Skip to main content
close search
site logo
Dive Brief

Patched Microsoft Teams vulnerability shows the delicacy of messaging platforms

Published June 15, 2021
David Jones's headshot
Reporter
Raise hand feature for Microsoft Teams video calls. It's a visual cue for having something to say.
Courtesy of Microsoft

Dive Brief:

  • A recently discovered and patched Microsoft Teams vulnerability could have allowed an attacker to take over the account of an end user, according to Tenable research released Monday. This would let the attacker access files in their OneDrive account, access their chat history as well as read and send emails on behalf of the victim.

  • Tenable originally disclosed the findings to Microsoft in late March, and the company later patched the vulnerability — no actual accounts were compromised. "The potential impact of the attack is dependent on the privileges of the victim," Evan Grant, staff research engineer at Tenable, who discovered the vulnerability, said via email. "For example, the higher level of privilege the victim has, the more attack surface a bad actor may have available to them when attacking the victim’s other Microsoft services."

  • Microsoft Teams has nearly doubled in active users over the past year, with the company reporting 145 million daily active users as of late April 2021, the end of the company’s fiscal third quarter. 

Dive Insight: 

The discovery comes amid fierce competition between the business collaboration platforms, as millions of company employees and contractors continue to operate remote. Businesses are moving toward hybrid work models that involve working part-time in the office, a shift that has created extensive security challenges. 

A default feature in Microsoft Teams allows users to launch applications as a tab, according to Tenable. Organizations that use Microsoft Teams or Office 365 that use a Business Basic license can Microsoft Power Apps within one of the tabs.

Content loaded in the Power Apps tabs had an "improperly anchored regular expression," which means the mechanism used to confirm that the content comes from a trusted source did not appear to work the way it was intended, according to Tenable researchers The validation mechanism would confirm that a URL began with "https://makepowerapps.com" but did not provide additional validation.

An attacker could therefore add a subdomain — for example, https://makepowerapps.com.fakecorp.ca — which then allows the attacker to load untrusted content, according to Tenable. 

Tenable researchers discovered the flaw after they were exploring functionality in Microsoft Teams in search of potential bugs. The Microsoft Power Apps tabs caught their attention, Grant said.

Data from the FBI shows that business email compromise cost about $1.8 billion in 2020, a 5% increase from the prior year. BEC is on the rise and is expected to reach $5 billion in losses by 2023, according to a Garter spokesperson. 

Microsoft has been working to combat BEC in recent months, noting that business email compromise is a top security concern of CISOs. 

"We are aware of the report and can confirm an update was released in April," a spokesperson for Microsoft said via email. 

Filed Under: Vulnerability

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell