The Insecure State of Microsoft Teams Security

Microsoft Teams has quickly become the go-to application for remote work, with usage accelerating dramatically over the last year. Despite the inherent trust users place in it, hacking activity in Teams is apparent, and businesses that use Teams need to secure it against data loss and malicious files and links, protecting it much as they protect email.

Dark Reading Staff, Dark Reading

January 18, 2021

As firms and workers across the globe went remote, Microsoft Teams saw the bulk of growth for chat and collaboration.

The growth of Microsoft Teams has been exponential and stunning. Teams usage in December 2020 is estimated to be 115 million daily users, up from 32 million in early March 2020. After what appeared to be an early pandemic rivalry with Slack, Teams quickly became the de facto communication and collaboration app for anyone using Microsoft 365. According to an Avanan analysis, as of December 2020, only one in four users within an organization that has Microsoft 365 actually uses Teams on a daily basis, so our assumption is that most of the platform's adoption among Microsoft 365 customers is still ahead of it.

The success of Microsoft Teams has also made it a ripe target for hackers. In fact, as this year of explosive growth comes to an end, we've begun to see and learn how hackers are targeting this platform for data, personal and corporate information, and as a springboard for other attacks.

Avanan analyzed nearly 200 enterprise customers for two months. In doing so, we were able to uncover current hacking activities and trends in Teams, as well as assess the overall cybersecurity risk involved in using the service.

The first and perhaps most important thing to know about Microsoft Teams is that, by default, it is not protected:

  • With one click, sensitive information can be forwarded outside the organization, whether through user error, an insider threat or hackers who have compromised an account.

  • External members might be added to a channel, and team members may not realize that there are external members on that channel and share proprietary or confidential information.

  • Compromised partner accounts could be used by hackers to attack the organization's end users, while the organization has no control over the security of its partners.

  • Channels created by partners are not visible to the organization, via admin or API. Accordingly, the company cannot know what has been shared on these channels, and the data goes unaudited.

  • End users generally share anything in Teams, including sensitive information, because they assume that, unlike email, it is not monitored or archived.

Also, Microsoft Teams, by default, does not provide effective security against malicious content:

  • Links in the chat are not scanned at all.

  • Files are scanned, but not instantly and only for basic issues. That means that malware can sit in the chat for hours at a time.

As hackers discovered this, they've begun to target Teams. In general, they've taken advantage of two main things:

  • Starting from an email-compromised Microsoft 365 account. The same credentials that are used to log in to Microsoft email are used to log in to Teams. Hackers have spent years compromising Microsoft 365 accounts using traditional phishing methods. Once they have those credentials, they can, and will, walk right into Teams.

  • Leveraging the inherent trust end users put in Teams. There's no reason to think that someone isn't who they say they are. Users respond freely to messages, click links and download shared files without a second thought.

To combat this, an ideal solution for Teams will actively scan the content for malicious files and links, identifying them in real time and tombstoning them as necessary. Additionally, it should detect compromised accounts, insider threats and unsecured configurations to preempt potential compromise before a threat materializes.

Finally, the content should be scanned for sensitive information in messages or files, and once detected, that content should be quarantined, with the option to trigger a workflow to release it from quarantine. Once users know they are monitored, they generally change their behavior and act more responsibly.
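The content scanning described above, as an added example (not Avanan's or Microsoft's code): it runs over constructed chat messages, flags Luhn-valid card numbers with higher severity when the channel has external members, and queues links outside an allowlist for a reputation check. The domains, channel rosters, allowlist and finding labels are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample data (not real Teams output): channel rosters and messages.
HOME_DOMAIN = "contoso.example"             # assumption: the organization's domain
TRUSTED_LINK_DOMAINS = {"contoso.example"}  # assumption: hypothetical allowlist
CHANNELS = {
    "finance-internal": ["alice@contoso.example", "bob@contoso.example"],
    "project-x": ["alice@contoso.example", "pat@partner.example"],
}
MESSAGES = [
    {"id": 1, "channel": "project-x",
     "text": "Card for the deposit: 4111 1111 1111 1111"},
    {"id": 2, "channel": "project-x",
     "text": "Invoice here: http://files.partner-docs.example/inv.html"},
    {"id": 3, "channel": "finance-internal",
     "text": "Ref 1234 5678 9012 3456, see https://intranet.contoso.example/t"},
]
URL_RE = re.compile(r"https?://[^\s<>\"']+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that are not payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan(message, channels=CHANNELS):
    """Return findings for one message: DLP hits and links needing a verdict."""
    findings = []
    members = channels.get(message["channel"], [])
    external = [m for m in members if not m.lower().endswith("@" + HOME_DOMAIN)]
    for hit in CARD_RE.finditer(message["text"]):
        if luhn_ok(re.sub(r"\D", "", hit.group())):
            # Same data, higher severity when outsiders can read the channel.
            findings.append("card-number-external" if external else "card-number")
    for url in URL_RE.findall(message["text"]):
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS):
            findings.append("unvetted-link:" + host)
    return findings

def quarantine_queue(messages=MESSAGES):
    """Map message id -> findings for every message that should be held."""
    return {m["id"]: f for m in messages if (f := scan(m))}
```

Message 3 is not held: its 16-digit reference fails the Luhn check and its link points to the organization's own domain.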

In conclusion, business is being conducted on Microsoft Teams. Chat, video-conferencing, file sharing: it's all on Teams. While it was initially designed primarily for internal-to-internal communication, more and more organizations also use it for communication with their partners. As it continues to become a part of everyday life, hackers are finding more ways to infiltrate it. Accordingly, companies should scan Teams content for malicious links and files, data loss and insider threats.

The best way to think of this problem is to expand from email security to all lines of communication and adopt whole-of-business security, protecting every application where business is conducted.


About the Author:

Gil Friedrich

Gil Friedrich is the CEO and co-founder of Avanan, the Cloud Security Platform that helps organizations secure their SaaS email and collaboration suites and was named by Deloitte as the fastest growing email security company on the market. He brings almost 20 years of development and leadership experience to Avanan, including serving as ForeScout’s VP of R&D and VP of Technology. Gil holds a B.Sc in Physics and an M.Sc in Computer Science from Tel-Aviv University.

