According to a recent report by Proofpoint, cybersecurity researchers have identified additional techniques for abusing Microsoft Teams to steal user credentials and distribute malware. The study reveals that hackers can exploit the Tabs feature, which enables synchronization between Microsoft Teams and Calendar, as well as the Teams API, to deliver phishing pages and droppers to unsuspecting victims.
The Tabs feature in Microsoft Teams provides users with convenient access to various tools, including OneDrive. As default tabs cannot be rearranged, users may grow accustomed to their presence and use them without suspicion. However, cybercriminals can manipulate the default tabs by substituting legitimate ones with malicious ones. For instance, a seemingly harmless “Website” tab could redirect users to a malicious landing page where their Office 365 credentials could be compromised.
In addition to manipulating tabs, hackers can also modify the functionality of the Website tab to prompt automatic downloads of malicious files upon clicking. This presents an opportunity for cybercriminals to deliver droppers, which can serve as vehicles for malware distribution.
Furthermore, Microsoft Teams meeting invites can be weaponized by threat actors. When creating an online meeting, the platform generates multiple links that are sent to invitees. By exploiting Teams API calls, attackers can replace these legitimate links with malicious ones, potentially leading users to compromised websites.
Alternatively, attackers can manipulate existing links within sent messages using the Teams API or user interface. In this case, the hyperlink displayed to victims remains unchanged, making it more challenging to detect the malicious URL behind it.
While these methods pose significant risks, the researchers emphasize that attackers must gain access to a Teams account beforehand for the attacks to be effective.
Organizations and users are advised to remain vigilant, exercise caution when interacting with Teams tabs, and regularly update their security measures to protect against evolving threats in the Microsoft Teams environment.
