A recently discovered and patched Microsoft Teams vulnerability could have allowed an attacker to take over the account of an end user, according to Tenable research released Monday. This would let the attacker access files in their OneDrive account, access their chat history as well as read and send emails on behalf of the victim.
Tenable originally disclosed the findings to Microsoft in late March, and the company later patched the vulnerability — no actual accounts were compromised. "The potential impact of the attack is dependent on the privileges of the victim," Evan Grant, staff research engineer at Tenable, who discovered the vulnerability, said via email. "For example, the higher level of privilege the victim has, the more attack surface a bad actor may have available to them when attacking the victim’s other Microsoft services."
- Microsoft Teams has nearly doubled in active users over the past year, with the company reporting 145 million daily active users as of late April 2021, the end of the company’s fiscal third quarter.
The discovery comes amid fierce competition between the business collaboration platforms, as millions of company employees and contractors continue to operate remote. Businesses are moving toward hybrid work models that involve working part-time in the office, a shift that has created extensive security challenges.
A default feature in Microsoft Teams allows users to launch applications as a tab, according to Tenable. Organizations that use Microsoft Teams or Office 365 that use a Business Basic license can Microsoft Power Apps within one of the tabs.
Content loaded in the Power Apps tabs had an "improperly anchored regular expression," which means the mechanism used to confirm that the content comes from a trusted source did not appear to work the way it was intended, according to Tenable researchers The validation mechanism would confirm that a URL began with "https://makepowerapps.com" but did not provide additional validation.
An attacker could therefore add a subdomain — for example, https://makepowerapps.com.fakecorp.ca — which then allows the attacker to load untrusted content, according to Tenable.
Tenable researchers discovered the flaw after they were exploring functionality in Microsoft Teams in search of potential bugs. The Microsoft Power Apps tabs caught their attention, Grant said.
Data from the FBI shows that business email compromise cost about $1.8 billion in 2020, a 5% increase from the prior year. BEC is on the rise and is expected to reach $5 billion in losses by 2023, according to a Garter spokesperson.
Microsoft has been working to combat BEC in recent months, noting that business email compromise is a top security concern of CISOs.
"We are aware of the report and can confirm an update was released in April," a spokesperson for Microsoft said via email.