Recent research has exposed a security flaw in Microsoft Teams' external-tenant messaging that attackers can exploit, raising concerns about the risk to organizations and the need for tighter security controls.
In today’s digital landscape, communication and collaboration platforms have become crucial tools for organizations.
Microsoft Teams is a widely used platform that integrates messaging, video conferencing, file sharing, and other productivity features. It has gained immense popularity with its seamless integration of these features.
However, research by Jumpsec Labs has shown that the platform's default external access configuration can be abused to deliver malicious files to staff, which raises concerns about the risk this poses and the need for enhanced security measures.
The Microsoft Teams Exploit: Delivering Malware to Inboxes
This exploit lets an external attacker deliver a malicious file directly into an employee's Teams inbox, where it looks like any other shared attachment. That is dangerous if the employee is not careful about what they open.
It takes advantage of Microsoft Teams' default configuration, which allows users from outside the organization (other Microsoft 365 tenants) to message staff. With the bypass described below, that default gives an attacker a delivery channel that sidesteps the controls organizations rely on for email, and a foothold from which to reach sensitive information.
Tom Ellson and Max Corbridge of Jumpsec Labs' Red Team discovered that the restriction in the "External Tenants" feature that is meant to stop external users from sending files to an organization's employees can be bypassed, allowing malware-laden files to be delivered to staff.
Because the file arrives through Teams rather than email, this method bypasses the traditional payload delivery controls (mail filtering and attachment scanning) that organizations rely on, posing a significant threat to their defenses.
The restriction is enforced on the client side. The service itself can be tricked by manipulating the internal and external recipient IDs in the POST request, effectively making it treat the external user as an internal recipient.
An attacker can use this to drop a malicious file into a Teams chat with the target; if the target opens it, the attacker's code runs on the target's device.
When sending the payload like this, it is actually hosted on a Sharepoint domain and the target downloads it from there. It appears, however, in the target inbox as a file, not a link. – Jumpsec Labs
Threat actors can therefore send malicious payloads as ordinary file attachments directly to employees' Microsoft Teams inboxes. If an attacker can convince an employee to open a specially crafted file received this way, the attacker's code executes with the privileges of the user who opened it.
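To make the authorization flaw concrete, here is an added illustration in Python. It is not Microsoft Teams code and does not describe Teams' real API: the service, its request fields (sender, recipient, file), the directory, the tenant names and the allow list are all assumptions. It models a chat service whose external-user file restriction is decided from a client-supplied sender ID, shows that swapping the IDs slips a file into the internal user's thread, and contrasts it with a version that derives the poster's identity from the authenticated session.

```python
"""Hypothetical chat service showing the swapped-ID authorization flaw.

Not Microsoft Teams code: the request fields, directory and policy below
are assumptions made for this illustration.
"""
from dataclasses import dataclass

ORG_TENANT = "contoso.example"                  # the defending organisation (constructed)
ALLOWED_EXTERNAL_TENANTS = {"partner.example"}  # admin allow list of external tenants (constructed)


@dataclass(frozen=True)
class User:
    user_id: str
    tenant: str


# Constructed directory: staff in the org tenant, a partner, and an attacker.
DIRECTORY = {
    "u-alice":   User("u-alice", ORG_TENANT),
    "u-bob":     User("u-bob", ORG_TENANT),
    "u-jo":      User("u-jo", "partner.example"),
    "u-mallory": User("u-mallory", "attacker.example"),
}

# Two requests the attacker (authenticated as u-mallory) might send.
HONEST = {"sender": "u-mallory", "recipient": "u-alice", "file": "invoice.exe"}
SWAPPED = {"sender": "u-alice", "recipient": "u-mallory", "file": "invoice.exe"}


def _deliver(members, poster, body):
    """Post the message into the 1:1 thread shared by both members."""
    return {"thread": frozenset(members), "from": poster,
            "text": body.get("text", ""), "file": body.get("file")}


def post_vulnerable(session_user, body):
    """Flawed: the 'is the poster external?' decision reads the client-supplied
    sender field.  The thread membership is a set, so swapping sender and
    recipient leaves the same two people in the chat but flips the check."""
    claimed_sender = body["sender"]            # BUG: attacker controls this
    recipient = body["recipient"]
    if body.get("file") and DIRECTORY[claimed_sender].tenant != ORG_TENANT:
        raise PermissionError("external users may not send files")
    return _deliver({claimed_sender, recipient}, session_user, body)


def post_hardened(session_user, body):
    """Fixed: identity comes only from the authenticated session, any sender
    field in the body is ignored, and both the federation allow list and the
    file restriction are evaluated from the server-side directory."""
    poster = DIRECTORY[session_user]
    recipient = DIRECTORY[body["recipient"]]
    if poster.user_id == recipient.user_id:
        raise ValueError("recipient must differ from the poster")
    foreign = {poster.tenant, recipient.tenant} - {ORG_TENANT}
    if not foreign <= ALLOWED_EXTERNAL_TENANTS:
        raise PermissionError("tenant is not on the external access allow list")
    if body.get("file") and poster.tenant != ORG_TENANT:
        raise PermissionError("external users may not send files")
    return _deliver({poster.user_id, recipient.user_id}, poster.user_id, body)


def attempt(service, session_user, body):
    """Run a request and report ('delivered', message) or ('rejected', reason)."""
    try:
        return "delivered", service(session_user, body)
    except (PermissionError, ValueError) as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    for name, service in (("vulnerable", post_vulnerable), ("hardened", post_hardened)):
        for label, body in (("honest", HONEST), ("swapped", SWAPPED)):
            print(f"{name:10} {label:8} -> {attempt(service, 'u-mallory', body)}")
```

Running the block prints the honest request being rejected by both services and the swapped request being delivered into the internal user's thread by the vulnerable service but rejected by the hardened one. The general lesson is that an authorization decision must be derived from the authenticated session and server-side data, never from identifiers the client can edit in the request body.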
Understanding the Microsoft Teams Exploit Using TeamsPhisher
TeamsPhisher is a Python tool, written by Alex Reid, that fully automates the attack. It builds on the attack idea of Jumpsec's researchers, techniques developed by Andrea Santese, and the authentication and helper functions from Bastian Kanbach's TeamsEnum tool.
The project's description includes screenshots of the sender's view and the target's view of a delivered message.
The tool requires a Microsoft Business account (MFA is supported) with a valid Teams and SharePoint license, which most larger companies have.
It also offers a "preview mode" for verifying the target list and checking how messages will appear from the recipient's perspective.
Other optional arguments refine the attack: files can be sent as secure links that only the intended recipient can open, a delay can be inserted between messages to avoid rate limiting, and all activity can be written to a log file for later analysis.
According to the TeamsPhisher GitHub repository, organizations can mitigate the risk by managing the external access options in the Microsoft Teams admin center (Users > External access).
Microsoft gives organizations flexibility here, from blocking all external tenants to allow-listing only the specific external tenants they need to communicate with.
Mitigation Strategies and Best Practices for Organizations
Given the risks associated with this flaw, organizations should take steps to mitigate it.
The following strategies and best practices help protect sensitive information.
Limit External Tenant Communication
Organizations can reduce the attack surface by disabling the option for external tenants to contact employees if it is not necessary for their operations.
By restricting external communication, organizations can minimize the risk of malicious payloads being delivered through Microsoft Teams.
Implement Domain Allow-Listing
If organizations need to maintain communication with external tenants, they can implement domain allow-listing.
This security measure restricts communication to specific allow-listed domains, reducing the chances of exploitation by unauthorized parties.
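As an added example, not from the original article, here is a Python triage script that applies the same allow-list idea to exported chat audit records: it flags messages from external tenants whose domain is not on the allow list and, in particular, any file delivered from an external tenant, which the Teams restriction would normally prevent. The record shape, field names, tenant IDs, domains and sample records are constructed for the illustration and are not the real Microsoft 365 audit schema; adapt the accessors to your actual export.

```python
"""Triage exported chat-audit records against the external access allow list.

The record shape, field names, tenant IDs, domains and sample records are
constructed for this illustration and are not the real Microsoft 365 audit
schema.
"""
import json
from urllib.parse import urlparse

ORG_TENANT_ID = "11111111-1111-1111-1111-111111111111"   # our tenant (constructed)
ALLOWED_EXTERNAL_DOMAINS = {"partner.example"}           # mirrors the admin-center allow list (constructed)

# Constructed records, one JSON object per line, as an export might look.
SAMPLE_LOG = """\
{"operation": "MessageSent", "sender": "alice@contoso.example", "sender_tenant_id": "11111111-1111-1111-1111-111111111111", "files": [{"name": "budget.xlsx", "url": "https://contoso.sharepoint.com/personal/alice/budget.xlsx"}]}
{"operation": "MessageSent", "sender": "jo@partner.example", "sender_tenant_id": "22222222-2222-2222-2222-222222222222", "files": []}
{"operation": "MessageSent", "sender": "jo@partner.example", "sender_tenant_id": "22222222-2222-2222-2222-222222222222", "files": [{"name": "brief.pdf", "url": "https://partner.sharepoint.com/sites/shared/brief.pdf"}]}
{"operation": "MessageSent", "sender": "mallory@attacker.example", "sender_tenant_id": "33333333-3333-3333-3333-333333333333", "files": [{"name": "invoice.exe", "url": "https://attacker.sharepoint.com/sites/x/invoice.exe"}]}
{"operation": "MessageSent", "sender": "sam@evil.example", "sender_tenant_id": "44444444-4444-4444-4444-444444444444", "files": []}
{"operation": "ChatCreated", "sender": "bob@contoso.example", "sender_tenant_id": "11111111-1111-1111-1111-111111111111", "files": []}
"""


def parse_log(text):
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def sender_domain(upn):
    """Domain part of a user principal name, lower-cased for allow-list comparison."""
    return upn.rsplit("@", 1)[-1].lower()


def triage(events):
    """Return findings for messages sent by users outside our tenant.

    high:   file from an external domain that is not on the allow list
    medium: file from an allow-listed external domain (the Teams restriction
            would normally prevent any external file send, so still anomalous)
    low:    text-only message from a domain not on the allow list (policy drift)
    """
    findings = []
    for ev in events:
        if ev.get("operation") != "MessageSent":
            continue
        if ev["sender_tenant_id"] == ORG_TENANT_ID:
            continue                                   # internal sender: out of scope here
        allow_listed = sender_domain(ev["sender"]) in ALLOWED_EXTERNAL_DOMAINS
        files = ev.get("files", [])
        reasons = []
        if not allow_listed:
            reasons.append("sender domain is not on the external access allow list")
        for f in files:
            host = urlparse(f["url"]).hostname or "?"
            reasons.append(f"file from external tenant: {f['name']} hosted on {host}")
        if not reasons:
            continue
        severity = "high" if files and not allow_listed else "medium" if files else "low"
        findings.append({"sender": ev["sender"], "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG)):
        print(finding["severity"].upper(), finding["sender"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The hosting domain is recorded in each finding because, as the Jumpsec quote above notes, the payload lives on the sender's SharePoint even though it appears as a plain file; that host is what a responder blocks and where the sample is retrieved from.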
Employee Education and Awareness
Organizations should prioritize employee education and awareness about the risks of productivity apps like Microsoft Teams, which most users treat as a trusted internal channel.
Training should help employees recognize social engineering tactics, phishing attempts, and suspicious files or links received through the platform, including files that arrive from accounts outside the organization.
Employees who know what to look for are better placed to protect themselves and their organization.
Regular Security Audits and Updates
Organizations should conduct regular security audits of their Microsoft Teams environment and keep clients and connected applications current with patches and security updates. Note that at the time of Jumpsec's disclosure this issue was a configuration weakness rather than a patched bug, so patching alone does not address it; the external access settings have to be reviewed.
Regular vulnerability assessments and penetration testing can identify weaknesses such as this one and let organizations address them proactively, staying ahead of emerging threats.
Consider Alternatives and Additional Security Measures
Microsoft Teams offers a comprehensive suite of communication and collaboration features, but organizations may also consider alternative platforms that prioritize security or provide additional security measures.
Organizations should explore options that align with their specific security requirements to make informed decisions about their communication and collaboration tools.
Conclusion
By understanding the nature of this flaw and adopting proactive strategies, organizations can mitigate the risks associated with the external tenant exploit.
Implementing security best practices, fostering employee awareness, and regularly reviewing security settings are crucial steps in safeguarding sensitive information and maintaining a secure communication and collaboration environment with Microsoft Teams.