A vulnerability in Microsoft Teams could allow a malicious actor to steal sensitive data and access a victim’s communications, researchers have warned.
The bug, which has now been patched, allowed an attacker to steal a victim’s emails, Teams messages, and OneDrive files, as well as send emails and messages on their behalf.
It was discovered by Evan Grant, staff research engineer at Tenable, who detailed the security issue in a blog post released today (June 15).
The attack relies on a vulnerability in the Microsoft Power Apps tab. Microsoft Teams has a default feature that allows a user to launch small applications (or applets) as a tab in any team they are part of.
If that user is part of an Office 365/Teams organization with a Business Basic license or above, they also have access to a set of Teams tabs which consist of Microsoft Power Apps applications, the blog post explains.
In an unpatched version of Teams, an actor could set up a malicious tab which, when opened by the victim, would allow them access to their private documents and communications.
“Furthermore, the attacker could disguise themselves as the victim and send emails and messages on their behalf, potentially allowing them to conduct further social engineering attacks within the organization,” added Grant.
“Despite the simplicity of the bug, the attack itself is fairly complicated and requires a working knowledge of the Microsoft Power Apps and Power Automation features.”
However, Grant pointed out, the malicious actor would have to be a member of the Microsoft Teams organization that they are attacking, meaning it would only work in the context of an insider threat attack.
More technical details about the bug and a proof of concept can be found in the blog post.
Microsoft Teams users are urged to update to the latest version of the software to protect against vulnerabilities.
Implementing the correct security measures for the technical landscape of your organisation has the power to revolutionise the way your organisation works. We can implement and maintain your security measures and look for better ways to defend your system. Our success can be attributed to one thing: TRUST. Ever since our very first year in business, our clients have been happy to recommend us to other businesses, and we have grown steadily as a result of these recommendations. We can help you to truly get the most from your IT in the most secure way possible. Don’t hesitate – contact us now!
Book a no-obligation discovery call with a member of our team today by calling 0207 993 9035 or firstname.lastname@example.org