TechRadar
Sead Fadilpašić

Microsoft Teams guest access could let hackers bypass some critical security protections

  • Microsoft Teams guest chat feature creates unprotected attack vector for malware and phishing
  • Guests rely on host’s security, enabling malicious actors to bypass usual protections
  • Businesses advised to restrict external invites, disable chats, and train staff on phishing risks

A new feature recently added to Microsoft Teams has also introduced a “fundamental architectural gap” - a vulnerability that could be exploited to drop malware, share phishing links and more - all without triggering the usual security alarms, experts have warned.

Cybersecurity researchers at Ontinue found that the guest access feature in Microsoft Teams creates an unprotected attack vector.

The feature lets any Teams user start a new chat with anyone using only their email address. Even if the recipient doesn't use Teams, they receive an invite by email and can join the chat as a guest. By default, this feature is enabled for eligible licenses (SMB licenses such as Teams Essentials, Business Basic, Business Standard, etc.).

Bypassing security protocols

However, when someone joins another person's Teams environment as a guest, they do not bring their own security protocols with them; they are protected only by whatever security protocols the host has in place.

So, if the host is malicious and has no security protocols, they could share malicious files with guests without triggering any alarms. And since the communication happens outside the victim's own environment, the victim's own tooling won't notify them of any risk either.

In theory, a threat actor could impersonate someone, invite the victim for a Teams chat, and have them open a phishing link, or download malware. Since the invitation is sent by Microsoft’s own infrastructure, and the actual chat happens in Teams, the victim might lower their guard.

At the moment, Microsoft is keeping quiet about the issue and has yet to respond to media inquiries.

In the meantime, businesses are advised to limit external Teams invitations to trusted domains only, and control cross-tenant access.

Furthermore, they could disable external chats altogether, and should educate their employees about phishing attacks and unsolicited messages, regardless of the platform they arrive on.
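As an added illustration of the mitigations above (not code from the article, Ontinue or Microsoft), the following PowerShell session uses the MicrosoftTeams module's tenant-level external access settings to restrict federation to an explicit list of trusted domains and block chats with unmanaged accounts. It assumes "partner.example.com" is a placeholder for your own trusted domain, and note that the article does not name which specific setting governs the invite-by-email guest chat, so these are the controls an administrator would review rather than a confirmed fix.

```powershell
# Added example, not from the article. Requires the MicrosoftTeams module
# and a Teams administrator account.
# ASSUMPTION: "partner.example.com" is a placeholder for a real trusted domain.
# ASSUMPTION: the article does not state which setting controls the
# invite-by-email guest chat; these are the tenant-wide external access
# controls to review when limiting external invitations.
Connect-MicrosoftTeams

# Record the current external (federation) configuration before changing it.
Get-CsTenantFederationConfiguration

# Keep federation on, but only for an explicit allow list of trusted domains,
# and block chats with consumer (unmanaged) Teams accounts in both directions.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @("partner.example.com") `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# If external chat is not needed at all, turn off guest access in the
# Teams client configuration as well.
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $false

# Confirm the changes took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound
Get-CsTeamsClientConfiguration -Identity Global | Select-Object AllowGuestUser
```

Review the output of the final two commands against your change record, since tenant federation settings can take time to propagate to all users.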

Via The Hacker News
