Researchers at Vectra stumbled across some genuinely troubling design flaws in Microsoft Teams. Essentially, Teams stores authentication tokens in plaintext, and those tokens can grant access to the O365 resources Teams integrates with, such as Skype, SharePoint, and Outlook. What’s worse, an attacker wouldn’t need elevated privileges to read them. This gives attackers the ability to access resources in those O365 apps just as the compromised user would, eavesdrop on conversations the user is part of, and masquerade as the user. It’s also likely that this access would survive password resets and bypass MFA. Given the difficulty organizations have in detecting phishes sent from compromised vendor/client mailboxes, it’s easy to imagine how quickly an attacker could social engineer their way through an organization while appearing to be an existing employee and leveraging these stolen credentials. From Microsoft’s perspective, this vulnerability isn’t going to be prioritized because it requires the attacker to have already established a foothold in the victim’s environment, but that happens regularly. Detecting the resulting lateral movement would prove difficult. Vectra recommends using the Teams web app rather than the fat client. If the fat client must be used, monitor the Teams configuration files/folders “leveldb” and “Cookies” for access from any process other than Teams.exe (details in the article).
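As an added illustration of that monitoring recommendation (not code from Vectra’s post), here is a small detection pass over constructed file-access events; the process images and target paths are assumed sample values, not paths taken from the article:

```python
import ntpath

# Constructed sample events in the shape of file-access telemetry (process image
# plus target file). Paths are assumed for the example, not from the article.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\000003.log"},
    {"image": r"C:\Program Files\7-Zip\7z.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]


def is_teams_token_store(path):
    """True when the path lies under a Teams folder and touches the
    "Cookies" or "leveldb" locations (case-insensitive component match)."""
    parts = [p.lower() for p in path.replace("/", "\\").split("\\") if p]
    if "teams" not in parts:
        return False
    return "cookies" in parts or "leveldb" in parts


def is_teams_process(image):
    """Name-only check; a production rule should also verify the signed
    publisher or expected install path so a renamed binary does not pass."""
    return ntpath.basename(image).lower() == "teams.exe"


def detect_token_store_access(events):
    """Return the events where a process other than Teams.exe read or wrote
    the Teams token stores; each one deserves a closer look."""
    return [e for e in events
            if is_teams_token_store(e["target"]) and not is_teams_process(e["image"])]


if __name__ == "__main__":
    for hit in detect_token_store_access(SAMPLE_EVENTS):
        print(f"ALERT: {hit['image']} accessed {hit['target']}")
```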
https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
