Security researchers at Proofpoint have published a report that identified new methods of effectively abusing Microsoft Teams through social engineering techniques. In their analysis of over 450 million malicious sessions targeting Microsoft 365 cloud tenants in the second half of 2022, Proofpoint found that Microsoft Teams was one of the top ten most targeted sign-in applications, with nearly 40% of organizations experiencing unauthorized login attempts.
Exploiting tabs for phishing and malware delivery
One of the techniques observed by the Proofpoint team involves manipulating tabs within Teams channels or chats to gain access to sensitive information. Attackers would rename tabs to mimic existing ones and redirect them to malicious websites, often for the purpose of credential phishing. This method of tab manipulation could be part of an automated attack vector following an account compromise.
Additionally, tabs were found to be exploited for instant malware downloads. Attackers would create custom tabs that automatically download files to users’ devices, potentially delivering malware payloads.
Manipulating invites and links
Proofpoint also observed attackers attempting to manipulate meeting invites by using Teams API calls to replace default links with malicious ones. This manipulation could lead users to unwittingly visit phishing pages or download malware.
Furthermore, threat actors were discovered modifying existing links in sent messages using the Teams API or user interface. In these cases, the presented hyperlink remains the same, but the underlying URL is changed to redirect users to nefarious websites or malicious resources.
Everyone’s a target
It is worth noting that the abuse methods described by Proofpoint require pre-existing access to a compromised user account or Teams token. However, approximately 60% of Microsoft 365 tenants experienced at least one successful account takeover incident in 2022. This highlights the potential for threat actors to exploit these methods for post-compromise lateral movement within compromised environments.
What you can do
To effectively counter vulnerabilities and protect Microsoft Teams users, organizations should prioritize the following mitigation strategies:
- Educate users: Raise awareness about social engineering techniques and encourage a cautious approach to suspicious activities. Empower employees to promptly identify and report potential threats. Implement multi-factor authentication (MFA) to strengthen security by requiring additional verification factors beyond passwords.
- Monitor Teams activities: Regularly monitor and analyze Teams activities to detect abnormal behavior and potential security breaches. Utilize robust monitoring tools to identify unauthorized login attempts, anomalous file downloads, and other indicators of compromise.
- Maintain up-to-date software and employ filtering solutions: Keep software versions up to date and utilize email and web filtering solutions. Apply security patches promptly and leverage advanced filtering mechanisms to mitigate the risk of exploitation. Proactively block malicious emails, phishing attempts, and suspicious links.