Attackers Manipulate Teams Features to Gain Access

Microsoft Teams recently made it into a top 10 list of most-targeted applications—and that should be a warning to security teams whose organizations use it.

The app is one of the “most targeted sign-in applications, with nearly 40% of targeted organizations having at least one unauthorized login attempt trying to gain access,” researchers at Proofpoint recently found after analyzing more than 450 malicious sessions throughout the second half of 2022.

Love it or hate it, organizations came to depend on collaborative apps like Microsoft Teams and Zoom to connect remote workers and keep businesses up and running at the start of the pandemic—and now Teams especially is de rigueur. But those apps have also been points of vulnerability, as the rapid migration to the cloud introduced new kinds of threats, the researchers said in a blog post.

Techniques used by the malicious actors could “effectively execute Office 365 credentials phishing, deliver malicious executables and expand their foothold within a compromised cloud environment,” Proofpoint researchers found.

“API-first design means APIs have become embedded in every aspect of modern web and mobile applications’ user interfaces and underlying functionality. Business logic flaws, such as the ones found in the Microsoft Teams tab functionality, often get overlooked and are hard to flush out, making them a prime attack surface for adversaries to prey on,” said Nick Rago, field CTO at Salt Security. “This incident reinforces why organizations require runtime insights to continuously monitor their APIs. Runtime visibility provides a red flag to anomalous behaviors, so organizations can quickly detect new threats and more effectively defend against attacks.”

Proofpoint discovered that tabs manipulation in Teams “could be part of a potent and largely automated attack vector, following an account compromise.” A personal and group messaging mechanism in Teams allows additional tabs, such as Files, to be created by different applications.

“Usually, users may rename tabs however they choose, as long as the new name does not overlap with an existing tab’s name (for example: ‘Files’),” they explained. “In addition, users are supposedly restricted from repositioning tabs in a way that places them before default tabs (e.g., ‘Files’).”

But by “using undocumented Teams API calls, tabs may be reordered and renamed so that the original tab can be swapped with a new custom tab,” Proofpoint noted.

“One way that this seemingly benign ‘feature’ can be leveraged by threat actors is by using a native app, ‘Website,’ which allows users to pin a chosen website as a tab at the top of a Teams channel or chat,” the researchers said. “After pinning a ‘Website’ instance as a tab, an attacker can manipulate the tab’s name, changing it to an existing tab’s name, and then repositioning it. This effectively allows the attackers to push the native tab out of view, and therefore increase the chances of using the fraudulent tab.”

Threat actors could then use that tab to point to a malicious site, an attractive option since, by design, “a website tab’s URL is not displayed to users unless they deliberately visit the tab’s ‘Settings’ menu.” When the URL bar is not visible, victims are none the wiser and don’t realize they are accessing a malicious web page.

Potential attackers can also use that same mechanism to get the Website tab to point to a file, prompting Teams “to automatically download the file to the user’s device, potentially placing malicious droppers inside victims’ corporate devices and networks.”
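An added example, not Proofpoint's or Microsoft's code: a defender-side heuristic that flags the three tab manipulations described above (a custom tab renamed to a default tab's name, a custom tab moved ahead of the default tabs, and a Website tab pointing at a downloadable file) when run over tab-change records. The record field names, the set of default tab names and the sample events are assumptions constructed for the example; map your own audit-log fields onto them.

```python
# Heuristic for the Teams tab-masquerading pattern described in the article.
# Added example, not Proofpoint's or Microsoft's code. The record shape below
# ("app", "old_name", "new_name", "new_position", "url") is a constructed,
# hypothetical schema: map real audit-log fields onto it before use.

# Tabs Teams creates by default (assumed list); a renamed custom tab that
# takes one of these names collides with the native tab.
DEFAULT_TAB_NAMES = {"files", "posts", "chat"}

# Extensions that a pinned website tab would serve as a download, not a page.
DOWNLOAD_EXTENSIONS = (".exe", ".msi", ".zip", ".iso", ".js", ".vbs")


def _normalize(name):
    """Collapse case and surrounding whitespace so 'Files ' matches 'files'."""
    return (name or "").strip().lower()


def suspicious_reasons(event):
    """Return the reasons one tab-change record looks like masquerading."""
    reasons = []
    app = _normalize(event.get("app"))
    new_name = _normalize(event.get("new_name"))
    old_name = _normalize(event.get("old_name"))
    # Rule 1: a custom (non-default) app tab took on a default tab's name.
    if new_name in DEFAULT_TAB_NAMES and app not in DEFAULT_TAB_NAMES and new_name != old_name:
        reasons.append("renamed to default tab name %r" % new_name)
    # Rule 2: a custom tab was moved ahead of the default tabs (0 = leftmost).
    if event.get("new_position") == 0 and app not in DEFAULT_TAB_NAMES:
        reasons.append("repositioned ahead of default tabs")
    # Rule 3: a Website tab whose URL (query string stripped) names a file
    # that Teams would download instead of rendering.
    url = (event.get("url") or "").lower().split("?")[0]
    if app == "website" and url.endswith(DOWNLOAD_EXTENSIONS):
        reasons.append("website tab points at a downloadable file")
    return reasons


def find_suspicious_tab_events(events):
    """Return [(event_id, reasons)] for every record that trips a rule."""
    return [(ev["id"], suspicious_reasons(ev)) for ev in events if suspicious_reasons(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "app": "Website", "old_name": "Website", "new_name": "Files",
     "new_position": 0, "url": "https://example.invalid/login"},
    {"id": 2, "app": "Website", "old_name": "Website", "new_name": "Team Docs",
     "new_position": 3, "url": "https://example.invalid/update.exe"},
    {"id": 3, "app": "Planner", "old_name": "Planner", "new_name": "Sprint board",
     "new_position": 2, "url": None},
]

if __name__ == "__main__":
    for event_id, reasons in find_suspicious_tab_events(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Event 1 trips the rename and reposition rules, event 2 only the download rule, and the Planner rename is left alone.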

Other techniques Proofpoint researchers uncovered were the weaponization of invites and hyperlinks in messages.

While attackers must have pre-existing access to a compromised user account or Teams token to abuse Teams, Proofpoint researchers stressed that “the potential proliferation of these methods would provide threat actors with effective possibilities for post-compromise lateral movement.”

In addition, the security firm said, “Analysis of past attacks and ongoing trends within the dynamic cloud threat landscape indicates that attackers progressively pivot to more advanced attack vectors.”

To avoid or reduce the threat of attackers who adopt new attack techniques and tools in conjunction “with apparent security flaws, including dangerous functionalities in first-party apps” that can “expose organizations to a variety of critical risks,” Proofpoint recommends organizations:

  • Security awareness: Educate users to be aware of these risks when using Microsoft Teams.
  • Cloud security: Identify attackers accessing Teams within your cloud environment. This requires accurate and timely detection of the initial account compromise and visibility into the impacted sign-in application.
  • Web security: Isolate potentially malicious sessions initiated by links embedded in Teams messages.
  • Review Microsoft Teams usage: If you’re facing targeting attempts on a regular basis, consider limiting use of Microsoft Teams in your cloud environment.
  • Restrict access: Make sure your Teams service is internal-only, if possible, and not exposed to communication with other organizations.

“Many organizations limit their security awareness training and phishing simulations and protections to email. However, in the real world, attackers can and are using any mechanism they can to deliver phishing attacks,” said Georgia Weidman, security architect, Zimperium. “Due to the lack of training and awareness, mobile vectors such as SMS and NFC, social media platforms like Facebook and Twitter and enterprise collaboration suites such as Microsoft Teams and Zoom are fertile ground for phishing attacks to be successful.”

Teri Robinson
