Researchers have discovered more ways to abuse Microsoft Teams to steal Office 365 user credentials by spreading malware, a new report has claimed.
New Proofpoint findings have claimed hackers can abuse the Tabs feature, used to synchronize between Microsoft Teams and Calendar, and the Teams API, to deliver droppers, or phishing pages, to unsuspecting victims.
The Tabs feature providers Teams users with quick access to different tools, such as OneDrive. As the default tabs can’t be moved around, users can get used to different ones and use them without second-guessing their benign nature. However, there is a way to move the default tabs, which cybercriminals could use to swap the legitimate ones with malicious ones. In one such example, Proofpoint says, a “Website” tab could point towards a malicious landing page where victims could end up giving away their Office 365 credentials.
The Website tab can also be changed to point to a file, which would get automatically downloaded on click. Cybercriminals could abuse this functionality to deliver droppers, the researchers said.
Microsoft Teams meeting invites can also be weaponized - when a member creates an online meeting, the platform generates multiple links and sends to the invitees. With the help of Teams API calls, a threat actor would be able to swap the legitimate links for malicious ones.
Crooks can also go for a different approach, using Teams API or user interface to weaponize existing links in sent messages. In this scenario, the hyperlink that the victims receive wouldn’t change, just the URL behind it, making discovery even more difficult.
While the researchers are warning that these methods are dangerous, they stressed that in order to be effective, the attackers need to obtain a Teams account beforehand.
- These are the best firewalls right now