Microsoft Teams (MS Teams) is a popular conferencing platform for organizations using the Microsoft 365 service. It eases workplace-related matters by allowing you to chat, share files, and collaborate. Its API-friendly nature enables companies to broaden the scope of its usage. Many companies are subscribers of Microsoft 365, making MS Teams a sought-after product, giving tough competition to similar offerings like Slack, Google Meet, and Zoom. The tool currently has 250 million active users across the globe.
However, cybersecurity professionals discovered four distinct “Microsoft vulnerabilities” in MS Teams last year, generating concern among users and the cybersecurity community. The flaws provide attackers with free reign to leak IP addresses, mimic link previews, and even access the company’s internal services using Microsoft Teams. Researchers from Positive Security discovered the flaws through its bug bounty program in early 2021. The company’s co-founder, Fabian Bräunlein, reported the issues to Microsoft on March 10, and the enterprise has been trying to patch them ever since. Unfortunately, only one of four bugs have been fixed as of now.
Here’s where you can find the four Microsoft flaws.
Microsoft Vulnerability For Teams 1: Server-side request forgery (SSRF)
By exploiting this vulnerability, attackers may be able to obtain information from Microsoft’s local network. Bräunlein mentions his findings in a December 22 blog post. “I tested the /urlp/v1/url/info endpoint for Server-Side Request Forgery and was quite surprised to see that this obvious attack vector has not been protected against,” he writes. This vulnerability can be used for internal port scanning, enabling attacks to send packets to specific ports on a host and analyze the responses to identify details about its services or locate vulnerabilities. The attackers can also send HTTP-based exploits.
Microsoft Teams Vulnerability 2: URL Preview Spoofing
MS Teams has a minor feature wherein they show a link preview, and upon clicking it, any user would expect to be redirected to the exact address shown in the preview. Unfortunately, attackers can easily spoof this preview and set the preview link target to any location, regardless of the primary link, preview image, or description. This feature can be exploited to mislead users to malicious websites, potentially leading to a malware attack.
Microsoft Teams Vulnerability 3: IP Address Leak
This vulnerability is only found in MS Teams running on Android devices, and it revolves around link previews. According to Bräunlein, the software’s backend fetches the referenced preview thumbnail and makes it available from a Microsoft domain during the creation of link previews. An attacker can easily intercept this data transaction and use a specially crafted link preview. They can then point the thumbnail URL to a domain that does not belong to Microsoft. Android receivers do not check the domain to load the thumbnail, and the sender’s IP is exposed. This is the only vulnerability that has been addressed by Microsoft.
Microsoft Teams Vulnerability 4: Message of Death
This bug can cause a Denial of Service (DoS) to Android users. It’s also related to link preview spoofing. An attacker first sends a message to a Teams user (Android version) with a spoofed link preview; the link will take the user to another website than what is shown. If the link target is invalid, as in, say, is ‘asfh’ (or anything else) instead of “https://…” the app crashes once the user clicks on the preview. Hence, the attacker can DoS the Teams user with a single message.
The use of enterprise communication platforms has increased dramatically since the onset of the COVID-19 pandemic, as most businesses have embraced the remote working culture. This increases the severity of security flaws on these platforms, such as the one disclosed for MSTeams.
Here are some of the precautions that companies may take to avoid cyber-attacks caused by these Microsoft flaws.:
Use the most up-to-date version of Microsoft Teams and install official patches immediately.
Install the most recent firewall and antivirus updates to ensure that users are not immediately harmed by malware if they are directed to a fraudulent URL.
Before clicking on any links or previews, double-check them and then don’t click if anything seems wrong.
Stay updated on news and blog posts regarding the vulnerabilities.
Consult cybersecurity experts who can educate C-suites as well as employees on Microsoft vulnerabilities.These experts should be able to conduct a wide range of tests on the firm’s or network’s security systems, in order to determine whether your system has been compromised, as well as perform a variety of other checks.
Microsoft has acknowledged that the four flaws do not pose an immediate danger, but businesses utilizing MS Teams should always be on the lookout for any potential assaults that could come through the platform.