Polymer


Summary

  • Microsoft Teams, used by over a million organizations, faces vulnerabilities exploited by threat actors.
  • Researchers found a bug allowing communication between Microsoft Teams users in different organizations.
  • Exploits include phishing schemes and malware delivery.
  • Mitigation involves setting up external communication restrictions, domain allow-listing, employee education, and regular security audits.
  • Although Microsoft constantly improves security, organizations should complement this with specialist tools.

Microsoft Teams is one of the most popular corporate messaging and file storage software platforms in the world, used by over one million organizations. But, like all software, Microsoft Teams is liable to vulnerabilities that threat actors can exploit. 

Just a few months ago, security researchers discovered a bug in Microsoft’s software that allowed them to communicate with Teams users in other organizations. While these researchers had no malicious intent, the very presence of the vulnerability reinforces that Microsoft Teams is not inherently secure. 

Here, we’ll take a deeper look at the most pressing Microsoft Teams vulnerabilities, and offer actionable steps to help you protect your organization from compromise. 

Anatomy of Microsoft Teams attacks

Microsoft Teams vulnerabilities, like all software flaws, typically arise from developer errors made during the coding process. No piece of software is static: Microsoft regularly releases updates designed to improve the functionality and security of its software, and sometimes these updates themselves introduce vulnerabilities that need to be patched later down the line. 

The most prominent Microsoft Teams vulnerability in recent years allowed users to communicate with Teams users outside their organization: the perfect opening for malicious actors to send malware attachments or request sensitive information. 

The security researchers developed the exploit through an insecure direct object reference (IDOR) vulnerability. This allowed them to bypass Microsoft Teams’ in-built security controls that prevent users from sending files to external tenants. 

By doing this, the researchers duped Microsoft Teams into treating them as members of the target tenant’s organization, which then allowed them to send files to whoever they wanted. This attack is very troubling in the context of phishing attachments: should an unwitting employee receive an attachment from a person they believe to be inside their organization, there is nothing to stop them from opening it. 

While you might think users will spot an unusual domain, bad actors can also register spoof domains with Microsoft 365 to reduce suspicion. 

Worse still, with the use of tools like TeamPhisher, designed specifically to deliver phishing messages and attachments to Microsoft Teams users, bad actors could potentially automate this whole process. This would make it easy and quick to target unsuspecting users en masse. 

At the time the vulnerability was discovered, Microsoft didn’t release a patch for the weakness. Instead, the company highlighted the importance of careful configuration, noting in a Microsoft blog that this attack is “yet another reason why Microsoft 365 tenants should restrict external access to the set of domains they really want to chat with.”

Understanding the potency of the attack vector: from phishing to direct malware delivery

Despite these warnings, malicious actors successfully exploited the identified vulnerability for ransomware attacks following the publication of the security researchers’ findings.

The culprit behind these attacks is known as Storm-0324, a financially motivated group that infiltrated legitimate .onmicrosoft.com domains, commonly used as mailing domains within Microsoft 365 environments for companies lacking custom domains. 

In their attack strategy, they manipulated user accounts to mirror the names of individuals within the targeted organization, often impersonating the CEO. Through these compromised accounts, they dispatched automated messages via Teams.

Upon recipient acceptance, an automated response was triggered, with the attacker’s account displaying an (External) designation next to the name. These messages were crafted with a sense of urgency and included malicious attachments, aiming to deceive recipients into opening them.

After opening the zip files, victims would encounter multiple files disguised as PDFs. Unbeknownst to them, opening one of these files initiated the download of additional malicious software, thereby introducing ransomware into the system.

These attacks represent highly sophisticated phishing schemes, catching many victims off guard due to the misconception that Microsoft Teams is impervious to such exploits. While individuals may be vigilant against phishing emails, Teams, perceived primarily as an internal communication platform, presents a more unsuspecting avenue for cybercriminals.

Following numerous organizations falling victim to this attack vector, Microsoft implemented several enhancements for mitigation, including the suspension of fraudulent accounts and the introduction of an improved accept/block feature to prompt employees before engaging with new users. Nevertheless, the reality persists that users are more prone to opening fraudulent messages within Microsoft Teams compared to email.

Mitigation strategies & protective measures

For this security flaw in particular, there is no patch coming—and that’s because Microsoft insists that, based on the cloud’s shared responsibility model, it is up to organizations to secure their users and data. 

While the question of who is responsible for this flaw is contentious within the cybersecurity community, the flaw nevertheless persists in Microsoft Teams today, meaning it is vital for organizations to take action.

Here’s what to do. 

Restrict external tenant communication

To bolster security measures, organizations can minimize their attack surface by limiting external tenants’ ability to contact employees. By limiting external communication, organizations can significantly reduce the risk of threat actors infiltrating their systems through Microsoft Teams.

Establish domain allow-listing

For companies dependent on external communication, institute a domain allow-listing policy, permitting only trusted domains to communicate via Microsoft Teams. Establish a streamlined policy for incorporating external domains into this list to ensure that all third-party organizations can be trusted. 
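The two controls above (restricting external tenant communication and allow-listing domains) are both settings on the tenant’s federation configuration. The script below is an added example, not code from the original post or from Polymer; it uses the MicrosoftTeams PowerShell module and assumes the module is installed and the signed-in account holds the Teams Administrator role. The two domains in `$trustedDomains` are constructed placeholders.

```powershell
# Added example, not code from the original post: lock down external (federated)
# access for a Microsoft Teams tenant using the MicrosoftTeams PowerShell module.
# Assumes the module is installed and the signed-in account holds the Teams
# Administrator role. The domains in $trustedDomains are constructed placeholders.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Capture the current configuration so the change can be reviewed and rolled back.
$before = Get-CsTenantFederationConfiguration
Write-Host "Before:"
$before | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                        AllowPublicUsers, AllowedDomains, BlockedDomains | Format-List

# 2. Strictest option: turn federation off entirely. Use this when the business
#    has no need to chat with other tenants (uncomment to apply).
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 3. Allow-list option: keep federation on, but only for named partner domains.
#    AllowedDomainsAsAList replaces the whole list, so every trusted domain must appear.
$trustedDomains = New-Object Collections.Generic.List[string]
$trustedDomains.Add('partner-one.example')   # placeholder
$trustedDomains.Add('partner-two.example')   # placeholder

Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $trustedDomains `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# 4. Re-read and show the result; the allow-list should contain only the domains above.
Write-Host "After:"
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                  AllowPublicUsers, AllowedDomains | Format-List
```

Run the script once interactively, compare the “Before” and “After” output, and keep the before snapshot with the change record. The same settings are visible in the Teams admin center under Users > External access, which is a convenient place to confirm the result after the script has run.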

Prioritize employee education and awareness

It’s crucial to educate employees about the potential risks associated with Microsoft Teams phishing. Instead of opting for training ‘away’ days or one-off eLearning solutions, look for innovative security awareness solutions that seamlessly integrate into Microsoft Teams, providing real-time, in-app education that empowers users to make secure decisions in the moment.

Conduct regular security audits and updates

Regular security audits are essential to ensuring all software and applications are up to date with the latest patches and security protocols. Consistent vulnerability assessments and penetration testing can pinpoint any potential weaknesses, enabling organizations to proactively address them.

Implement a layered security strategy 

Bolster Microsoft Teams security by deploying complementary security integrations that enhance data protection and identity management. Tools like multi-factor authentication, data loss prevention and user behavior analytics can help companies automate the process of discovering and mitigating malicious access attempts, even in the event that a threat actor manages to break into their Microsoft Teams tenant. 

The latest in Microsoft Teams security flaws

While this vulnerability captured the attention of the media, it is by no means the last Microsoft Teams security flaw in recent times. The second Tuesday of each month is Microsoft’s Patch Tuesday, when the company releases security fixes for discovered flaws across Microsoft Teams, Microsoft 365 and its other products. The flaws these fixes address are tracked as Common Vulnerabilities and Exposures (CVEs).

Here is an overview of the most recent Microsoft Teams vulnerabilities Microsoft has released patches for: 

  • CVE-2020-10146: A vulnerability was identified within the Microsoft Teams online service, specifically in the displayName parameter. Exploitation of this stored cross-site scripting flaw on Teams clients could have led to the acquisition of sensitive data, such as authentication tokens, and potentially enabled the execution of arbitrary commands.
  • CVE-2023-29328 and CVE-2023-29330: Microsoft Teams faced two vulnerabilities that posed a risk once an attacker persuades a user to participate in a Teams meeting.
  • CVE-2023-4863: Another vulnerability in Microsoft Teams stemmed from a heap buffer overflow weakness within the WebP code library (libwebp). Its ramifications ranged from system crashes to the execution of arbitrary code.
  • CVE-2024-21374: An excessive data output issue was identified in the Microsoft Teams application for Android. Exploiting this vulnerability, a remote attacker could deceive a user into downloading and running a specially crafted application, thereby gaining unauthorized access to sensitive system information.

The role of CVEs in tracking Microsoft Teams vulnerabilities

Despite the severity of these security flaws, Microsoft Teams is still one of the best, most secure communications platforms on the market. 

All software providers will experience software vulnerabilities semi-regularly and Microsoft’s in-depth approach to patching means the provider is, for the most part, excellent at discovering and remediating security flaws before they are exploited by malicious actors.

That said, because of its popularity, Microsoft Teams is one of the platforms most targeted by threat actors, who will attempt to compromise user accounts by exploiting vulnerabilities, misconfigurations on the tenant side, or human error.

That’s why it’s vital to stay abreast of the CVEs Microsoft releases every Patch Tuesday. When a new vulnerability emerges and is assigned a CVE, it comes with detailed information outlining its impact, affected systems, and potential mitigation strategies. Incident response teams rely on this data to swiftly gauge the risk posed and enact appropriate measures to counter it.

A fundamental approach to achieve this is to regularly monitor CVE databases and security advisories. The MITRE Corporation oversees the official CVE database, which can be accessed via their website. Alongside this, organizations can tap into vendor-specific security advisories and industry-specific threat intelligence feeds for additional insights.

Subscribing to mailing lists or RSS feeds offering updates on the latest CVEs and security advisories is also prudent. Many organizations and security vendors furnish such services, aiding in keeping a pulse on the newest vulnerabilities and potential threats.

Furthermore, there are several tools and resources designed to facilitate staying current with CVEs and security advisories. Vulnerability management platforms, for instance, can automatically scan systems for vulnerabilities, offering real-time alerts on the discovery of new CVEs, saving security teams plenty of time that they would otherwise have to spend manually aggregating and verifying disparate data sources. 
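As an added example of the CVE monitoring described above (not code from the original post or from Polymer), the script below filters CVE records down to those that mention Microsoft Teams and ranks them by CVSS base score, so the highest-risk items surface first. The JSON field names follow the layout of the NVD CVE API 2.0 response, which is an assumption about that API; `$sampleJson` is a constructed stand-in with placeholder IDs so the filter runs offline, and `Get-LiveTeamsCves` shows the equivalent live query.

```powershell
# Added example, not code from the original post: keep only CVE records that mention
# Microsoft Teams and rank them by CVSS base score. Field names follow the NVD CVE
# API 2.0 JSON layout (an assumption about that API). $sampleJson is a constructed
# stand-in with placeholder IDs so the filter can be exercised offline.

function Select-TeamsCves {
    param(
        [Parameter(Mandatory)] [string] $Json,   # NVD-shaped JSON document
        [double] $MinScore = 7.0                 # drop anything scored below this
    )
    $data = $Json | ConvertFrom-Json
    foreach ($item in $data.vulnerabilities) {
        $cve  = $item.cve
        $desc = ($cve.descriptions | Where-Object lang -eq 'en' | Select-Object -First 1).value
        if ($desc -notmatch 'Microsoft Teams') { continue }

        # Prefer CVSS v3.1; a record with no metrics yet is kept, since an unscored
        # Teams CVE is still worth a look.
        $metric = $cve.metrics.cvssMetricV31 | Select-Object -First 1
        $score  = if ($metric) { [double]$metric.cvssData.baseScore } else { $null }
        if ($null -ne $score -and $score -lt $MinScore) { continue }

        [pscustomobject]@{
            Id        = $cve.id
            Published = $cve.published
            Score     = $score
            Summary   = $desc
        }
    }
}

function Get-LiveTeamsCves {
    # Live query against NVD for CVEs published in the last $Days days.
    # NVD rate-limits unauthenticated callers, so run this on a schedule, not in a loop.
    param([int] $Days = 30, [double] $MinScore = 7.0)
    $end   = (Get-Date).ToUniversalTime()
    $start = $end.AddDays(-$Days)
    $fmt   = 'yyyy-MM-ddTHH:mm:ss.fff'
    $uri   = 'https://services.nvd.nist.gov/rest/json/cves/2.0' +
             '?keywordSearch=Microsoft%20Teams' +
             "&pubStartDate=$($start.ToString($fmt))&pubEndDate=$($end.ToString($fmt))"
    $resp  = Invoke-WebRequest -Uri $uri -UseBasicParsing
    Select-TeamsCves -Json $resp.Content -MinScore $MinScore
}

# Constructed sample: three records with placeholder IDs, shaped like an NVD response.
$sampleJson = @'
{
  "vulnerabilities": [
    { "cve": { "id": "CVE-0000-00001", "published": "2024-01-09T18:15:00.000",
               "descriptions": [ { "lang": "en", "value": "Microsoft Teams for Android information disclosure." } ],
               "metrics": { "cvssMetricV31": [ { "cvssData": { "baseScore": 5.0 } } ] } } },
    { "cve": { "id": "CVE-0000-00002", "published": "2024-01-09T18:15:00.000",
               "descriptions": [ { "lang": "en", "value": "Heap buffer overflow in an image library used by Microsoft Teams." } ],
               "metrics": { "cvssMetricV31": [ { "cvssData": { "baseScore": 8.8 } } ] } } },
    { "cve": { "id": "CVE-0000-00003", "published": "2024-01-09T18:15:00.000",
               "descriptions": [ { "lang": "en", "value": "Flaw in an unrelated product." } ],
               "metrics": { "cvssMetricV31": [ { "cvssData": { "baseScore": 9.8 } } ] } } }
  ]
}
'@

# Offline run over the constructed sample; only the Teams record scored at or above
# the threshold survives the filter.
Select-TeamsCves -Json $sampleJson |
    Sort-Object Score -Descending |
    Format-Table Id, Score, Published, Summary -AutoSize
```

The threshold is deliberately a parameter: a team that patches Teams clients through a managed update ring may only want to be paged for high-severity items, while one that lets users self-update may want everything. Swap the `Format-Table` for an `Export-Csv` or a ticketing call once the filter output looks right.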

Preventive measures & best practices for elevating Microsoft Teams security 

While organizations are powerless to prevent vulnerabilities from occurring in Microsoft Teams, they can bolster employee awareness, data security and identity and access management—all of which will go a long way to protect against attacks like the Microsoft Teams phishing threat. 

In fact, Gartner predicts that, by 2025, 99% of cloud data breaches will be caused by misconfigurations on the customer side, meaning that vulnerabilities only really play a small role in data leakage and their associated compliance fines. 

Alongside proactive vulnerability management, here’s what you can do to bolster Microsoft Teams security today. 

Regularly review user permissions

The allure of Microsoft Teams lies in its seamless facilitation of collaboration among employees, clients, freelancers, and beyond. Central to deployment is ensuring that the right individuals have appropriate access to resources. The bulk of security issues associated with MS Teams stem from misconfigurations or overly permissive privileges, so make sure to meticulously define permissions within your team.

Furthermore, the act of withdrawing access is equally pivotal to granting it. When an employee departs or a project concludes, it’s imperative to review who has access to what within Microsoft Teams—and to revoke access privileges for users when they are no longer needed, using the principle of least privilege. 
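The permission review described in the two paragraphs above can be turned into a repeatable report. The script below is an added example, not code from the original post or from Polymer; it uses the MicrosoftTeams PowerShell module and assumes the signed-in account holds the Teams Administrator role, so that `Get-Team` returns every team in the tenant. It enumerates each team’s owners, members and guests, writes the result to a CSV, and flags the two conditions that most often need follow-up: guests present in a team, and teams with fewer than two owners (a single departing owner leaves the team orphaned). `$reportPath` is a constructed placeholder.

```powershell
# Added example, not code from the original post: audit who has access to each
# Microsoft Teams team and flag teams that need a closer look. Assumes the
# MicrosoftTeams module and a Teams Administrator account. $reportPath is a
# constructed placeholder.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

$reportPath = '.\teams-access-review.csv'

# One row per team: who can administer it, who can read it, and which guests are in it.
$findings = foreach ($team in Get-Team) {
    $owners  = @(Get-TeamUser -GroupId $team.GroupId -Role Owner)
    $members = @(Get-TeamUser -GroupId $team.GroupId -Role Member)
    $guests  = @(Get-TeamUser -GroupId $team.GroupId -Role Guest)

    [pscustomobject]@{
        Team        = $team.DisplayName
        GroupId     = $team.GroupId
        Visibility  = $team.Visibility
        OwnerCount  = $owners.Count
        MemberCount = $members.Count
        GuestCount  = $guests.Count
        Guests      = ($guests.User -join ';')
        # Guests should be re-confirmed by the owner; a lone owner is a continuity risk.
        NeedsReview = ($guests.Count -gt 0) -or ($owners.Count -lt 2)
    }
}

# Keep the full report for the audit trail, and show only the teams that need action.
$findings | Export-Csv -Path $reportPath -NoTypeInformation
$findings | Where-Object { $_.NeedsReview } |
    Format-Table Team, Visibility, OwnerCount, GuestCount, Guests -AutoSize

# Revocation is a separate, deliberate step taken after the team owner confirms the
# guest is no longer needed (placeholder values shown):
# Remove-TeamUser -GroupId '<group-id-from-report>' -User '<guest-upn-from-report>'
```

Run the report on a fixed cadence (monthly, or whenever a project closes) and diff it against the previous run: a new guest on a team that previously had none is exactly the kind of change a manual review misses.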

Focus on real-time education & training 

Although security tools and correct permissions can bolster security defenses, human error remains a significant risk. Spending millions on detection technologies can be futile if a user accidentally shares data with the wrong person.

Reducing cloud security breaches requires investing in people. Building a cyber-aware organization empowers employees to keep data safe and spot signs of compromise.

Effective training is crucial. Avoid lengthy sessions and impersonal eLearning modules. Instead, integrate security training directly into employees’ Microsoft Teams workflows with prompts and nudges to foster security-conscious decision-making.

Embrace a zero trust approach to Microsoft Teams 

Zero trust architecture operates through a suite of technologies that continually monitor and authenticate users and devices. It mandates that users access only what they require and verifies the authenticity of those attempting to access corporate data. Rather than a one-time validation, it advocates for ongoing authentication of access requests.

Implementing zero trust starts with understanding your company’s user base. To enforce it effectively without impeding productivity, tools like Identity and Access Management with single sign-on should be employed. This ensures that only verified users can access corporate data and applications.

Zero trust also emphasizes that verified access doesn’t equate to complete trust. Additional measures must be taken to prevent accidental data loss or exfiltration. 

Cloud-based data loss prevention (DLP) solutions offer real-time visibility into user interactions with sensitive data in platforms like Microsoft Teams. These solutions employ predefined policies and contextually aware algorithms to thwart risky data sharing and exfiltration. 

Future outlook: enhancing security in Microsoft Teams

As a leading software company, Microsoft employs a ‘growth mindset’ approach to vulnerability management. The organization has shown that it constantly learns from its mistakes and enhances its platform’s security each time a dangerous vulnerability comes to light. 

With the advent of generative AI, Microsoft is also bolstering its security offering through Microsoft Security Copilot, designed to help organizations streamline and simplify the process of managing user permissions and devices. 

Still, many organizations are waking up to the fact that, while Microsoft is an excellent collaboration tool provider, it is vital to harness specialist security tools like next-generation DLP to elevate cybersecurity resilience in Microsoft Teams. Such tools help to ensure that, even if Microsoft Teams experiences a security flaw, your organization’s data and users will remain secure. 


Conclusion

Ultimately, understanding and addressing vulnerabilities in Microsoft Teams is paramount for organizations aiming to fortify their cybersecurity posture. While the platform offers exceptional collaboration capabilities, it’s not immune to exploitation by malicious actors seeking to infiltrate sensitive data or execute nefarious attacks.

To safeguard against these threats, organizations must adopt a multifaceted approach that encompasses proactive measures such as restricting external communication, establishing domain allow-listing policies, prioritizing employee education, conducting regular security audits, and implementing a layered security strategy.

Moreover, embracing a zero trust mindset is instrumental in ensuring that access to corporate data remains secure, irrespective of user location or device. Indeed, organizations must remember that the number one risk factor for data breaches is not platform vulnerabilities, but human error. 

A zero trust architecture, coupled with cloud-based data loss prevention solutions, offers a robust defense mechanism against this threat, which is the most potent Microsoft Teams risk of them all: unauthorized data sharing or exfiltration.

FAQs on Microsoft Teams Security

  • Is Microsoft Teams a security risk? Like all software, Microsoft Teams is a potential security risk to organizations. To mitigate the risks of compromise or data leakage, deploy a proactive vulnerability management program, combined with a layered security approach for the application.
  • What are the major Microsoft vulnerabilities? The most significant Microsoft Teams vulnerability in recent times is a flaw in Microsoft’s software that allowed third parties to communicate with Teams users in other organizations. The weakness allowed threat actors to masquerade as their victims’ employers and share malicious attachments containing malware. 
  • What is the MSFT team vulnerability? A vulnerability was discovered in Microsoft Teams that enabled threat actors to communicate with employees at targeted organizations, pretending to be executives or line managers. 
  • What are the famous Microsoft vulnerabilities? The most famous Microsoft vulnerabilities are those exploited by WannaCry and NotPetya in 2017. Both have now been fixed.

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards. Try Polymer for free.
