Microsoft is a major productivity partner for many organizations and enterprises. These organizations widely trust Microsoft Office’s suite of products as a reliable foundation for their daily cloud ecosystem needs. However, this migration to the cloud also introduces new kinds of threats.
Today, attackers set their sights on cloud environments and services and try to leverage existing security flaws and vulnerabilities for various nefarious purposes. Proofpoint’s threat researchers recently analyzed over 450 million malicious sessions, detected throughout the second half of 2022 and targeting Microsoft 365 cloud tenants. According to our findings, Microsoft Teams is one of the ten most targeted sign-in applications, with nearly 40% of targeted organizations having at least one unauthorized login attempt trying to gain access.
There are multiple methods to abuse one of the most popular (and most targeted) native cloud applications: Microsoft Teams. These techniques allow malicious actors to effectively execute Office 365 credentials phishing, deliver malicious executables, and expand their foothold within a compromised cloud environment.
Abusing the Default Tabs Mechanism
Microsoft Teams platform provides a personal and group messaging mechanism, through Teams channels or chats. Each channel or chat can contain additional tabs created by different applications. An example of a default tab appearing in personal and group chats is the “Files” tab, associated with SharePoint and OneDrive. We have found that tabs manipulation could be part of a potent and largely automated attack vector, following an account compromise.
Usually, users may rename tabs however they choose, as long as the new name does not overlap with an existing tab’s name (for example: “Files”). In addition, users are supposedly restricted from re-positioning tabs in a way that places them before default tabs (e.g., “Files”).
However, Proofpoint discovered that using undocumented Teams API calls, tabs may be reordered and renamed so that the original tab can be swapped with a new custom tab.
One way that this seemingly benign “feature” can be leveraged by threat actors is by using a native app, “Website”, which allows users to pin a chosen website as a tab at the top of a Teams channel or chat.
After pinning a “Website” instance as a tab, an attacker can manipulate the tab’s name, changing it to an existing tab’s name, and then repositioning it. This effectively allows the attackers to push the native tab out of view, and therefore increase the chances of using the fraudulent tab.
This new tab could be used to point to a malicious site, such as a credential phishing webpage posing as a Microsoft 365 sign-in page. This could be extremely attractive for attackers, seeing as, by design, a website tab’s URL is not displayed to users unless they deliberately visit the tab’s ‘Settings’ menu.
Although browser security best practices educate users to closely examine key indicators (such as the URL bar) and to not click on suspicious links, in this case all those instructions are irrelevant, as Teams does not provide a visible URL bar. Therefore, unsuspecting victims are unlikely to notice that the web page they access is, in fact, malicious.
Another way of easily abusing the same mechanisms is by using the Website tab to point to a file. This causes Teams (desktop or web client) to automatically download the file to the user’s device, potentially placing malicious droppers inside victims’ corporate devices and networks.
Weaponizing Meeting Invites
Tabs are not the only Teams feature open to exploitation and abuse by malicious actors. The Microsoft Teams platform can also sync with a user’s calendar to display, create, and edit scheduled meetings. By default, when creating a Teams online meeting, several links are generated and sent within the meeting’s description. These allow users to join the online meeting or download Teams’ desktop client.
Whereas usually an attacker would need access to Outlook or Microsoft Exchange in order to manipulate the content of a meeting invite, once attackers gain access to a user’s Teams account, they can manipulate meeting invites using Teams API calls, swapping benign default links with malicious ones.
A sophisticated attacker may automatically alter the default links within a meeting invite so that users, both outside and inside the organization, are referred to phishing pages or to malware-hosting sites, thus causing instant download of malware posing as Teams installation files.
Weaponizing Hyperlinks in Messages
A different approach that attackers can utilize, given access to a user’s Teams token, is using Teams’ API or user-interface to weaponize existing links in sent messages. This could be done by simply replacing benign links with links pointing to nefarious websites or malicious resources. In this scenario, the presented hyperlink would not be changed, even though the URL behind it was modified.
Given that Teams API allows for the rapid and automatic enumeration and editing of links included in private or group chat messages, a simple script run by attackers could weaponize countless URLs within seconds. Subsequently, a sophisticated threat actor might utilize social engineering techniques and send new messages, encouraging unsuspecting users to click (or “re-visit”) the edited, and now weaponized, link.
It is important to note that the aforementioned abuse methods require pre-existing access to a compromised user account or Teams token. Nevertheless, approximately 60% of Microsoft 365 tenants suffered at least one successful account takeover incident in 2022. Consequently, the potential proliferation of these methods would provide threat actors with effective possibilities for post-compromise lateral movement.
Proofpoint’s analysis of past attacks and ongoing trends within the dynamic cloud threat landscape indicates that attackers progressively pivot to more advanced attack vectors. The adoption of new attack techniques and tools, when combined with apparent security flaws, including dangerous functionalities in 1st-party apps, exposes organizations to a variety of critical risks.
Recommendations to Protect Your Organization
Following are ways to help organizations defend against Microsoft Teams-based phishing and malware risks:
- Security awareness: Educate users to be aware of these risks when using Microsoft Teams.
- Cloud security: Identify attackers accessing Teams within your cloud environment. This requires accurate and timely detection of the initial account compromise, and the visibility into the impacted sign-in application.
- Web security: Isolate potentially malicious sessions initiated by links embedded in Teams messages.
- Review Microsoft Teams usage: If you’re facing targeting attempts on a regular basis, consider limiting usage of Microsoft Teams in your cloud environment.
- Restrict access: Make sure your Teams service is internal only if possible and not exposed to communication with other organizations.
Threat actors constantly seek new ways to steal users’ credentials and acquire access to users’ accounts. Microsoft Teams could be leveraged as a platform for various forms of cloud attacks since it is a legitimate and popular cloud application. Therefore, users should adopt industry-standard best practices for security and data protection, including embracing the Zero Trust Security model and adopting robust strategies to manage security updates, antivirus updates, and authentication.