The threat would have been an easy ‘in’ for attackers, along with extended access to emails, messages, and personal files, researchers say. Microsoft recently patched a security flaw found in its team collaboration app, Microsoft Teams. According to a blog post by the research firm Tenable, the vulnerability in Microsoft Teams would have enabled attackers to obtain sensitive data and gain access to private Microsoft Teams communications.
The team collaboration app has skyrocketed in usage, as trends like remote and home working show no sign of slowing down. As of April 2021, Microsoft Teams has over 145 million daily active users, a number that has grown steadily throughout the pandemic.
Tenable Research Staff Engineer Evan Grant, who sounded the alarm in the post, prompted the Washington State-based tech firm to patch the security flaw back in April. As reports of the incident are starting to surface, we want to bring the details to light.
The threat could have extended access to emails, Microsoft Teams messages, and OneDrive files. It could also have let attackers send emails and messages from hijacked Microsoft Teams accounts.
What is the big deal if the problem got fixed?
Microsoft has long touted the might of Microsoft Power Apps, available by default, which lets users launch apps as a tab in any team they belong to within the Microsoft Teams collaboration app. Yet this latest exposure highlights the kind of threats that exist for Office 365/Teams users, who gain access to Power Apps with a Business Basic license or above.
The low/no-code platform, designed for rapid app development, gives users access to a set of Teams tabs made up of Microsoft Power Apps applications. That is where the possibility of intrusion comes in: it relies on exploiting a vulnerability in the Microsoft Power Apps tab. This is not the first threat found, nor will it be the last, which brings me to another point. This is concerning, and experts tend to agree. In that same blog post, Grant wrote:
“Such a small initial bug (the improper validation of the make.powerapps.com domain) could get traded up until an attacker exfiltrates emails, Teams messages, OneDrive, and SharePoint files. This is (definitely) concerning.”
He further noted that even a ‘small’ bug in a less common service like Microsoft Power Apps could very well lead to the compromise of many other services. “This could happen by way of token bundles and first-party logins for connectors,” Grant concluded, meaning that a seemingly trivial threat might lead to a far-reaching outcome.
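The page says only that the initial bug was improper validation of the make.powerapps.com domain, not how the check was wrong. As an added illustration (not Tenable's or Microsoft's code), the Python below contrasts two hypothetical lax host checks with a strict one, using constructed lookalike URLs; the function names, the sample URLs and the lax checks are assumptions, not the actual flaw.

```python
from urllib.parse import urlsplit

# Host that Power Apps content is expected to come from (named on the page).
ALLOWED_HOST = "make.powerapps.com"


def lax_substring_check(url: str) -> bool:
    """Hypothetical lax check: accepts any URL that merely contains the host string."""
    return ALLOWED_HOST in url


def lax_prefix_check(url: str) -> bool:
    """Hypothetical lax check: only looks at the start of the authority part."""
    return urlsplit(url).netloc.startswith(ALLOWED_HOST)


def strict_origin_check(url: str) -> bool:
    """Hardened check: require https, no userinfo, and an exact host match.

    Comparing the parsed hostname (not the raw string) means ports, paths,
    query strings and user@ tricks cannot influence the result."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host == ALLOWED_HOST


# Constructed sample URLs (assumed, not from the research): one legitimate,
# the rest lookalikes that a lax check would wrongly accept.
SAMPLES = {
    "https://make.powerapps.com/environments/x": True,
    "https://make.powerapps.com.attacker.example/": False,      # suffix lookalike
    "https://make.powerapps.com@attacker.example/": False,      # userinfo trick
    "https://attacker.example/?ref=make.powerapps.com": False,  # host string in query
    "http://make.powerapps.com/": False,                        # plain http
}


def evaluate(check) -> dict:
    """Return {url: (verdict, verdict_was_correct)} for a given check function."""
    return {u: (check(u), check(u) == expected) for u, expected in SAMPLES.items()}


def wrong_verdicts(check) -> int:
    """Number of sample URLs the check classifies incorrectly."""
    return sum(1 for _, ok in evaluate(check).values() if not ok)
```

Only the strict check classifies every sample correctly; each lax variant accepts at least one lookalike.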
An expert take
Researchers did, however, point out that any potential bad actor would have to be a member of the Microsoft Teams organization they wanted to infiltrate. I reached out to Mattias Holmberg, Product Manager at Soluno, who told GetVoIP News in a recent interview:
“Even though it would have required an elaborate process to take advantage of the vulnerability, the actual cause is a glaring oversight, something that raises the question: Were corners cut to keep up with demand?”
Soluno BC has a strong partnership with Microsoft Teams, and back in 2019 the Swedish UCaaS provider launched a new MS Teams integration, news I covered at the time. It combines PBX functionality with the collaboration might of Microsoft Teams. He said that Soluno’s integration, “Teams Telephony,” extends the most common PBX functionality directly into the Teams interface.
“Here you can call both internal and external contacts, and see presence and line state. You can even select your caller ID, send texts, log in/out of ADC groups, and listen to voice mails.” After all, the whole point of Microsoft Teams is to make the workday easier and more efficient for end-users, not the opposite.
Holmberg’s advice to IT professionals and those managing tech stacks? He recommends that companies make use of the app permission policies in Teams to ensure that only trusted and verified applications get installed by users.
Social engineering attacks on the rise
The number of social engineering attacks is on the rise, and that comes with its own set of implications. For starters, there is the potential for direct financial loss, recovery costs, lost productivity, disruption of business, and reputation management.
This adds up to pretty hefty dough, according to the Federal Bureau of Investigation’s Internet Crime Complaint Center, which recently released its annual report. The 2020 Internet Crime Report counts 791,790 complaints of suspected internet crime, an increase of more than 300,000 complaints over 2019.
In total, losses exceeded $4.2 billion in 2020, with the top three crimes reported by victims in 2020 being phishing scams, non-payment/non-delivery scams, and extortion. Notably, the report attributes most of that figure to a rise in business email compromise scams.
The FBI’s report also highlights that 2020 brought a wave of fresh scams capitalizing on the COVID-19 pandemic, with more than 28,500 new complaints related to COVID-19 received. Fraudsters did not discriminate, targeting both businesses and individuals, the report found.
Update: At 2:00 AM EST, a Microsoft spokesperson sent us a comment regarding the MS Teams exposure: “We are aware of the report and can confirm an update was released in April.”