Microsoft Teams: Very Bad Tabs Could Have Led to BEC


Level 74
Content Creator
Malware Hunter
Aug 17, 2014
Attackers could have stepped through a yawning security hole in the Microsoft Teams chat service that would have let them masquerade as a targeted company’s employee, by reading and sending email on their behalf.

On Monday, Tenable’s Evan Grant explained in a post that he found the bug in Microsoft Power Apps: A platform for low-code/no-code rapid app development.

Exploitation would require a lot of moving parts. But the bug is a simple one, having to do with insufficient input validation, and it packs a nasty punch. Grant said that the vulnerability could have been leveraged to establish persistent read/write access to a victim’s Microsoft bubble, including email, Teams chats, OneDrive, Sharepoint and a variety of other services.

Such attacks could be carried out via a malicious Microsoft Teams tab and Power Automate flows, Grant explained. Microsoft has since fixed the bug, but Grant’s post analyzed how it might have been exploited.

Grant set up a hypothetical scenario in which an attacker – whom he called baduser(at), a member of the organization – can create a malicious Teams tab and use it to “eventually steal emails, Teams messages and files from gooduser(at), and send emails and messages on their behalf.”

It would be a “fairly serious” attack, Grant said, given that unbridled access to employees’ emails and the ability to put on the guise of authentic, trusted employees is exactly what fuels business email compromise (BEC), for one.

In a BEC attack, a scammer impersonates a company executive or other trusted party and tries to trick an employee responsible for payments or other financial transactions into wiring money to a bogus account. Attackers usually conduct a fair amount of recon work, studying executive styles and uncovering the organization’s vendors, billing system practices and other information to help mount a convincing attack.