
Summary
This detection rule identifies suspicious access to the files in which the Microsoft Teams desktop application stores authentication tokens in cleartext. It monitors Windows Security Event ID 4663 (an attempt was made to access an object), which is only recorded when object access auditing is enabled and a SACL has been configured on the files in question. The rule matches events whose object name lies under the Teams application data directory and names the 'Cookies' file or the 'Local Storage' database, and it filters out access by the Teams executable itself, since Teams legitimately reads its own token store. An alert is therefore raised when any other process, such as a scripting host or an unknown binary, reads these files. This gives defenders a way to detect, rather than prevent, attempts to extract Teams tokens from disk. Because the exclusion is based on the accessing process name, a tool copied to disk and renamed Teams.exe would evade it, so the alert is best correlated with process creation and signature data.
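The following is an added illustration of the detection logic described above, written for this page and not taken from the rule itself or its author. It applies the selection (Event ID 4663 on a Teams token file) and the exclusion (accessing process is Teams.exe) to a handful of constructed 4663 events. The field names (EventID, ObjectName, ProcessName), the exact path fragments under the Teams profile directory, and the leveldb subfolder are assumptions chosen to resemble what a Security log parser would emit.

```python
"""Worked example (not the rule's own code): apply the Teams token-file access
logic to constructed Windows Security Event 4663 records."""

from typing import Dict, Iterable, List

# Path fragments of the Teams token stores named in the rule. The exact
# layout (notably the leveldb subfolder) is an assumption for this example.
TEAMS_TOKEN_PATHS = (
    r"\Microsoft\Teams\Cookies",
    r"\Microsoft\Teams\Local Storage\leveldb",
)

# Constructed sample events (not real logs). Field names approximate what an
# EVTX parser would produce for Security Event ID 4663 / 4656.
SAMPLE_EVENTS: List[Dict] = [
    {   # Teams reading its own cookie store: expected, filtered out
        "EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x1",
        "ProcessName": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
        "ObjectName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies",
    },
    {   # PowerShell reading the cookie store: alert
        "EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x1",
        "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ObjectName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies",
    },
    {   # Unknown binary reading the Local Storage database: alert
        "EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x1",
        "ProcessName": r"C:\Users\alice\Downloads\updater.exe",
        "ObjectName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\000003.log",
    },
    {   # Unrelated file: no match
        "EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x1",
        "ProcessName": r"C:\Windows\explorer.exe",
        "ObjectName": r"C:\Users\alice\Documents\notes.txt",
    },
    {   # Handle request (4656), not the object access event the rule keys on
        "EventID": 4656, "SubjectUserName": "alice", "AccessMask": "0x1",
        "ProcessName": r"C:\Windows\System32\cmd.exe",
        "ObjectName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies",
    },
]


def is_teams_token_file(object_name: str) -> bool:
    """Selection: object is one of the Teams cleartext token stores."""
    name = object_name.lower()
    return any(frag.lower() in name for frag in TEAMS_TOKEN_PATHS)


def is_teams_process(process_name: str) -> bool:
    """Exclusion: the accessing process is the Teams executable itself.
    This is a name check only, so a renamed tool would pass it."""
    return process_name.lower().endswith(r"\teams.exe")


def matches(event: Dict) -> bool:
    """Sigma-style condition: selection and not filter."""
    return (
        event.get("EventID") == 4663
        and is_teams_token_file(event.get("ObjectName", ""))
        and not is_teams_process(event.get("ProcessName", ""))
    )


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return the events that should raise an alert."""
    return [e for e in events if matches(e)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT user={alert['SubjectUserName']} "
              f"process={alert['ProcessName']} object={alert['ObjectName']}")
```

Running the script prints two alerts, for powershell.exe and updater.exe; the Teams.exe read, the unrelated file and the 4656 handle request are dropped. In production the same logic assumes a SACL on the Cookies file and the Local Storage directory, otherwise no 4663 events are written for them at all.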
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- File
Created: 2022-09-16