
Microsoft Teams Features Increase Cyberattack Exposure for Organizations


According to a recent report by cybersecurity firm Proofpoint, researchers have discovered that Microsoft Teams functionalities make it easy for cybercriminals to conduct phishing attacks or deliver malware to users without their knowledge. The report states that by using tabs in the Teams interface or sending messages and meeting invites, hackers could redirect users to malicious sites, replace legitimate URLs with malicious ones, and trigger a malicious payload.

One of the critical issues highlighted by the report is the ease with which cybercriminals can conduct these types of attacks. The researchers point out that all of the proposed scenarios require an attacker to have a compromised account or session token already, but it’s worth noting that hackers have cracked enterprise Teams environments in the past.

Proofpoint’s report also notes that in 2022, around 60% of Microsoft 365 tenants were subject to at least one successful account takeover incident. Teams was the tenth most-targeted sign-in application last year, and 39% of targeted organizations experienced at least one unauthorized, malicious login attempt.

One of the primary issues identified in the report is the potential for hackers to leverage Teams tabs to serve malicious payloads or redirect users to malicious sites subtly. Unlike browser tabs, Teams tabs can point to applications, websites, and files. Moreover, using undocumented API calls, hackers could rename and reposition malicious tabs to break Teams conventions and take advantage of users.

The report pointed out that hackers could create a tab pointing to a malicious URL, rename it “Files,” and reposition it to supersede the legitimate “Files” tab in a user’s chat window. If their plan works, the URL isn’t displayed to users unless they deliberately visit the tab’s settings menu, providing an attractive attack platform for the bad actors.

If the above scenario seems unnecessary and overly complicated, hackers could merely point their tabs to a malicious file. When users access Teams via the desktop or Web client, the service will automatically download the file to the users’ devices without any questions asked, exposing them to malware or more sophisticated threats.
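A defender can audit exported tab inventories for both tab scenarios described above. The following is an added example, not code from Proofpoint or Microsoft: it assumes tab records shaped like Microsoft Graph `teamsTab` objects (`displayName`, `configuration.contentUrl`, `configuration.websiteUrl`), and the trusted-host allowlist, extension list and sample records are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlparse

BUILTIN_TAB_NAMES = {"files", "posts", "wiki"}   # names users expect Teams itself to own
TRUSTED_HOSTS = {"contoso.sharepoint.com"}       # assumption: this tenant's allowlist
DOWNLOAD_EXTS = (".exe", ".msi", ".iso", ".zip", ".lnk", ".hta", ".js")  # assumed list

# Constructed sample, shaped like Graph teamsTab objects (not real tenant data).
SAMPLE_TABS = [
    {"id": "tab-1", "displayName": "Files",
     "configuration": {"contentUrl": "https://files.example.net/landing"}},
    {"id": "tab-2", "displayName": "Planning",
     "configuration": {"contentUrl": "https://contoso.sharepoint.com/sites/ops/plan.aspx"}},
    {"id": "tab-3", "displayName": "Q3 report",
     "configuration": {"websiteUrl": "https://cdn.example.net/report.iso"}},
    {"id": "tab-4", "displayName": "\uff26iles ",  # full-width F plus trailing space
     "configuration": {"contentUrl": "http://files.example.net/x"}},
]

def normalized_name(tab):
    """Fold look-alike characters, case and padding before comparing names."""
    raw = tab.get("displayName") or ""
    return unicodedata.normalize("NFKC", raw).strip().casefold()

def audit_tab(tab):
    """Return the list of findings for one tab record."""
    cfg = tab.get("configuration") or {}
    url = urlparse(cfg.get("contentUrl") or cfg.get("websiteUrl") or "")
    host = (url.hostname or "").lower()
    findings = []
    # A tab that borrows a built-in name but loads content from an untrusted host.
    if normalized_name(tab) in BUILTIN_TAB_NAMES and host and host not in TRUSTED_HOSTS:
        findings.append("builtin-name-external-url")
    # A tab whose target is a file that the client would download on open.
    if url.path.lower().endswith(DOWNLOAD_EXTS):
        findings.append("direct-file-download")
    if url.scheme and url.scheme != "https":
        findings.append("non-https")
    return findings

def audit(tabs):
    """Map tab id -> findings, omitting clean tabs."""
    return {t["id"]: f for t in tabs if (f := audit_tab(t))}

if __name__ == "__main__":
    for tab_id, findings in audit(SAMPLE_TABS).items():
        print(tab_id, findings)
```
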

Aside from tabs, hackers could use APIs to manipulate hyperlinks in chat messages and modify underlying URLs to lure users into clicking them unknowingly. The report noted that using such APIs allows hackers to edit and weaponize many URLs within seconds, retroactively causing more damage.

Teams is a popular communication platform where business users regularly share sensitive information and documents, so the consequences of compromise could be severe. Thousands of organizations have reportedly experienced Teams account takeover incidents, which have led to financial fraud, brand abuse, sabotage, data theft, and other risks that could cost the organizations millions of dollars.

Proofpoint’s researchers believe that organizations could make more informed decisions by embracing Zero Trust Security models and adopting robust strategies to manage security updates, antivirus updates, and authentication. More transparency about the inherent risks of first-party applications could help users take necessary precautions to ensure their safety.

When contacted for comment, Microsoft encouraged users to observe security best practices in Microsoft Teams and to adopt industry-standard best practices for security and data protection. It’s essential to ensure that we take every necessary step to protect ourselves and our organizations from malicious cyber attacks.
