
Research: Microsoft Teams Can Be Used for Malware Delivery

Microsoft Teams is now one of the 10 most targeted sign-in applications in Microsoft 365 and can be abused by attackers, Proofpoint says.

May 18, 2023 Zachary Comeau


It is common knowledge that Azure, PowerShell, Exchange and other Microsoft tools and services are popular targets of threat actors, but Microsoft Teams is emerging as one of the most targeted Microsoft applications for attackers. According to enterprise security firm Proofpoint, Microsoft Teams is now one of the 10 most targeted sign-in applications, with nearly 40% of targeted organizations having at least one unauthorized login attempt trying to gain access.

Proofpoint’s data comes from an analysis of over 450 million malicious sessions detected throughout the second half of 2022 targeting Microsoft 365 cloud tenants. While Microsoft Teams is last on the list, its presence on the list alone signifies how attackers are pivoting to target heavily used applications on which many organizations rely to support hybrid work models.

The company says its researchers have discovered several new ways that attackers are using Microsoft Teams for malicious purposes, including using tabs for phishing users and instant malware downloads, and weaponizing meeting invites and messages via malicious links.

These actions essentially allow threat actors to conduct Microsoft 365 credential attacks, deliver malware and maintain persistence in a victim’s cloud environment.

Malicious tabs

According to Proofpoint, researchers have discovered that using undocumented Microsoft Teams API calls, tabs can be reordered and renamed so the original tab can be swapped with a new custom tab. The company says manipulating tabs “could be part of a potent and largely automated attack vector” following an account compromise.

Attackers could also use a native app, “Website,” to pin a chosen website as a tab at the top of a Teams channel or chat. After pinning a “Website” instance as a tab, attackers can manipulate the tab’s name, change it to an existing tab’s name, and reposition it to push the native tab out of view and increase the chances of a user clicking the fraudulent tab, which could bring users to a malicious site.

“This could be extremely attractive for attackers, seeing as, by design, a website tab’s URL is not displayed to users unless they deliberately visit the tab’s ‘Settings’ menu,” Proofpoint researchers write in a blog post.

The website tab could also be used to point to a file that causes Teams to automatically download the file to the user’s device, potentially inserting malicious droppers inside the victim environment.
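A defender can audit channel tab inventories for the three signals described above: a "Website" tab that shares its name with another tab, a "Website" tab pointing at a host the organization has not approved, and a "Website" tab whose URL ends in a file rather than a page. The following Python sketch is an added example, not code from Proofpoint or this article; the record fields (`name`, `app`, `url`), the allowlist and the extension list are assumptions, and the tab list is constructed sample data rather than real Teams API output.

```python
import posixpath
from collections import defaultdict
from urllib.parse import urlsplit

# Assumptions for this example: replace with your organization's own values.
ALLOWED_HOSTS = {"intranet.example.com", "wiki.example.com"}
FILE_EXTENSIONS = {".exe", ".msi", ".zip", ".iso", ".js", ".lnk", ".docm"}

def normalize(name):
    """Collapse case and whitespace so 'Files ' and 'files' compare equal."""
    return " ".join(name.split()).casefold()

def audit_tabs(tabs):
    """Return (position, tab name, finding) tuples for one channel's tab list."""
    positions_by_name = defaultdict(list)
    for pos, tab in enumerate(tabs):
        positions_by_name[normalize(tab["name"])].append(pos)

    findings = []
    for pos, tab in enumerate(tabs):
        if tab["app"] != "website":
            continue  # only Website tabs carry a hidden, attacker-chosen URL
        if len(positions_by_name[normalize(tab["name"])]) > 1:
            findings.append((pos, tab["name"], "name-collision"))
        parts = urlsplit(tab["url"])
        if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
            findings.append((pos, tab["name"], "unapproved-host"))
        if posixpath.splitext(parts.path)[1].lower() in FILE_EXTENSIONS:
            findings.append((pos, tab["name"], "file-download-url"))
    return findings

# Constructed sample inventory (hypothetical field names, reserved example domains).
SAMPLE_TABS = [
    {"name": "Files", "app": "website", "url": "https://files.example.net/login"},
    {"name": "Posts", "app": "native", "url": None},
    {"name": "Files", "app": "native", "url": None},
    {"name": "Wiki", "app": "website", "url": "https://wiki.example.com/home"},
    {"name": "Onboarding", "app": "website",
     "url": "https://intranet.example.com/kit/setup.zip"},
]

if __name__ == "__main__":
    for finding in audit_tabs(SAMPLE_TABS):
        print(finding)
```

Because the tab URL is not shown to users by default, a periodic audit like this is one of the few places the mismatch between a tab's name and its destination becomes visible.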

Meeting invites

Proofpoint also identifies meeting invites as another tool attackers can use, as the Microsoft Teams platform syncs with a user’s calendar to display, create and edit scheduled meetings. When a Teams meeting is created, several links are generated and sent within the meeting’s description that allow users to join the meeting or download the Teams desktop client.

Hackers typically need access to Outlook or Exchange to manipulate the content of a meeting invite, but access to a user’s Teams account allows them to manipulate the invite using Teams API calls to swap default links with malicious ones that bring users to phishing pages or malware-hosting sites, Proofpoint researchers say.

Hyperlinks in messages

If attackers have access to a user’s Microsoft Teams token, they can also use Teams’ API or user interface to weaponize existing links sent in messages by replacing benign links with malicious ones, which wouldn’t change the presented hyperlink, Proofpoint says.

“Given that Teams API allows for the rapid and automatic enumeration and editing of links included in private or group chat messages, a simple script run by attackers could weaponize countless URLs within seconds,” researchers say.

Afterward, a threat actor can use social engineering and send new messages to encourage unsuspecting users to click or revisit the weaponized link.

Guidance and recommendations

According to Proofpoint, Microsoft offered the following guidance after Proofpoint researchers disclosed their research: “Microsoft encourages users to observe security best practices in Microsoft Teams and to adopt industry-standard best practices for security and data protection including embracing the Zero Trust Security model and adopting robust strategies to manage security updates, antivirus updates, and authentication. More information on Zero Trust Security is available at https://aka.ms/zerotrust.”

Read the company’s blog for more information, including recommendations on how to prevent these attacks.
