Microsoft Teams Features Amp Up Orgs' Cyberattack Exposure

It's as they say: Teams is only as strong as its weakest links. Microsoft's collaboration platform offers Tabs, Meetings, and Messages functions, and they all can be exploited.

4 Min Read
image of a man standing on a laptop keyboard with screen showing virtual meeting
Source: Elnur via Adobe Stock Photo

Researchers have identified several ways hackers can leverage Microsoft Teams functionalities to phish users, or deliver malware directly to their computers without their knowing it.

Using tabs in the Teams user interface, bad actors could potentially trigger a malicious payload, or redirect users to malicious sites while hardly leaving any trace, according to a report this week from Proofpoint. Additionally, through meeting invites or messages, hackers could replace legitimate URLs with malicious ones — again, without any obvious means for users to suss out the difference before it's too late.

"These risky Teams functionalities provide a nearly ideal attack platform for threat actors to target victims without being detected," the researchers tell Dark Reading.

Crucially, all of the proposed scenarios require an attacker to already have a compromised account or session token on hand. But as the researchers are quick to point out, hackers have long been targeting and cracking enterprise Teams environments.

According to the report, around 60% of Microsoft 365 tenants were subject to at least one successful account takeover incident in 2022. Teams, for its part, was the tenth most-targeted sign-in application last year, with 39% of targeted organizations experiencing at least one unauthorized, malicious login attempt.

Teams' Tabs Problem

Rarely do tabs evoke fear. Only, perhaps, when we've got too many of them open at once.

Unlike browsers, however, Teams tabs can point to applications, websites, and files. For example, the default "Files" tab — first and foremost in any channel or chat window — is associated with SharePoint and OneDrive. And users can create tabs, of course — say, by pinning a particular web domain to a new tab.

A malicious user could do the same with a malicious domain, but that's just the beginning. Using undocumented API calls, a hacker could rename and reposition a malicious tab to break Teams' conventions.

In theory, a hacker could create a tab pointing to a malicious URL, rename it "Files," and reposition it to supersede the legitimate "Files" tab in a user's chat window.

"This could be extremely attractive for attackers," the researchers wrote, "seeing as, by design, a website tab's URL is not displayed to users unless they deliberately visit the tab's 'Settings' menu."

But why go through the trouble? Alternatively, a hacker could simply point their tab to a malicious file. If the user is accessing Teams via the desktop or Web client, Teams will automatically download the file to the user's device, no questions asked.

Tabs aren't the only Teams functionalities malicious actors could hone in on.

Take meetings. With API calls, an attacker could sabotage auto-generated meeting links in calendar invites, swapping them out with malicious ones. Because meeting links tend to be busy — not so simple as www.____.com — victims may have a difficult time telling the difference.

A malicious actor might also manipulate hyperlinks in chat messages, modifying the underlying URL to point somewhere malicious.

Proofpoint's researchers speculated that, "given that Teams API allows for the rapid and automatic enumeration and editing of links included in private or group chat messages, a simple script run by attackers could weaponize countless URLs within seconds," retroactively.

Teamwork, to Make Teams Work

Teams is a hugely popular communications platform, where business users often share highly sensitive information and documents. Thus, the consequences of compromise can be high.

"We have seen thousands of organizations experience Teams account takeover," the researchers explain, "which subsequently led to financial fraud, brand abuse, sabotage, data theft, and other risks. According to multiple studies, the average cost of an account takeover incident can cost thousands to millions of dollars."

The solutions, by contrast, can be simple. "Organizations can make informed decisions when there is greater transparency about the inherent risks of first party applications," the researchers say.

For instance, "it should be easier for 'hidden' URLs, which are inaccessible to the average user, to be viewed. Alternatively, adding and strengthening security measures to prevent automatic redirection to unwanted websites and block automatic file downloads would also help mitigate vulnerabilities."

When reached for comment, Microsoft offered the following response to Proofpoint:

"Microsoft encourages users to observe security best practices in Microsoft Teams and to adopt industry-standard best practices for security and data protection including embracing the Zero Trust Security model and adopting robust strategies to manage security updates, antivirus updates, and authentication. More information on Zero Trust Security is available at https://aka.ms/zerotrust."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights