name
foreach ($f in @("$env:LOCALAPPDATA\Mozilla\Firefox\Profiles\*.default-release\cache2\entries\")) {
    gci $f -r | % {
        if (Select-String -Pattern "PAYLOAD" -Path $_.FullName) {
            cp $_.FullName "$env:LOCALAPPDATA\Microsoft\Teams\VERSION.dll"
        }
    }
}
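The check a defender would pair with the DLL proxying description and with the copy script above, added here as an example and not part of the article or of Orange Cyberdefense's tooling: inventory every DLL under the user-writable Teams and OneDrive folders and flag those whose Authenticode signature is missing, invalid, or not from Microsoft, plus any file carrying the name of a DLL that normally resolves from System32 (the article's VERSION.dll). The folder paths and the Microsoft subject string are assumptions of this example.

```powershell
# Added example, not part of the article: flag planted or proxied DLLs in
# user-writable application folders.
# Assumption: classic Teams and OneDrive install under LOCALAPPDATA.

function Get-SuspiciousUserDlls {
    param(
        [string[]]$Roots = @(
            "$env:LOCALAPPDATA\Microsoft\Teams",
            "$env:LOCALAPPDATA\Microsoft\OneDrive"
        ),
        # DLL names that normally resolve from System32; a copy in the app folder
        # is a search-order hijack indicator (version.dll is the article's example).
        [string[]]$SystemDllNames = @("version.dll")
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter *.dll -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "" }
                # Assumption: legitimate Teams/OneDrive binaries carry a Microsoft Corporation subject.
                $isMicrosoft = $signer -like "*O=Microsoft Corporation*"
                $reasons = @()
                if ($sig.Status -ne "Valid") {
                    $reasons += "signature $($sig.Status)"
                } elseif (-not $isMicrosoft) {
                    $reasons += "signed by non-Microsoft subject"
                }
                if ($SystemDllNames -contains $_.Name.ToLower()) {
                    $reasons += "system DLL name in app folder"
                }
                if ($reasons.Count -gt 0) {
                    [PSCustomObject]@{
                        Path    = $_.FullName
                        Status  = $sig.Status
                        Signer  = $signer
                        Reason  = ($reasons -join "; ")
                        Written = $_.LastWriteTime
                    }
                }
            }
    }
}

Get-SuspiciousUserDlls | Format-Table -AutoSize
```

Hits are triage leads rather than verdicts: bundled third-party components may legitimately carry other signers, so build a baseline from a known-clean install and alert on deviations from it. A proxy DLL typically reveals itself by a recent write time, a non-Microsoft or absent signature, and an original DLL renamed alongside it.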

Browser Cache Smuggling bypasses network-based defenses by leveraging legitimate browser behavior, while DLL proxying hides malware in trusted processes. With 78% of enterprises relying on Microsoft 365, this technique poses a widespread risk.

As browsers and enterprises gradually adopt stricter cache policies, red teams and defenders must prioritize understanding these evolving attack surfaces.

The technique, first highlighted at Insomni’hack 2025, underscores the need for layered defenses against socially engineered attacks leveraging trusted software.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
