

Microsoft Corp. recently patched a severe vulnerability in Microsoft Teams that could have allowed an attacker to gain access to a user’s account.
Discovered and publicized today by researcher Evan Grant at Tenable Inc., the vulnerability related to a feature in Microsoft Teams that allows users to launch applications as a tab within any team they belong to.
The Power Apps tabs were found to be governed by an improperly anchored regular expression, a case of insufficient input validation. When the tabs were opened, the validation mechanism didn’t properly confirm that the content in the tab came from a trusted source.
The issue was a surprising one given its relative simplicity. When a tab was opened, the validation mechanism would only confirm the beginning of the URL, for example make.powerapps.com. As a result, attackers exploiting the vulnerability could, in theory, then create a subdomain on a domain they controlled, for example make.powerapps.fakecorp.ca or similar, allowing them to load untrusted content into a Power Apps tab.
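The prefix-only check described above can be set beside an exact host comparison. This is an added example, not Microsoft's or Tenable's code: the regular expression, function names and sample URLs are constructed for illustration.

```javascript
// Added illustration: the pattern, trusted host and sample URLs are constructed,
// not Microsoft's actual validation code.
const TRUSTED_HOST = "make.powerapps.com";

// Weak check: the regex is anchored at the start (^) but not at the end of
// the host, so any characters may follow the trusted prefix.
const PREFIX_ONLY = /^https:\/\/make\.powerapps\.com/;

function isTrustedWeak(url) {
  return PREFIX_ONLY.test(url);
}

// Hardened check: parse the URL, then compare scheme and host exactly.
function isTrustedStrict(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // not a parseable absolute URL
  }
  return (
    parsed.protocol === "https:" &&
    parsed.hostname === TRUSTED_HOST &&
    parsed.port === "" &&
    parsed.username === "" &&
    parsed.password === ""
  );
}

// Constructed sample inputs: one genuine URL and three that must be rejected.
const SAMPLE_URLS = [
  "https://make.powerapps.com/apps/demo",
  "https://make.powerapps.com.fakecorp.ca/apps/demo",
  "https://make.powerapps.com@fakecorp.ca/apps/demo",
  "http://make.powerapps.com/apps/demo",
];

// Run both checks over each URL so the disagreements are visible side by side.
function compare(urls) {
  return urls.map((url) => ({
    url,
    weak: isTrustedWeak(url),
    strict: isTrustedStrict(url),
  }));
}

for (const row of compare(SAMPLE_URLS)) {
  console.log(`${row.url}  weak=${row.weak}  strict=${row.strict}`);
}
```

Any row where the two checks disagree is a URL that the prefix match would have treated as trusted even though its host is not the trusted one.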
“Successful exploitation of this flaw allows attackers to take control of any users that access the malicious tab,” Grant explained. “This includes reading the victim users’ group messages within Teams, accessing the users’ email and OneDrive storage and more.”
With this unhindered access to an employee’s email and the ability for an attacker to pretend to be an authentic, trusted employee, the vulnerability delivered comprehensive data for a business email compromise attack.
In a typical BEC attack, victims receive emails they believe are from a company they usually conduct business with, but this email requests that funds be sent to a new account or otherwise alters the standard payment practices.
The U.S. Federal Bureau of Investigation has issued multiple warnings about the risk of BEC attacks, noting in April 2020 that COVID-19 topics were being used in the attacks. In December, the FBI warned that cybercriminals were exploiting email forwarding to undertake BEC attacks.
Because the vulnerability was a server-side issue, Microsoft could fix it without any user action required. It’s not believed that the vulnerability was ever exploited in the wild before being patched.