Pictured: a building at Microsoft Corporation headquarters in Redmond, Washington. (Coolcaesar/CC BY-SA 4.0via Wikimedia Commons)

Microsoft Teams is prone to the same phishing hazards, impersonation scams and privacy violations as email is, yet many users naïvely treat this and other workplace communications platforms with inherent trust. As a result, they often share sensitive information too freely or click links and open attachments that in an email they might ignore, warns a new report.

Over the past year, the rapid adoption and increased usage of platforms such as Teams, Slack or Google Hangouts due to COVID-19 has only increased the likelihood that a growing number of cybercriminals will try to take advantage of this misplaced trust.

“As workers move away from email and use messaging platforms… malicious actors have followed them. With a lack of training and awareness of risks, users are willing to share more on business messaging platforms, as they think other users can be trusted,” said Chris Hazelton, director of security solutions at Lookout.

Consequently, it is up to employers to ensure that their workers are properly trained in the responsible usage of these applications.

Released today, the Microsoft Teams Security Report was authored by cloud email security company Avanan, a Microsoft partner that analyzed nearly 200 enterprise customers over a two-month span in a quest to seek out vulnerabilities, exploits and attacks related to Teams usage.

Gil Friedrich, CEO of Avanan

Gil Friedrich, CEO of Avanan, told SC Media in an interview that when adversaries target prospective victims, there is a notable difference between email and Teams. With email, anyone can directly reach out to any known email addresses of choice, but a Teams message requires that the sender and recipient are part of the same group account or channel. But users shouldn’t assume this makes them safe, as this is not as great of an obstacle as it appears.

The problem is that group accounts can quickly become large and unwieldly with multiple third-party partners all on the same channel. And if just one user among these partners is compromised and ultimately impersonated, then all members of that channel can potentially be tricked.

“And so you should be more careful in those environments with data you share as well as that with the things you download, etc., because you can’t really control the security of your partners,” said Friedrich to SC Media.

Indeed, one of the most significant discoveries by Avanan researchers was an actual malware attack directed against an unnamed financial firm that was working with a third-party partner organization with whom it communicated via a shared Teams channel. Apparently, the partner had one of its accounts compromised for a year.

Cleverly, the malicious actors didn’t immediately force the issue and attack. Instead, they performed reconnaissance, collected intel and strategically waited for an organic opportunity to send a malicious file. Only after the hackers observed a request for files, did they strike, sending a malicious zip file that purportedly contained the requested documents. In reality, the zip file actually included a Remote Access Trojan that enables desktop monitoring and control.

“In order to evade detection in this new medium, hackers would rather wait for when they can make the biggest impact with the least possible detection,” the report says. For that reason, a Teams-based phishing campaign might exhibit more strategic patience on the part of the attacker than an email-based phishing campaign.

Friedrich said that Avanan blocked the attack, and the financial firm at least temporarily expelled outside organizations from its Teams channel, limiting it to internal communications.

But how was the initial third-party compromise accomplished in the first place? According to the report, there are various ways to hijack or steal one’s Team account credentials. For starters, Teams uses the same credentials as Microsoft 365. So if someone’s Microsoft 365 credentials are stolen, so are his or her Teams credentials. Additionally, Avanan uncovered a viral malicious GIF image of a cat that was uploaded to Teams and shared with users. Clicking on it would allow malicious hackers to harvest a user’s session token, and then impersonate that individual. This attack method was originally discovered by CyberArk researchers, who reported their findings last April.

The Avanan report also notes how some organizations allow external users to join a group and create an account using any random identity and photo they so choose – a feature that could result in an impersonation scam. Indeed, the aforementioned financial institution attackers leveraged this very feature, disguising themselves as a legitimate user.

Importantly, the study also noted that Teams users can pose a danger to themselves even without the interference of an attacker. For instance, some users share highly sensitive data via Teams with users who are both inside and outside of their immediate organizations – thereby running the risk of data loss or even privacy violations.

“Users may assume that others in a group can be trusted, believing users are vetted before being added. This can lead to leakage of corporate data that would not otherwise be shared,” said Hazelton.

“Teams [the product]… has the inherent ability to mislead users that all others are on the same side. The psychology of information security plays a role here,” said Mark Kedgley, chief technology officer at New Net Technologies. “Collaboration requires a certain level of trust, which is often established by management directives (‘We are going to cooperate with company XYZ; the NDA is already in place’), which adds to the misleading. The need to differentiate between each business partnership and what kind of information can be shared is also often diminished as staff is not properly trained.”

In one case, a hospital customer of Avanan that uses Teams was found to liberally share patients’ medical information with hundreds of end users via the platform. “Medical staff generally know the security rules and risk of sharing information via email, but ignore those when it comes to Teams. In their mind, everything can be sent,” the report states.

For example, “medical information, procedures and family circumstances of a minor, was shared together with her name and social security number,” the report says. And while the use of Teams might help doctors communicate quickly to make life-saving decisions, it still shows they may need more guidance on use of the platform.

“When companies use Teams, they assume it is internal and unmonitored. Accordingly, the end-user behavior we identified during this analysis observed free sharing of all data. End-users freely share files, data, spreadsheets and sensitive information, often without thinking,” the report says. “There’s something very casual, almost instantaneous” about many of these conversations, said Friedrich.

Original cartoon courtesy of Avanan.

Indeed, Teams is built for quick communication among parties with a shared interest. Because of that, links in chats are not scanned. Files are scanned as they’re saved to OneDrive, but only for known malware signatures and not in real time – so in that sense it’s easier to sneak in malware undetected. (Adding Microsoft ATP protection helps, though this too can be bypassed by determined attackers.) “The way around it is to educate your users to be more careful with that content and just to know that this is how this platform behaves,” explained Friedrich.

Malware, impersonation and lateral attackers were identified as the most popular threats affecting Teams users. Additionally, Avanan researchers foundation a zero-click cross-site scripting vulnerability that Microsoft repaired last December. In addition to better training and education, experts had suggestions for how companies can reduce the risk of such threats.

“More focus on least privilege is needed as it’s still too common for users to run with local admin rights,” said Kedgley. Additionally, organizations should follow “config hardening guidance from the CIS or STIG playbooks.” Email and office applications provide a whole bunch of hardened settings to combat malware and phishing, but too few organizations make use of them. Change control and vulnerability management as core security controls should be in place as well.

“Organizations need to add security in the cloud and across all the endpoints: laptops, phones, and tablets – wherever these conversations are taking place,” said Hazelton. “This will allow organizations to identify phishing attacks as they happen, and quickly react when malware is introduced through a messaging platform.”

Friedrich said Microsoft was a cooperative partner throughout the study. “They have all the interest to make [Teams] as secure as possible for their customers. So we got a lot of support from from their engineering team,” including having advanced access to the Teams API.

SC Media reached out to Microsoft and a spokesperson provided the following response: “The issues mentioned in [the Avanan] article were addressed by our teams last year. We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files or accepting file transfers. For more information on staying protected, please visit: https://www.microsoft.com/en-us/digital-skills/online-safety-resources.”