SECURITY
SECURITY
SECURITY
Microsoft Teams vulnerability could have resulted in account compromise
Microsoft Corp. recently patched a severe vulnerability in Microsoft Teams that could have allowed an attacker to gain access to a user’s account.
Discovered and publicized today byz researcher Evan Grant at Tenable Inc., the vulnerability related to a feature in Microsoft Teams that allows users to launch applications as a tab within any team they belong to.
The Power Apps tabs were found to be governed by an improperly anchored regular expression, specifically insufficient input validation. When the tabs were opened, the validation mechanism didn’t properly confirm that the content in the tab came from a trusted source.
The issue was a surprising one given its relative simplicity. When a tab was opened, the validation mechanism would only confirm the beginning of the URL, for example make.powerapps.com. As a result, attackers exploiting the vulnerability could, in theory, then create a subdomain on a domain they controlled, for example make.powerapps.fakecorp.ca or similar, allowing them to load untrusted content into a Power Apps tab.
“Successful exploitation of this flaw allows attackers to take control of any users that access the malicious tab,” Grant explained. “This includes reading the victim users’ group messages within Teams, accessing the users’ email and OneDrive storage and more.”
With this unhindered access to an employee’s email and the ability for an attacker to pretend to be an authentic, trusted employee, the vulnerability delivered comprehensive data for a business email compromise attack.
In a typical BEC attack, victims receive emails they believe are from a company they usually conduct business with, but this email requests that funds be sent to a new account or otherwise alters the standard payment practices.
The U.S. Federal Bureau of Investigation has issued multiple warnings about the risk of BEC attacks, noting in April 2020 that COVID-19 topics were being used in the attacks. In December, the FBI warned that cybercriminals were exploiting email forwarding to undertake BEC attacks.
Because the vulnerability was a server-side issue, Microsoft could fix it without any user action required. It’s not believed that the vulnerability was ever exploited in the wild before being patched.
Image: Microsoft
A message from John Furrier, co-founder of SiliconANGLE:
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About SiliconANGLE Media
SiliconANGLE Media is a recognized leader in digital media innovation, uniting breakthrough technology, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — with flagship locations in Silicon Valley and the New York Stock Exchange — SiliconANGLE Media operates at the intersection of media, technology and AI.
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
