10:00 AM
Dark Reading
Sponsored Article

The Insecure State of Microsoft Teams Security

Microsoft Teams has quickly become the go-to application for remote work, with usage accelerating dramatically over the last year. Despite the inherent trust users place in it, hacking activity in Teams is apparent, and businesses that use Teams need to secure it with DLP and protection against malicious files and links, much as they secure email.

As firms and workers across the globe went remote, Microsoft Teams saw the bulk of growth for chat and collaboration.

The growth of Microsoft Teams has been exponential and stunning. Teams usage in December 2020 is estimated to be 115 million daily users, growing from 32 million in early March 2020. After what appeared to be an early pandemic rivalry with Slack, Teams quickly became the de facto communication and collaboration app for anyone using Microsoft 365. According to an Avanan analysis, as of December 2020, only one in four users within an organization that has Microsoft 365 will actually use Teams on a daily basis, and we therefore assume that most of the platform's adoption among Microsoft 365 customers is still ahead of it.

The success of Microsoft Teams has also made it a ripe target for hackers. In fact, as this year of explosive growth comes to an end, we've begun to see and learn how hackers are targeting this platform for data, personal and corporate information, and as a jumping-off point for other attacks.

Avanan analyzed nearly 200 enterprise customers for two months. In doing so, we were able to uncover current hacking activities and trends in Teams, as well as assess the overall cybersecurity risk involved in using the service.

The first and perhaps most important thing to know about Microsoft Teams is that, by default, it is not protected:

  • With one click, sensitive information can be forwarded outside the organization, whether by user error, an insider threat or hackers who have compromised an account.
  • External members might be added to a channel, and team members may not realize that there are external members on that channel and share proprietary or confidential information.
  • Compromised partner accounts could be used by hackers to attack the organization's end users, while the organization has no control over the security of its partner.
  • The organization has no visibility into channels created by partners, via admin or API. Accordingly, the company cannot know what has been shared on these channels and the data goes unaudited.
  • End users generally share anything in Teams, including sensitive information, because they assume that, unlike email, it is not monitored or archived.
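
One way to surface the external members described in the list above, as an added example that is not part of the original article: it classifies channel membership records shaped like Microsoft Graph `aadUserConversationMember` objects (`roles`, `tenantId`, `email`). The home tenant ID, channel labels and member data are constructed placeholders, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed placeholder for the organization's own tenant ID (assumption).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"

# Constructed sample: channel label -> member records with the fields
# Microsoft Graph returns for aadUserConversationMember.
SAMPLE = json.loads("""
{
  "Finance / General": [
    {"email": "alice@contoso.example", "roles": ["owner"], "tenantId": "%(home)s"},
    {"email": "bob@fabrikam.example", "roles": ["guest"], "tenantId": "%(home)s"}
  ],
  "Partner Project / Shared": [
    {"email": "carol@contoso.example", "roles": [], "tenantId": "%(home)s"},
    {"email": "dave@partner.example", "roles": [], "tenantId": "%(other)s"},
    {"displayName": "Unknown Member", "roles": []}
  ],
  "HR / General": [
    {"email": "erin@contoso.example", "roles": ["owner"], "tenantId": "%(home)s"}
  ]
}
""" % {"home": HOME_TENANT, "other": OTHER_TENANT})

def classify(member, home_tenant):
    """Return why a member counts as external, or None for an internal user."""
    roles = {r.lower() for r in member.get("roles") or []}
    tenant = member.get("tenantId")
    if not tenant:
        return "unknown-tenant"      # missing data: review by hand, never assume internal
    if tenant.lower() != home_tenant.lower():
        return "external-tenant"     # member homed in another organization
    if "guest" in roles:
        return "guest"               # guest account invited into the home tenant
    return None

def audit(channels, home_tenant=HOME_TENANT):
    """Map each channel to its (identity, reason) findings; clean channels are omitted."""
    findings = defaultdict(list)
    for channel, members in channels.items():
        for m in members:
            reason = classify(m, home_tenant)
            if reason:
                who = m.get("email") or m.get("displayName") or "<unnamed>"
                findings[channel].append((who, reason))
    return dict(findings)

if __name__ == "__main__":
    for channel, hits in audit(SAMPLE).items():
        print(channel, "->", hits)
```
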

Also, Microsoft Teams, by default, does not provide effective security for malicious content:

  • Links in the chat are not scanned at all.
  • Files are scanned, but not instantly and only for basic issues. That means that malware can sit in the chat for hours at a time.

As hackers discovered this, they've begun to target Teams. In general, they've taken advantage of two main things:

  • Starting from an email-compromised Microsoft 365 account. The same credentials that are used to log in to Microsoft email are used to log in to Teams. Hackers have spent years compromising Microsoft 365 accounts using traditional phishing methods. Once they have those credentials, they can, and will, walk right into Teams.
  • Leveraging the inherent trust end users put in Teams. There's no reason to think that someone isn't who they say they are. Users respond freely to messages, click links and download shared files without a second thought.

To combat this, an ideal solution for Teams will actively scan the content for malicious files and links, identifying them in real time and tombstoning them as necessary. Additionally, it should detect compromised accounts, insider threats and unsecured configurations to preempt potential compromise before a threat materializes.

Finally, the content should be scanned for sensitive information, messages or files, and once detected that content should be quarantined with the option to trigger a workflow to release from quarantine. Once users know they are monitored, they generally change their behavior and act more responsibly.

In conclusion, business is being conducted on Microsoft Teams. Chat, video-conferencing, file sharing: it's all on Teams. While it was initially designed primarily for internal-to-internal communication, more and more organizations also use it for communication with their partners. As it continues to become a part of everyday life, hackers are finding more ways to infiltrate it. Accordingly, companies should scan Teams content for malicious links and files, DLP violations and insider threats.

The best way to think of this problem is to expand from email security to all lines of communication and adopt whole-of-business security, protecting every application where business is conducted.


About the Author:

Gil Friedrich

Gil Friedrich is the CEO and co-founder of Avanan, the Cloud Security Platform, that helps organizations secure their SaaS email and collaboration suites, and was named by Deloitte as the fastest growing email security company on the market. He brings almost 20 years of development and leadership experience to Avanan, including serving as ForeScout’s VP of R&D and VP of Technology. Gil holds a B.Sc in Physics and an M.Sc in Computer Science from Tel-Aviv University.


1/29/2021 | 1:50:36 PM
MS Teams Security - Suggestions
Do you have suggestions for tools that can be used to address these concerns?

Thank you, 