Microsoft Teams' expansive repertoire of features intensifies the vulnerability of organizations, leaving them more susceptible to cyberattacks
Microsoft Teams Features - Cyberattack Exposure
CYBERATTACK-NOW
S. Amrane
5/18/2023 · 2 min read
A group of researchers has detected multiple techniques through which hackers can exploit the functionalities of Microsoft Teams to deceive users or surreptitiously deliver malware to their computers. According to a recent report from Proofpoint, these cybercriminals could potentially initiate a harmful payload or redirect individuals to malicious websites by taking advantage of tabs within the Teams user interface, all while leaving minimal traces. Moreover, hackers could manipulate meeting invitations or messages by substituting legitimate URLs with malicious ones, leaving users unaware of the difference until it's too late.
"These risky functionalities in Teams create an almost perfect platform for threat actors to target victims without detection," the researchers cautioned in comments to Dark Reading.
It is important to note that all of these scenarios require attackers to already possess compromised accounts or session tokens. Nevertheless, as emphasized by the researchers, hackers have long been focusing on infiltrating enterprise Teams environments. The report reveals that approximately 60% of Microsoft 365 tenants experienced at least one successful account takeover incident in 2022. Furthermore, Teams ranked as the tenth most-targeted sign-in application last year, with 39% of targeted organizations encountering unauthorized and malicious login attempts.
Teams' Tabs Dilemma
Rarely do we associate fear with tabs—unless we find ourselves overwhelmed by an excessive number of them open simultaneously.
However, unlike browser tabs, Teams tabs can direct users to applications, websites, and files. For example, the default "Files" tab, prominently featured in any channel or chat window, is linked to SharePoint and OneDrive. Users also have the option to create tabs, such as pinning a specific web domain to a new tab.
A malicious user could employ the same approach with a malicious domain, but that's just the beginning. By utilizing undocumented API calls, a hacker could rename and reposition a malevolent tab, thus breaking Teams' standard conventions.
In theory, a hacker could create a tab that points to a malicious URL, rename it as "Files," and reposition it to supplant the legitimate "Files" tab in a user's chat window.
"This would be highly appealing to attackers," state the researchers, "since a website tab's URL is deliberately hidden from users unless they specifically visit the tab's 'Settings' menu."
But why go through all this trouble? Alternatively, a hacker could simply direct their tab to a malicious file. If the user accesses Teams via the desktop or web client, Teams will automatically download the file to the user's device without any prompts or inquiries.
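A defender can review tab inventories for the two patterns described above: a website tab carrying a built-in name such as "Files", and a tab whose URL points straight at a file. The following is an added example, not code from Proofpoint or this article; the records are constructed, their field names follow the Microsoft Graph teamsTab resource, and the allowlist, name set and extension list are assumptions to adapt per tenant.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumptions of this example (not values from the Proofpoint report):
WEBSITE_TAB_APP_ID = "com.microsoft.teamspace.tab.web"  # built-in Website tab app
BUILTIN_NAMES = {"files", "posts", "wiki"}   # names a custom tab should not imitate
ALLOWED_HOSTS = ("contoso.sharepoint.com",)  # hypothetical tenant allowlist
RISKY_EXTENSIONS = (".exe", ".msi", ".js", ".iso", ".lnk", ".zip")

def normalise(name):
    # Fold case, width and padding so lookalike spellings compare equal to "files"
    return unicodedata.normalize("NFKC", name).strip().casefold()

def host_allowed(host):
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)

def audit_tab(tab):
    """Return findings for one tab record; an empty list means nothing flagged."""
    if tab.get("teamsApp", {}).get("id") != WEBSITE_TAB_APP_ID:
        return []
    parts = urlsplit(tab.get("configuration", {}).get("contentUrl") or "")
    host = (parts.hostname or "").lower()
    findings = []
    if normalise(tab.get("displayName", "")) in BUILTIN_NAMES:
        findings.append("website tab uses a built-in tab name")
    if not host_allowed(host):
        findings.append("content host not on allowlist: " + host)
    if parts.path.lower().endswith(RISKY_EXTENSIONS):
        findings.append("tab points directly at a downloadable file")
    return findings

# Constructed sample records; field names follow the Microsoft Graph teamsTab resource
SAMPLE_TABS = [
    {"id": "tab-1", "displayName": "Planning site",
     "teamsApp": {"id": WEBSITE_TAB_APP_ID},
     "configuration": {"contentUrl": "https://contoso.sharepoint.com/sites/plan"}},
    {"id": "tab-2", "displayName": "Files",
     "teamsApp": {"id": WEBSITE_TAB_APP_ID},
     "configuration": {"contentUrl": "https://cdn.attacker.example/docs"}},
    {"id": "tab-3", "displayName": "Handbook",
     "teamsApp": {"id": WEBSITE_TAB_APP_ID},
     "configuration": {"contentUrl": "https://files.attacker.example/handbook.iso"}},
]

def audit(tabs):
    return {t["id"]: f for t in tabs if (f := audit_tab(t))}
```

Because the tab URL is hidden from users unless they open the tab's settings, a periodic export-and-audit like this is one of the few places the mismatch becomes visible.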
Manipulating Links in Meetings and Messages
Tabs are not the sole Teams functionalities that malicious actors could exploit.
Let's consider meetings. By leveraging API calls, an attacker could tamper with automatically generated meeting links in calendar invites, replacing them with malicious ones. Since meeting links often appear complex—unlike simple URLs like www.____.com—victims may struggle to discern the difference.
A malicious actor could also manipulate hyperlinks in chat messages by altering the underlying URL to direct users to a malicious destination.
The researchers at Proofpoint hypothesize that existing links could be weaponized retroactively: "given that the Teams API enables rapid and automated enumeration and editing of links within private or group chat messages, attackers could potentially weaponize countless URLs in a matter of seconds."
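The link substitution described in this section leaves one checkable trace: the text a user sees names one host while the underlying `href` goes to another. The following added example (not from Proofpoint or this article) scans exported message bodies for that mismatch and notes whether the message was edited after sending; the messages are constructed and their field names follow the Microsoft Graph chatMessage resource.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    # Collects (href, visible text) pairs from an HTML message body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    # Accept "https://host/path" as well as bare "host/path" display text
    if "//" not in value:
        value = "//" + value
    return (urlsplit(value).hostname or "").lower()

def audit_message(msg):
    """Flag anchors whose visible text names one host while href goes to another."""
    parser = AnchorCollector()
    parser.feed(msg["body"]["content"])
    findings = []
    for href, text in parser.links:
        url_like = " " not in text and "." in text
        if url_like and host_of(text) != host_of(href):
            findings.append({"id": msg["id"], "shown": host_of(text),
                             "actual": host_of(href),
                             "edited": msg.get("lastEditedDateTime") is not None})
    return findings

# Constructed sample messages; field names follow Microsoft Graph chatMessage
SAMPLE_MESSAGES = [
    {"id": "m1", "lastEditedDateTime": None, "body": {"content":
        '<a href="https://contoso.sharepoint.com/n">contoso.sharepoint.com/n</a>'}},
    {"id": "m2", "lastEditedDateTime": "2023-05-17T09:12:00Z", "body": {"content":
        '<a href="https://login.attacker.example/join">https://teams.microsoft.com/l/meetup-join/abc</a>'}},
    {"id": "m3", "lastEditedDateTime": None, "body": {"content":
        '<a href="https://contoso.sharepoint.com/q3">Q3 report</a>'}},
]

def audit_all(messages):
    return [f for m in messages for f in audit_message(m)]
```

Links with plain-language display text (like "Q3 report") are skipped by this check and need a separate destination allowlist.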
Collaborative Efforts to Safeguard Teams
Teams is an immensely popular communication platform where business users frequently exchange highly sensitive information and documents. Consequently, the implications of compromise can be severe.
"We have witnessed numerous organizations falling victim to Teams account takeovers," explain the researchers, "leading to financial fraud, brand abuse, sabotage, data theft, and other risks. According to multiple studies, the average cost of an account takeover incident can range from thousands to millions of dollars."
The solutions, however, can be straightforward. "Organizations can make informed decisions when they have greater
Copyright © 2023 ALPHA CSC. All rights reserved
21 Granite St Street
Quincy, MA 02169
Hours
Monday - Friday
9am - 6pm
Contacts
+31202612306
info@alphacsc.com
Are u under attack?
ART ALPHA RESCUE TEAM 24/7 0031-624841122