Breach Debrief Series: Addressing Microsoft Teams Phishing Threats

Hananel Livneh, Head of Product Marketing

AT&T Cybersecurity recently discovered phishing attacks conducted over Microsoft Teams. During a group chat, threat actors distributed malicious attachments to employees, which led to the installation of DarkGate malware on the victim’s systems. 

This attack shines a bright light on the everchanging phishing surface as it expands from email to communication applications like Teams. This blog post will shed light on the attack, draw parallels between a previously identified vulnerability, and provide actionable remediation steps to fortify your organization against threats of this nature. 

Inside the Attack 

The attackers leveraged Microsoft Teams to send over 1,000 group chat invites. Once targets accepted the invitation, they were manipulated into downloading a file containing DarkGate malware.

This attack vector exploits the default settings in Microsoft Teams, which allows external users to message other tenants’ users. The scale of this threat is significant, as Microsoft Teams’ massive user base is an attractive target for cybercriminals.  

In light of previously identified vulnerabilities and misconfigurations in Microsoft Teams, it is evident that the platform is susceptible to multiple attack vectors. One previous vulnerability involved an insecure direct object reference (IDOR), which allowed threat actors to bypass file-sharing restrictions and deliver malware directly to a target’s Teams inbox. Understanding the interconnected nature of these vulnerabilities is crucial when crafting a comprehensive security strategy.

Remediation

This vulnerability affects all organizations using Microsoft Teams in its default configuration. The following measures prevent threat actors from bypassing traditional payload delivery security controls, and mitigate the risk. These measures also help prevent the GIFShell vulnerability and the IDOR vulnerability found by Max Corbridge and Tom Ellson from JUMPSEC’s Red Team.

To fortify your organization against these phishing attacks and vulnerabilities, Adaptive Shield’s security research team recommends implementing the following remediation measures:

1. Review External Access

Assess the need for external tenants to message members of your organization. If it is not essential, disable external access in the Microsoft Teams Admins Center. Set the “Choose which external domains your users have access to” configuration to “Block all external domains. 

If external communication through Teams is required, enable access only for specific domains that regularly interact with users through Teams, to strike a balance between the organization’s communication needs and its security. 

2. Block Invitations of  External Users to Shared Channels

Shared Channel owners have the ability to invite external users to join their channel. This allows external users to read and write messages. In the Microsoft Teams Admin Center, under teams policy, toggle “Invite external users to shared channels” to off. 

Figure 1: Microsoft Teams’ Teams Policy Configurations 

3. Limit Conversation Starters

Prevent unmanaged external Teams users from initiating conversations within your organization. In the Microsoft Teams External Access configurations, disable “External users with Teams accounts not managed by an organization can contact users in my organization.” By limiting who can start conversations, you reduce the likelihood of unauthorized access and communication.

Figure 2: Microsoft Teams External Access Configurations 

4. Use Defender for Teams
Organizations that use Microsoft Defender for Office 365 can activate the Safe Attachments for Office 365 in the global settings to prevent users from inadvertently sharing malicious files in OneDrive and SharePoint+OneDrive. Once activated, Safe Attachments prevent users from opening or downloading files that are identified as malicious. 

Figure 3: Microsoft Defender detects malware files 

5. Educate Staff

Raise awareness among staff about social engineering campaigns that use productivity apps like Microsoft Teams. Emphasize that phishing attacks can take various forms beyond traditional emails. Encourage a security-conscious mindset and provide ongoing training so employees recognize and report suspicious activities.

Conclusion

As the threat landscape continues to evolve, organizations must stay proactive in securing their communication SaaS platforms. By learning from recent phishing attacks and vulnerabilities, you can bolster your defenses against cyber threats. Implementing the recommended remediation measures will contribute to a more secure Microsoft Teams environment, safeguarding your organization and its sensitive data from malicious actors. Stay informed, stay vigilant, and prioritize SaaS security to ensure the resilience of your SaaS data.

About the writer

Hananel Livneh, Head of Product Marketing

Hananel Livneh is Head of Product Marketing at Adaptive Shield. He joined Adaptive Shield from Vdoo, an embedded cybersecurity company, where he was a Senior Product Analyst. Hananel completed an MBA with honors from the OUI, and has a BA from Hebrew University in Economics, Political science and Philosophy (PPE). Oh, and he loves mountain climbing.