

Severity
High
Analysis Summary
A newly described attack chain, Browser Cache Smuggling, combines abuse of the browser's disk cache with DLL proxying to get attacker code running inside Microsoft Teams or OneDrive. Browsers cache static resources such as images and JavaScript so that later page loads are faster. The attacker hosts a malicious DLL on a web page but serves it with a Content-Type header that makes it look like an ordinary asset (an image, for example), so the browser writes the file to its on-disk cache as soon as the victim visits the page. Nothing is executed at this point and no download prompt is shown; the DLL simply sits in the cache, already on the endpoint, waiting for the second stage.
In the second stage, social engineering persuades the victim to run a short PowerShell command that locates the cached body and copies it into a directory belonging to Microsoft Teams or OneDrive under the user's profile. Execution then relies on DLL proxying. The Windows loader resolves a library by searching the application's own directory before the system directories, so a forged VERSION.dll placed next to the Teams binary is loaded in place of the genuine one from System32. The forged library runs the attacker's code and forwards every legitimate export to the original DLL, so the application keeps working, nothing crashes, and there is little for the user to notice.
According to the researcher, targeting Teams and OneDrive means the whole chain runs with the victim's own privileges: both applications install under the user's profile, where the user already has write access, so no administrative rights are needed, and both talk to the internet constantly, so traffic from the hijacked process blends into normal usage. The second stage is automated with PowerShell that walks Firefox's cache directory (cache2/entries under the profile folder), identifies the entry holding the DLL and extracts it. Because the first stage is an ordinary HTTP fetch of what looks like an image, network-based security tools have little to flag, and because the payload executes inside a trusted, signed process and forwards calls to the real DLL, signature-based antivirus frequently misses it as well.
The technique was first presented at Insomni'hack 2025 and shows how far socially engineered delivery has moved beyond asking a user to open an attachment. With 78% of enterprises relying on Microsoft 365, the exposure is broad. Mitigation needs layered defences: cache and download policy, behavioural detection of the PowerShell stage, and endpoint monitoring of writes into application directories. Red teams and defenders alike should treat the browser cache as a delivery channel and the per-user application directory as a code-execution surface.
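The summary above describes the PowerShell stage harvesting the DLL from Firefox's cache2/entries store; the same property that makes the cache useful to the attacker (the raw response body is written to disk first, with Firefox's own metadata appended after it) makes it searchable for defenders. The following is an added example of that hunt, written for this page and not taken from the researcher's tooling: it walks an entries directory, flags any entry whose body begins with a valid DOS/PE header, and pulls a URL out of the trailing metadata as a hint to where the body was fetched from. The sample cache it builds is constructed (two fake entries, a reserved .invalid hostname, a trailer that only mimics the fact that the URL follows the body, not Firefox's real metadata layout).

```python
"""Hunt a Firefox cache2/entries directory for cached Windows PE images.

Added example: each entry holds the raw response body first and Firefox's own
metadata (including the request URL) after it, so a smuggled DLL is simply a
cache entry whose first bytes are a DOS/PE header.
"""
import os
import re
import struct
import tempfile
from typing import Dict, List, Optional

E_LFANEW_OFFSET = 0x3C  # DOS header field that points at the PE signature
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")  # printable-ASCII URL (assumption)


def is_pe(data: bytes) -> bool:
    """True when data starts with 'MZ' and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def url_hint(data: bytes) -> Optional[str]:
    """Heuristic: first URL found after the body, so the analyst knows the origin."""
    m = URL_RE.search(data)
    return m.group(0).decode("ascii") if m else None


def scan_cache_entries(entries_dir: str) -> List[Dict]:
    """One finding per entry whose body is a PE image; images and scripts are skipped."""
    findings = []
    for name in sorted(os.listdir(entries_dir)):
        path = os.path.join(entries_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if is_pe(data):
            findings.append({"entry": name, "size": len(data), "url": url_hint(data)})
    return findings


# --- constructed sample data; not a real cache and not Firefox's real metadata layout ---

def build_minimal_pe(size: int = 0x200) -> bytes:
    """Stand-in for a DLL: DOS header, e_lfanew -> 0x80, PE signature, no code."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


def fake_trailer(url: bytes) -> bytes:
    """Mimics only the fact that the URL and response headers follow the body."""
    return b"\x00:" + url + b"\x00response-head\x00HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\x00"


def build_demo_cache() -> str:
    """Temp dir with a JPEG-looking entry and a PE body that was served as image/jpeg."""
    d = tempfile.mkdtemp(prefix="cache2-entries-")
    with open(os.path.join(d, "1F" * 20), "wb") as fh:  # real entry names are hex digests
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64 + fake_trailer(b"https://cdn.example.invalid/img/logo.jpg"))
    with open(os.path.join(d, "2E" * 20), "wb") as fh:
        fh.write(build_minimal_pe() + fake_trailer(b"https://cdn.example.invalid/img/banner.jpg"))
    return d


if __name__ == "__main__":
    for f in scan_cache_entries(build_demo_cache()):
        print(f"PE body in entry {f['entry']} ({f['size']} bytes) fetched from {f['url']}")
```

Two caveats for production use. Firefox keeps the body as it came off the wire, so a payload delivered with Content-Encoding: gzip has its MZ header inside the compressed stream and this check misses it; a real hunt should decompress according to the encoding recorded in the entry before testing, or hash decoded bodies against IOC lists. The URL extraction is deliberately rough: the real metadata format is versioned and is not parsed here.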
Impact
- Security Bypass
- Code Execution in the context of the logged-in user (no administrative rights required)
- Gain Access
Remediation
- Reduce the value of the browser cache as a staging area: where feasible, disable or shrink the disk cache through browser enterprise policy, and have the web proxy or secure web gateway drop responses whose body begins with an MZ header regardless of the declared Content-Type.
- Compare the declared Content-Type with the body's magic bytes at the proxy and block mismatches (for example image/* with a PE body); this requires TLS inspection to see HTTPS responses.
- Use Windows Defender Application Control (WDAC) or AppLocker DLL rules so that only Microsoft-signed DLLs load from user-writable locations such as %LOCALAPPDATA%. AppLocker's DLL rule collection is not enabled by default and adds load-time overhead, so test before broad rollout.
- Treat any DLL in the Teams or OneDrive directories that is not Authenticode-signed by Microsoft as suspicious. The attack writes into the application's official directory, so a path-only check provides no protection.
- Deploy behaviour-based detection for the PowerShell stage: command lines that reference Firefox's cache2\entries path, read cache files as raw bytes, or copy files into application directories.
- Monitor file-creation telemetry (Sysmon Event ID 11 or EDR equivalent) for .dll files written under %LOCALAPPDATA%\Microsoft\Teams and %LOCALAPPDATA%\Microsoft\OneDrive by anything other than the applications' own installers and updaters.
- Educate employees about social engineering tactics and the risk of pasting PowerShell commands they have not verified.
- Encourage safe browsing practices, such as avoiding unknown links and downloads.
- Keep Microsoft Teams and OneDrive current, and prefer per-machine deployments, which place the binaries under Program Files where standard users cannot write; this removes the writable application directory the DLL hijack depends on.
- Where per-user installs remain, accept that the directory is user-writable by design and compensate with the signing, monitoring and application-control measures above.
- Conduct regular penetration testing to identify exposure to DLL search-order hijacking and DLL proxying in the applications your users run.
- Use threat intelligence feeds to track emerging attack patterns and indicators of compromise (IoCs).