Attackers who gain initial access to a victim's network now have another method of expanding their reach: using access tokens from other Microsoft Teams users to impersonate those employees and exploit their trust.

That's according to security firm Vectra, which stated in an advisory on Sept. 13 that Microsoft Teams stores authentication tokens unencrypted, allowing any user to access the secrets file without the need for special permissions. According to the firm, an attacker with local or remote system access can steal the credentials for any currently online users and impersonate them, even when they are offline, and impersonate the user through any associated feature, such as Skype, and bypass multifactor authentication (MFA).

The weakness gives attackers the ability to move through a company’s network much more easily, says Connor Peoples, security architect at Vectra, a San Jose, Calif.-based cybersecurity firm.

"This enables multiple forms of attacks including data tampering, spear-phishing, identity compromise, and could lead to business interruption with the right social engineering applied to the access," he says, noting that attackers can "tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks."

Vectra discovered the issue when the company's researchers examined Microsoft Teams on behalf of a client, looking for ways to delete users who are inactive, an action that Teams does not typically allow. Instead, the researchers found that a file that stored access tokens in cleartext, which gave them the ability to connect to Skype and Outlook through their APIs. Because Microsoft Teams brings together a variety of services — including those applications, SharePoint and others — that the software requires tokens to gain access, Vectra stated in the advisory.

With the tokens, an attacker can not only gain access to any service as a currently online user, but also bypass MFA because the existence of a valid token typically means the user has provided a second factor.

In the end, the attack does not require special permissions or advanced malware to grant attackers enough access to cause internal difficulties for a targeted company, the advisory stated.

"With enough compromised machines, attackers can orchestrate communications within an organization," the company stated in the advisory. "Assuming full control of critical seats — like a company’s head of engineering, CEO, or CFO — attackers can convince users to perform tasks damaging to the organization. How do you practice phish testing for this?"

Microsoft: No Patch Necessary

Microsoft acknowledged the issues but said the fact that the attacker needs to have already compromised a system on the target network reduced the threat posed, and opted not to patch.

"The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network," a Microsoft spokesperson said in a statement sent to Dark Reading. "We appreciate Vectra Protect's partnership in identifying and responsibly disclosing this issue and will consider addressing in a future product release."

In 2019, the Open Web Application Security Project (OWASP) released a top 10 list of API security issues. The current issue could be considered either Broken User Authentication or a Security Misconfiguration, the second and seventh ranked issues on the list.

"I view this vulnerability as another means for lateral movement primarily — essentially another avenue for a Mimikatz-type tool," says John Bambenek, principal threat hunter at Netenrich, a security operations and analytics service provider.

A key reason for the existence of the security weakness is that Microsoft Teams is based on the Electron application framework, which allows companies to create software based on JavaScript, HTML, and CSS. As the company moves away from that platform, it will be able to eliminate the vulnerability, Vectra's Peoples says.

"Microsoft is making a strong effort to move toward Progressive Web Apps, which would mitigate many of the concerns currently brought by Electron," he says. "Rather than rearchitect the Electron app, my assumption is they are devoting more resources into the future state."

Vectra recommends the companies use the browser-based version of Microsoft Teams, which has enough security controls to prevent exploitation of the issues. Customers who need to use the desktop application should "watch key application files for access by any processes other than the official Teams application," Vectra stated in the advisory.