Researchers have identified several ways hackers can leverage Microsoft Teams functionalities to phish users, or deliver malware directly to their computers without their knowing it.
Using tabs in the Teams user interface, bad actors could potentially trigger a malicious payload, or redirect users to malicious sites while hardly leaving any trace, according to a report this week from Proofpoint. Additionally, through meeting invites or messages, hackers could replace legitimate URLs with malicious ones — again, without any obvious means for users to suss out the difference before it’s too late.
“These risky Teams functionalities provide a nearly ideal attack platform for threat actors to target victims without being detected,” the researchers tell Dark Reading.
Crucially, all of the proposed scenarios require an attacker to already have a compromised account or session token on hand. But as the researchers are quick to point out, hackers have long been targeting and cracking enterprise Teams environments.
According to the report, around 60% of Microsoft 365 tenants were subject to at least one successful account takeover incident in 2022. Teams, for its part, was the tenth most-targeted sign-in application last year, with 39% of targeted organizations experiencing at least one unauthorized, malicious login attempt.
Teams’ Tabs Problem
Rarely do tabs evoke fear. Only, perhaps, when we’ve got too many of them open at once.
Unlike browsers, however, Teams tabs can point to applications, websites, and files. For example, the default “Files” tab — first and foremost in any channel or chat window — is associated with SharePoint and OneDrive. And users can create tabs, of course — say, by pinning a particular web domain to a new tab.
A malicious user could do the same with a malicious domain, but that’s just the beginning. Using undocumented API calls, a hacker could rename and reposition a malicious tab to break Teams’ conventions.
In theory, a hacker could create a tab pointing to a malicious URL, rename it “Files,” and reposition it to supersede the legitimate “Files” tab in a user’s chat window.
“This could be extremely attractive for attackers,” the researchers wrote, “seeing as, by design, a website tab’s URL is not displayed to users unless they deliberately visit the tab’s ‘Settings’ menu.”
But why go through the trouble? Alternatively, a hacker could simply point their tab to a malicious file. If the user is accessing Teams via the desktop or Web client, Teams will automatically download the file to the user’s device, no questions asked.
Modifying Links in Meetings and Messages
Tabs aren’t the only Teams functionalities malicious actors could hone in on.
Take meetings. With API calls, an attacker could sabotage auto-generated meeting links in calendar invites, swapping them out with malicious ones. Because meeting links tend to be busy — not so simple as www.____.com — victims may have a difficult time telling the difference.
A malicious actor might also manipulate hyperlinks in chat messages, modifying the underlying URL to point somewhere malicious.
Proofpoint’s researchers speculated that, “given that Teams API allows for the rapid and automatic enumeration and editing of links included in private or group chat messages, a simple script run by attackers could weaponize countless URLs within seconds,” retroactively.
Teamwork, to Make Teams Work
Teams is a hugely popular communications platform, where business users often share highly sensitive information and documents. Thus, the consequences of compromise can be high.
“We have seen thousands of organizations experience Teams account takeover,” the researchers explain, “which subsequently led to financial fraud, brand abuse, sabotage, data theft, and other risks. According to multiple studies, the average cost of an account takeover incident can cost thousands to millions of dollars.”
The solutions, by contrast, can be simple. “Organizations can make informed decisions when there is greater transparency about the inherent risks of first party applications,” the researchers say.
For instance, “it should be easier for ‘hidden’ URLs, which are inaccessible to the average user, to be viewed. Alternatively, adding and strengthening security measures to prevent automatic redirection to unwanted websites and block automatic file downloads would also help mitigate vulnerabilities.”
When reached for comment, Microsoft offered the following response to Proofpoint:
“Microsoft encourages users to observe security best practices in Microsoft Teams and to adopt industry-standard best practices for security and data protection including embracing the Zero Trust Security model and adopting robust strategies to manage security updates, antivirus updates, and authentication. More information on Zero Trust Security is available at https://aka.ms/zerotrust.”
