Microsoft Teams: Lateral movement abuse exposed
May 18th, 2023 - Written By CyberLabs
Researchers from the security company Proofpoint looked into how attackers could misuse a compromised Teams account and found several attack paths that might let criminals advance by launching more phishing attempts or tricking users into downloading harmful files.
“Proofpoint’s threat researchers recently analyzed over 450 million malicious sessions, detected throughout the second half of 2022 and targeting Microsoft 365 cloud tenants.”
“According to our findings, Microsoft Teams is one of the ten most targeted sign-in applications, with nearly 40% of targeted organizations having at least one unauthorized login attempt trying to gain access,” the company said in a blog post.
Teams accounts can be accessed via an API token, login credentials, or an active session cookie, but once inside, attackers will probably want to utilize the account to access more services or target other users.
Using undocumented API calls discovered by the Proofpoint researchers, Teams users can reorder the tabs that are visible to everyone at the top of their channels or group chats.
Microsoft also allows users to pin a tab called “Website” that may be configured to load a secure remote website into a tab inside the Teams client. The tab list can also contain other Office 365 applications for quick access.
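For defenders, the pinned "Website" tab described above can be audited from tab metadata. The following is an added example, not code from Proofpoint or Microsoft: it checks tab records shaped like Microsoft Graph `teamsTab` objects against an allowlist of hosts. The allowlist, the sample records and the function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# App id of the built-in "Website" tab in Microsoft Graph teamsTab objects.
WEBSITE_TAB_APP_ID = "com.microsoft.teamspace.tab.web"

# Assumption: hosts your organization accepts in pinned Website tabs.
ALLOWED_HOSTS = {"intranet.example.com", "wiki.example.com"}

# Constructed sample, shaped like the "value" array returned by
# GET /teams/{team-id}/channels/{channel-id}/tabs?$expand=teamsApp
SAMPLE_TABS = [
    {"displayName": "Wiki", "teamsApp": {"id": WEBSITE_TAB_APP_ID},
     "configuration": {"contentUrl": "https://wiki.example.com/home",
                       "websiteUrl": "https://wiki.example.com/home"}},
    {"displayName": "Benefits", "teamsApp": {"id": WEBSITE_TAB_APP_ID},
     "configuration": {"contentUrl": "https://portal.example.net/benefits",
                       "websiteUrl": "https://portal.example.net/benefits"}},
    {"displayName": "Old wiki", "teamsApp": {"id": WEBSITE_TAB_APP_ID},
     "configuration": {"contentUrl": "http://wiki.example.com/"}},
    {"displayName": "Tasks", "teamsApp": {"id": "constructed-other-app-id"},
     "configuration": {"contentUrl": "https://tasks.example.net/"}},
]


def host_allowed(url, allowed=ALLOWED_HOSTS):
    """True only for https URLs whose parsed host is an allowed host or a subdomain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return False
    return any(host == a or host.endswith("." + a) for a in allowed)


def audit_website_tabs(tabs, allowed=ALLOWED_HOSTS):
    """Return (tab name, field, url) for every Website-tab URL outside the allowlist."""
    findings = []
    for tab in tabs:
        if (tab.get("teamsApp") or {}).get("id") != WEBSITE_TAB_APP_ID:
            continue  # only the built-in Website tab is in scope here
        cfg = tab.get("configuration") or {}
        for field in ("contentUrl", "websiteUrl"):  # the two fields can differ
            url = cfg.get(field)
            if url and not host_allowed(url, allowed):
                findings.append((tab.get("displayName"), field, url))
    return findings


if __name__ == "__main__":
    for name, field, url in audit_website_tabs(SAMPLE_TABS):
        print(f"review tab {name!r}: {field} -> {url}")
```

The host is compared after URL parsing rather than by substring match, so a URL that merely contains an allowed name elsewhere in the string is still reported.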
The company advises organizations to:
- Educate users to be aware of these risks when using Microsoft Teams.
- Identify attackers accessing Teams within your cloud environment. This requires accurate and timely detection of the initial account compromise, and visibility into the impacted sign-in application.
- Isolate potentially malicious sessions initiated by links embedded in Teams messages.
- If you’re facing targeting attempts on a regular basis, consider limiting usage of Microsoft Teams in your cloud environment.
- Make sure your Teams service is internal only if possible and not exposed to communication with other organizations.