Third-party security researchers from Proofpoint have found various flaws in Microsoft Teams that could be exploited by cyber attackers to launch phishing attacks or get users to download malicious files. The researchers warned that these vulnerabilities expose organisations to critical risks. Roughly 40% of Microsoft 365 cloud tenants, which use either the platform’s web or desktop clients, have witnessed at least one unauthorised login attempt trying to access Teams accounts in the second half of 2022, Proofpoint’s data showed. While this is lower than the number of organisations that encountered malicious login attempts on their Azure Portal or Office 365 accounts in general, it still indicates that hackers are taking a growing interest in Teams security.
Accessing Teams accounts can be accomplished with API tokens, credentials or an active session cookie. Once inside, hackers can easily expand their access to other services or users. The researchers discovered undocumented API calls that let Teams users rearrange the tabs displayed on the top of their channels or group conversations. These can include other Office 365 apps and can be customised for easy access, but malicious actors can also pin a tab called “Website” that allows them to load a potentially insecure remote website into a tab inside the Teams client.
This new tab could be used to point to a phishing page posing as a Microsoft 365 sign-in page, the researchers warned. Using the undocumented API calls, attackers could give the malicious “Website” tab a name that closely resembles that of a tab which already exists. They could then reorder the tabs to push the original one out of view, so users accustomed to clicking the usual tab may end up on a page that asks them to reauthenticate to their Microsoft 365 account. Because the page is displayed within a Microsoft app that the user trusts, it could lower their suspicion.
Expert observers note that this could allow malicious actors to bypass two-factor authentication and gain access to highly valuable Office 365 tools, such as email inboxes, storage folders, SharePoint sites and data accumulated by apps. Attackers could also hijack existing Teams groups and channels, pretending to be authorised individuals and luring other users into sharing sensitive information.
The researchers also identified a Teams API feature that lets users modify the URLs sent inside meeting invites generated from a Teams account. After gaining access to a user’s Teams account, attackers can manipulate meeting invites using Teams API calls, swapping the benign default links for malicious ones. These links may lead to fake Microsoft 365 login pages or to pages that urge users to download a file masquerading as a Teams update or installer.
Since Teams allows users to edit their past messages and change the links within existing chats, manipulative social engineering techniques can be used to urge recipients to click on weaponised links. Attack techniques such as these require the attacker to already have access to a compromised account. However, it is vital for organisations to consider the potential for lateral movement, as hackers rarely stop at one compromised account or system once they gain a foothold inside a network or infrastructure.
To mitigate the risk of lateral movement via Teams, the researchers recommend that organisations educate users on Teams safety, isolate potentially malicious sessions initiated by links embedded in Teams messages, identify attackers accessing Teams within their cloud environment, limit usage of Microsoft Teams in a cloud environment and ensure Teams services are kept internal and not exposed to communication with other organisations.
As more organisations turn to cloud-based services and apps for collaboration tools, attackers have shifted their focus to these burgeoning tools, seeking to bypass the associated security measures. Doug Levin, the founder and CEO of security firm Quantarius, said: “It’s not a matter of if bad actors will exploit these tools, but when and how they will do it most effectively.”