With organisations increasingly adopting cloud-based services and applications, especially collaboration tools, attackers have pivoted their attacks as well. Microsoft services consistently rank at the top of statistics when it comes to malicious sign-in attempts, and Microsoft Teams is one application that recently seems to have attracted attackers' interest.
Researchers from security firm Proofpoint investigated how attackers could abuse access to a Teams account and found some interesting attack vectors that could allow hackers to move laterally by launching further phishing attacks or getting users to download malicious files.
"Our analysis of past attacks and ongoing trends within the dynamic cloud threat landscape indicates that attackers progressively pivot to more advanced attack vectors," the Proofpoint researchers said in their report. "The adoption of new attack techniques and tools, when combined with apparent security flaws, including dangerous functionalities in first-party apps, exposes organisations to a variety of critical risks."
Post-compromise lateral movement
According to Proofpoint's data, around 40% of organisations that are Microsoft 365 cloud tenants have had at least one unauthorised login attempt trying to gain access to a user account via Microsoft Teams in the second half of 2022 using either the web or desktop clients.
While this is lower compared to the number of organisations that saw malicious login attempts on their Azure Portal or Office 365 accounts in general, it's still significant enough to suggest attackers are taking an interest in Microsoft Teams specifically.
Access to a Teams account can be gained with an API token, credentials or an active session cookie, but once inside, attackers will likely want to expand their access to other services or target other users.
The Proofpoint researchers found undocumented API calls that let Teams users rearrange the tabs displayed at the top of channels or group conversations, which every member can see. This tab list can include other Office 365 applications for quick access, but Microsoft also lets users pin a tab called "Website" that can be configured to load a secure remote website inside the Teams client.
"This new tab could be used to point to a malicious site, such as a credential phishing webpage posing as a Microsoft 365 sign-in page," the Proofpoint researchers said. "This could be extremely attractive for attackers, seeing as, by design, a website tab’s URL is not displayed to users unless they deliberately visit the tab’s ‘Settings’ menu."
Moreover, using the undocumented API calls, an attacker with access to a Teams account could rename the new malicious "Website" tab, which points to a phishing page, so that its name matches a tab that already exists, and then reorder the tabs to push the original one out of view.
This means that users accustomed to clicking the usual tab might now land on a page that asks them to reauthenticate to their Microsoft 365 account, which may not raise suspicion, since they cannot see the site's URL and the page is displayed inside a Microsoft application they trust.
Another way to abuse this feature is to point the Website-type tab at a remotely hosted file, in which case the Teams client automatically downloads the file to the user's computer when the tab is clicked. This could allow attackers to get their malware droppers onto other systems and networks.
The Proofpoint researchers also found that the Teams API allows users to modify the URLs included in meeting invites generated from a Teams account.
"Whereas usually an attacker would need access to Outlook or Microsoft Exchange in order to manipulate the content of a meeting invite, once attackers gain access to a user’s Teams account, they can manipulate meeting invites using Teams API calls, swapping benign default links with malicious ones," the researchers said.
Recipients are likely to trust such links because they arrive in a Teams-generated invite, and they can similarly lead to fake Microsoft 365 login pages designed to harvest credentials, or to pages that prompt users to download a file masquerading as a Teams update or installer.
Link swapping can also be done within existing chats, since Teams allows users to edit their past messages and change the links they contain. This functionality is available both through the client and through the API, so attackers could write scripts that replace every link in existing chats within seconds.
"Subsequently, a sophisticated threat actor might utilise social engineering techniques and send new messages, encouraging unsuspecting users to click (or “re-visit”) the edited, and now weaponised, link," the Proofpoint researchers said.
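As an added illustration (not Proofpoint's or Microsoft's code), the following Python sketches two detections for the patterns described above, tab impersonation and mass link editing, run over constructed audit events. The event schema, field names and operation names are assumptions; a real Microsoft 365 audit export would have to be mapped onto them.

```python
from collections import defaultdict
EVENTS = [  # constructed sample events, hypothetical schema (not Microsoft's); ts = epoch seconds
    {"ts": 100, "user": "bob", "op": "TabAdded", "channel": "Finance",
     "tab_id": "t1", "tab": "Budget Tracker", "kind": "sharepoint"},
    {"ts": 900, "user": "mallory", "op": "TabAdded", "channel": "Finance",
     "tab_id": "t2", "tab": "Website", "kind": "website"},
    # the Website tab is renamed to impersonate the existing SharePoint tab
    {"ts": 905, "user": "mallory", "op": "TabRenamed", "channel": "Finance",
     "tab_id": "t2", "tab": "Budget Tracker", "kind": "website"},
] + [  # eight past messages get their link swapped within eight seconds
    {"ts": 1000 + i, "user": "mallory", "op": "MessageEdited",
     "old_url": "https://intranet.example.com/q3.pdf", "new_url": "https://lure.invalid/q3.pdf"}
    for i in range(8)
] + [  # one ordinary correction the next day: must not alert
    {"ts": 90000, "user": "alice", "op": "MessageEdited",
     "old_url": "https://intranet.example.com/q3.pdf", "new_url": "https://intranet.example.com/q4.pdf"},
]

def website_tab_collisions(events):
    """Website-type tab added/renamed to the name of a different-type tab in the same channel."""
    tabs, alerts = defaultdict(dict), []  # channel -> {tab_id: (name, kind)}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["op"] not in ("TabAdded", "TabRenamed"):
            continue
        chan = tabs[e["channel"]]
        chan[e["tab_id"]] = (e["tab"], e["kind"])
        if e["kind"] == "website" and any(
                name == e["tab"] and kind != "website"
                for tid, (name, kind) in chan.items() if tid != e["tab_id"]):
            alerts.append((e["ts"], e["user"], e["channel"], e["tab"]))
    return alerts

def link_edit_bursts(events, window=60, threshold=5):
    """Users who change the URL in >= threshold existing messages within `window` seconds."""
    by_user, alerts = defaultdict(list), []
    for e in events:
        if e["op"] == "MessageEdited" and e.get("old_url") != e.get("new_url"):
            by_user[e["user"]].append(e["ts"])
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, times[start], t, end - start + 1))
                break  # one alert per user is enough
    return alerts
```

The first function keys tabs by id rather than name, so two tabs sharing a display name are kept apart and the collision is still seen; the second flags only the burst, so a single legitimate link correction passes.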
While all these techniques require attackers to already have access to a compromised account, organisations should always consider lateral movement opportunities, since lateral movement is a common feature of modern attacks. Attackers will rarely stop at one compromised account or system once they gain a foothold inside an organisation's networks or infrastructure.
How to mitigate lateral movement risk via Teams
According to Proofpoint's data, around two in three Microsoft 365 tenants suffered at least one successful account takeover incident last year. The company advises organisations to:
- Educate users to be aware of these risks when using Microsoft Teams.
- Identify attackers accessing Teams within your cloud environment. This requires accurate and timely detection of the initial account compromise, and visibility into the affected sign-in application.
- Isolate potentially malicious sessions initiated by links embedded in Teams messages.
- If you’re facing targeting attempts on a regular basis, consider limiting usage of Microsoft Teams in your cloud environment.
- Where possible, keep your Teams service internal-only and not exposed to communication with other organisations.