Microsoft Corp. recently patched a severe vulnerability in Microsoft Teams that could have allowed an attacker to gain access to a user’s account.

Discovered and publicized today byz researcher Evan Grant at Tenable Inc., the vulnerability related to a feature in Microsoft Teams that allows users to launch applications as a tab within any team they belong to.

The Power Apps tabs were found to be governed by an improperly anchored regular expression, specifically insufficient input validation. When the tabs were opened, the validation mechanism didn’t properly confirm that the content in the tab came from a trusted source.

The issue was a surprising one given its relative simplicity. When a tab was opened, the validation mechanism would only confirm the beginning of the URL, for example make.powerapps.com. As a result, attackers exploiting the vulnerability could, in theory, then create a subdomain on a domain they controlled, for example make.powerapps.fakecorp.ca or similar, allowing them to load untrusted content into a Power Apps tab.

“Successful exploitation of this flaw allows attackers to take control of any users that access the malicious tab,” Grant explained. “This includes reading the victim users’ group messages within Teams, accessing the users’ email and OneDrive storage and more.”

With this unhindered access to an employee’s email and the ability for an attacker to pretend to be an authentic, trusted employee, the vulnerability delivered comprehensive data for a business email compromise attack.

In a typical BEC attack, victims receive emails they believe are from a company they usually conduct business with, but this email requests that funds be sent to a new account or otherwise alters the standard payment practices.

The U.S. Federal Bureau of Investigation has issued multiple warnings about the risk of BEC attacks, noting in April 2020 that COVID-19 topics were being used in the attacks. In December, the FBI warned that cybercriminals were exploiting email forwarding to undertake BEC attacks.

Because the vulnerability was a server-side issue, Microsoft could fix it without any user action required. It’s not believed that the vulnerability was ever exploited in the wild before being patched.

Image: Microsoft