It is common knowledge that Azure, PowerShell, Exchange and other Microsoft tools and services are popular targets of threat actors, but Microsoft Teams is emerging as one of the most targeted Microsoft applications. According to enterprise security firm Proofpoint, Microsoft Teams is now one of the 10 most targeted sign-in applications, with nearly 40% of targeted organizations having at least one unauthorized login attempt trying to gain access.
Proofpoint’s data comes from an analysis of over 450 million malicious sessions detected throughout the second half of 2022 targeting Microsoft 365 cloud tenants. While Microsoft Teams is last on the list, its presence on the list alone signifies how attackers are pivoting to target heavily used applications on which many organizations rely to support hybrid work models.
The company says its researchers have discovered several new ways that attackers are using Microsoft Teams for malicious purposes, including using tabs for phishing users and instant malware downloads, and weaponizing meeting invites and messages via malicious links.
These actions essentially allow threat actors to conduct Microsoft 365 credential attacks, deliver malware and maintain persistence in a victim’s cloud environment.
According to Proofpoint, researchers have discovered that using undocumented Microsoft Teams API calls, tabs can be reordered and renamed so the original tab can be swapped with a new custom tab. The company says manipulating tabs “could be part of a potent and largely automated attack vector” following an account compromise.
Attackers could also use a native app, “Website,” to pin a chosen website as a tab at the top of a Teams channel or chat. After pinning a “Website” instance as a tab, attackers can manipulate the tab’s name, change it to an existing tab’s name, and reposition it to push the native tab out of view and increase the chances of a user clicking the fraudulent tab, which could bring users to a malicious site.
“This could be extremely attractive for attackers, seeing as, by design, a website tab’s URL is not displayed to users unless they deliberately visit the tab’s ‘Settings’ menu,” Proofpoint researchers write in a blog post.
The website tab could also be used to point to a file that causes Teams to automatically download the file to the user’s device, potentially inserting malicious droppers inside the victim environment.
Proofpoint also identifies meeting invites as another tool attackers can use, as the Microsoft Teams platform syncs with a user’s calendar to display, create and edit scheduled meetings. When a Teams meeting is created, several links are generated and sent within the meeting’s description that allow users to join the meeting or download the Teams desktop client.
Hackers typically need access to Outlook or Exchange to manipulate the content of a meeting invite, but access to a user’s Teams account allows them to manipulate the invite using Teams API calls to swap default links with malicious ones that bring users to phishing pages or malware-hosting sites, Proofpoint researchers say.
Hyperlinks in messages
If attackers have access to a user’s Microsoft Teams token, they can also use Teams’ API or user interface to weaponize existing links sent in messages by replacing benign links with malicious ones, which wouldn’t change the presented hyperlink, Proofpoint says.
“Given that Teams API allows for the rapid and automatic enumeration and editing of links included in private or group chat messages, a simple script run by attackers could weaponize countless URLs within seconds,” researchers say.
Afterwards, a threat actor can use social engineering and send new messages to encourage unsuspecting users to click or revisit the weaponized link.
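As an added example (not from the article or from Proofpoint’s research), the check below compares the anchors in an original and an edited message body and flags edits where the visible link text is unchanged but the underlying href now points at a different host, the swap described above. The sample HTML bodies and the contoso.example / lookalike.example hosts are constructed for the demonstration.

```python
"""Flag message edits where a link's visible text stays the same but its href
changes host, plus links whose visible text is a URL for a different host."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the same message before and after a link swap.
ORIGINAL = ('<p>Agenda: <a href="https://contoso.example/agenda">Agenda doc</a>'
            ' and <a href="https://contoso.example/join">contoso.example/join</a></p>')
EDITED = ('<p>Agenda: <a href="https://lookalike.example/agenda">Agenda doc</a>'
          ' and <a href="https://lookalike.example/join">contoso.example/join</a></p>')

URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _AnchorParser(HTMLParser):
    """Collect (visible_text, href) pairs from an HTML message body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html_body):
    parser = _AnchorParser()
    parser.feed(html_body)
    return parser.anchors


def host(url):
    return (urlparse(url).hostname or "").lower()


def suspicious_link_edits(original_html, edited_html):
    """Return findings as tuples: ('href_swapped', text, old, new) when the same
    visible text now resolves to another host, and ('text_href_mismatch', text,
    href) when URL-looking visible text names a host other than the href's."""
    before = dict(extract_links(original_html))
    findings = []
    for text, href in extract_links(edited_html):
        old = before.get(text)
        if old is not None and host(old) != host(href):
            findings.append(("href_swapped", text, old, href))
        if URL_LIKE.fullmatch(text):
            shown = host(text if "://" in text else "https://" + text)
            if shown != host(href):
                findings.append(("text_href_mismatch", text, href))
    return findings


if __name__ == "__main__":
    for finding in suspicious_link_edits(ORIGINAL, EDITED):
        print(finding)
```

Run against message-edit history, the `href_swapped` finding is the one that needs no assumptions about the attacker’s URL, since it keys only on the text staying constant while the host changes.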
Guidance and recommendations
According to Proofpoint, Microsoft offered the following guidance after Proofpoint researchers disclosed their research: “Microsoft encourages users to observe security best practices in Microsoft Teams and to adopt industry-standard best practices for security and data protection including embracing the Zero Trust Security model and adopting robust strategies to manage security updates, antivirus updates, and authentication. More information on Zero Trust Security is available at https://aka.ms/zerotrust.”
Read the company’s blog for more information, including recommendations on how to prevent these attacks.