New ways to abuse Microsoft Teams, some of them via leveraging undocumented API calls – have demonstrated the need for more comprehensive security awareness training.
In a blog post May 17, Proofpoint security researchers David Krispin and Ellion Bendet write that some of these new techniques include weaponizing meeting invites by replacing default URLs with malicious links, or weaponizing messages by replacing existing URLs.
Threat actors are also leveraging account compromise and impersonation and manipulation techniques across Teams, such as using tabs to phish users or entice them to download malware. By using undocumented Teams API calls, threat actors can reorder and rename tabs so that the original tab gets swapped with a new custom tab.
Hackers can leverage this “seemingly benign” feature by using a native app such as “Website,” which lets users pin a chosen website as a tab at the top of a Teams channel or chat. Once they pin a “Website” instance as a tab, an attacker can manipulate the tab’s name, changing it to an existing tab’s name, and then repositioning it.
This effectively allows the attackers to push the native tab out of view and increases the chances a user will click instead on a fraudulent tab, one that points to a malicious site, that can pose as a Microsoft 365 sign-in page and phish for credentials.
“Although browser security best practices educate users to closely examine key indicators such as the URL bar and to not click on suspicious links, in this case all those instructions are irrelevant, as Teams does not provide a visible URL bar,” said Krisin and Bendet. “Therefore, unsuspecting victims are unlikely to notice that the web page they access is, in fact, malicious.”
An industry-wide move towards API-first design means they have become embedded in almost every aspect of modern web and mobile application user interfaces and underlying functionality. Nick Rago, Field CTO at Salt Security, said business logic flaws, such as the ones found in the Microsoft Teams tab functionality, often get overlooked and are hard to flush out, making them a prime attack surface for adversaries to prey on.
“This incident reinforces why organizations require runtime insights to continuously monitor their APIs,” said Rago. “Runtime visibility provides a red flag to anomalous behaviors, so organizations can quickly detect new threats and more effectively defend against attacks.”
Stephen Gates, principal security subject matter expert at Horizon3.ai, added that APIs are often the weakest link in the chain of unknown risks in the software lifecycle. Developers don’t always understand the hazards associated with APIs since they are usually different than other types of programming, and with the growth of cloud-based microservices, API usage has grown by leaps and bounds.
“Even worse, the issues with shadow APIs - the ones no one knows about - and zombie APIs - the ones yet to be decommissioned - often provide doorways into well-known applications,” said Gates. “These APIs are often not being tracked, they are on no one’s radar, and if they were exploited, no one would likely detect it.
Georgia Weidman, security architect at Zimperium, added that organizations tend to limit their security awareness training and phishing simulations and protections to email. However, in the real-world, attackers can and are using any mechanism they can to deliver phishing attacks. Because of a lack of training and awareness, mobile vectors such as SMS and NFC, social media platforms Facebook and Twitter, and enterprise collaboration suites such as Microsoft Teams and Zoom are fertile grounds for phishing attacks to succeed.
