
Research: Microsoft Teams Can Be Used for Malware Delivery

Microsoft Teams is now one of the 10 most targeted sign-in applications in Microsoft 365 and can be abused by attackers, Proofpoint says.

May 18, 2023 Zachary Comeau


It is common knowledge that Azure, PowerShell, Exchange and other Microsoft tools and services are popular targets of threat actors, but Microsoft Teams is emerging as one of the most targeted Microsoft applications for attackers. According to enterprise security firm Proofpoint, Microsoft Teams is now one of the 10 most targeted sign-in applications, with nearly 40% of targeted organizations having at least one unauthorized login attempt trying to gain access.

Proofpoint’s data comes from an analysis of over 450 million malicious sessions detected throughout the second half of 2022 targeting Microsoft 365 cloud tenants. While Microsoft Teams is last on the list, its presence on the list alone signifies how attackers are pivoting to target heavily used applications on which many organizations rely to support hybrid work models.

The company says its researchers have discovered several new ways that attackers are using Microsoft Teams for malicious purposes, including using tabs for phishing users and instant malware downloads, and weaponizing meeting invites and messages via malicious links.

These actions essentially allow threat actors to conduct Microsoft 365 credential attacks, deliver malware and maintain persistence in a victim’s cloud environment.

Malicious tabs

According to Proofpoint, researchers have discovered that using undocumented Microsoft Teams API calls, tabs can be reordered and renamed so the original tab can be swapped with a new custom tab. The company says manipulating tabs “could be part of a potent and largely automated attack vector” following an account compromise.

Attackers could also use a native app, “Website,” to pin a chosen website as a tab at the top of a Teams channel or chat. After pinning a “Website” instance as a tab, attackers can manipulate the tab’s name, change it to an existing tab’s name, and reposition it to push the native tab out of view and increase the chances of a user clicking the fraudulent tab, which could bring users to a malicious site.

“This could be extremely attractive for attackers, seeing as, by design, a website tab’s URL is not displayed to users unless they deliberately visit the tab’s ‘Settings’ menu,” Proofpoint researchers write in a blog post.

The website tab could also be used to point to a file that causes Teams to automatically download the file to the user’s device, potentially inserting malicious droppers inside the victim environment.
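A defender can audit channel tab inventories for the three conditions described above: a website tab reusing another tab's name, a website tab pointing outside approved hosts, and a website tab whose URL is a downloadable file. The following is an added example, not code from Proofpoint or Microsoft; the record fields (`name`, `app`, `url`), the allowlist and the extension list are assumptions standing in for whatever a tenant's own tab export and policy provide.

```python
import unicodedata
from collections import Counter
from urllib.parse import urlsplit

# Assumed local policy: hosts approved for website tabs, and risky file types.
ALLOWED_HOSTS = {"intranet.example.com", "wiki.example.com"}
DOWNLOAD_EXTS = (".exe", ".msi", ".iso", ".zip", ".js", ".lnk")

def norm(name):
    """Fold case, Unicode width and whitespace so look-alike names compare equal."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())

def audit_tabs(tabs):
    """Return (tab name, reason) findings for one channel's list of tabs."""
    counts = Counter(norm(t["name"]) for t in tabs)
    findings = []
    for t in tabs:
        if t["app"] != "website":
            continue  # only pinned website tabs are in scope here
        url = urlsplit(t["url"])
        host = (url.hostname or "").lower()
        if counts[norm(t["name"])] > 1:
            findings.append((t["name"], "name duplicates another tab"))
        if url.scheme != "https" or host not in ALLOWED_HOSTS:
            findings.append((t["name"], f"unapproved target {host}"))
        if url.path.lower().endswith(DOWNLOAD_EXTS):
            findings.append((t["name"], "URL points at a downloadable file"))
    return findings

# Constructed sample: one channel's tabs as a hypothetical inventory job exports them.
SAMPLE_TABS = [
    {"name": "Files", "app": "files", "url": ""},
    {"name": "Wiki", "app": "website", "url": "https://wiki.example.com/team"},
    {"name": "Files ", "app": "website", "url": "https://files.example.net/login"},
    {"name": "Notes", "app": "website", "url": "https://intranet.example.com/setup.exe"},
]

if __name__ == "__main__":
    for name, reason in audit_tabs(SAMPLE_TABS):
        print(f"{name!r}: {reason}")
```

Name comparison is normalized because a trailing space or full-width character is enough to make a duplicate tab look identical in the channel header.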

Meeting invites

Proofpoint also identifies meeting invites as another tool attackers can use, as the Microsoft Teams platform syncs with a user’s calendar to display, create and edit scheduled meetings. When a Teams meeting is created, several links are generated and sent within the meeting’s description that allow users to join the meeting or download the Teams desktop client.

Hackers typically need access to Outlook or Exchange to manipulate the content of a meeting invite, but access to a user’s Teams account allows them to manipulate the invite using Teams API calls to swap default links with malicious ones that bring users to phishing pages or malware-hosting sites, Proofpoint researchers say.

Hyperlinks in messages

If attackers have access to a user’s Microsoft Teams token, they can also use Teams’ API or user interface to weaponize existing links sent in messages by replacing benign links with malicious ones, which wouldn’t change the presented hyperlink, Proofpoint says.

“Given that Teams API allows for the rapid and automatic enumeration and editing of links included in private or group chat messages, a simple script run by attackers could weaponize countless URLs within seconds,” researchers say.

Afterward, a threat actor can use social engineering and send new messages to encourage unsuspecting users to click or revisit the weaponized link.
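Because the visible link text stays the same when a message is edited this way, detection has to compare the link targets across versions of the message. The following added example (not from Proofpoint's research or any Microsoft tooling) assumes the defender has two snapshots of a message's HTML body, for instance from a retention or compliance export, and reports anchors whose text is unchanged but whose destination host is new.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from a message's HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def host(href):
    """Lower-cased host of a URL, or '' when it cannot be parsed."""
    try:
        return (urlsplit(href).hostname or "").lower()
    except ValueError:
        return ""

def anchors(body_html):
    parser = AnchorCollector()
    parser.feed(body_html)
    parser.close()
    return parser.links

def retargeted_links(before_html, after_html):
    """Return (text, old hosts, new host) for anchors whose text is unchanged
    between two versions of a message but whose href host is new."""
    old = {}
    for href, text in anchors(before_html):
        old.setdefault(text, set()).add(host(href))
    return [(text, sorted(old[text]), host(href))
            for href, text in anchors(after_html)
            if text in old and host(href) not in old[text]]

# Constructed sample: the same chat message before and after an edit.
BEFORE = ('<p>Numbers are in <a href="https://docs.example.com/q3.xlsx">Q3 budget</a>, '
          'agenda <a href="https://intranet.example.com/agenda">here</a>.</p>')
AFTER = BEFORE.replace("https://docs.example.com/", "https://files.example.net/")
```

The comparison is host-level only, so a changed path on the same host is not reported; tighten it to full-URL comparison where that noise is acceptable.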

Guidance and recommendations

According to Proofpoint, Microsoft offered the following guidance after Proofpoint researchers disclosed their research: “Microsoft encourages users to observe security best practices in Microsoft Teams and to adopt industry-standard best practices for security and data protection including embracing the Zero Trust Security model and adopting robust strategies to manage security updates, antivirus updates, and authentication. More information on Zero Trust Security is available at https://aka.ms/zerotrust.”

Read the company’s blog for more information, including recommendations on how to prevent these attacks.
