Microsoft Teams’ New Feature Sparks Security ConcernsTeams Update Potentially Opens Avenues for Phishing Attacks
A new feature on Microsoft 365 allows Teams users to chat with team members who are outside their work network and is enabled by default, sparking concerns among cybersecurity professionals, some of whom took to Twitter to express their reservations.
According to the Microsoft 365 product page, the updates are currently in development and are being tested. The company also says it has started rolling out these updates to users, but they are not yet available to all applicable users.
Microsoft says the new update is expanding external access capabilities to allow Teams users to invite an individual to a one-on-one or group chat using the invitee's email address or phone number without having to leave their organization's security perimeter and company guidelines.
Frank McGovern, cybersecurity architect at financial services firm StoneX Group Inc. and cybersecurity adviser to Marine Corps Cyber Auxiliary, tells Information Security Media Group that the new feature enables anyone with a personal Teams account to message any employee in an organization by knowing their email ID or phone number.
McGovern says that many organizations have robust email protection measures to provide defense-in-depth approaches to malicious emails. "Teams now opens up and it is likely that organizations don’t have good protections set up yet for someone coming through that avenue. That’s why it’s a higher risk concern," he says.
In wake of the update, security experts ISMG spoke with say that allowing employees to message contacts not managed by the organization and leaving a gateway open for them to message back opens up avenues for threat actors to attack organizations.
How Teams Update Opens Avenues for Phishing Attacks
Reacting to the Teams update, Patrick C. Miller, CEO of Portland-based Ampere Industrial Security and founder, director and president of the Energy Sector Security Consortium, tells ISMG that phishing and data leakage are his immediate concerns.
"I do think the concerns are legit. Most think Teams is a tool used within the company. It’s always been that way and it isn’t something most users experience outside of their corporate lives. It has that 'feel,'" Miller says.
That sense of security, he points out, leads many users to believe that anyone contacting them on Teams is part of the organization they works in and causes a default state of "overtrust."
Zurich-based information security researcher Marc Reuf, who's also the lead architect of popular vulnerability database VulDB, shares Miller's concerns around phishing attacks. "I’d say that there is an increased risk of social engineering and impersonation attacks. Users might think their contacts are legit and it is safe to communicate with them. They might overlook the risk of 'global' activities," he tells ISMG.
Although organizations have security measures in place to protect employees from malicious or phishing emails, McGovern says the added feature is a new avenue for attackers to communicate directly with employees in an organization. "Why open a new unnecessary avenue so Joe can talk to his brother on corporate Teams?" he says in a tweet.
The admin control for Teams has two options, McGovern says. One is a toggle switch, and the other is a checkbox. The toggle control enables employees of an organization to contact people outside with their personal Teams accounts. The outbound traffic, he says, poses a low risk. But the checkbox determines if external users can contact the organization's employees on Teams. This inbound traffic, McGovern says, poses a higher risk.
Alexandre Blanc, strategic and security advisor at Montreal-based VARS Corp., tells ISMG that CISOs must ensure that the openness of the chat and exchange between employees and individuals outside the organization is well controlled with tight data loss prevention, or DLP, settings and permissions that are highly restricted by default.
While organizations have threat detection mechanisms in place and Windows Defender to protect users, Blanc says they will need to use stronger DLP measures, such as Bitglass or an equivalent next-gen cloud access security broker, or CASB, technology.
Cloudrun Ltd., a UK-based IT services firm, posted on its blog about security concerns around targeted cyberattacks and spam. It says the new update could potentially open Teams to data loss and spam from external users, and so organizations might want to disable the feature.
Security commentator John Hatwick called out Microsoft's practice of opting people into features that are insecure or cause noticeable disruption.
Microsoft has yet to respond to ISMG's queries on the threats highlighted by security experts.
The new feature of permitting communication with those outside of the organization is enabled by default. According to Microsoft's guide for Teams, the admin user can check if the setting is enabled on Teams Admin and change the setting to "off."