I keep seeing reports of Teams security issues. What’s the deal?

Microsoft Teams isn't normally at the center of cybersecurity reporting, but over the last week there has been a plethora of reports about attacks on Microsoft Teams users that arrive as files shared in chat. This story has been covered by PCMag, SonicWall, Yahoo, Security Week, and a number of other places, and has popped up on my social feed several times.

So, what is going on?

All of these stories originated from a report by security company Avanan. The report says that, following some form of account compromise, Avanan has seen malicious executable files shared in Teams chat or channel messages, which then go on to compromise the systems that receive the files.

The report from Avanan lacks specifics and the examples they include neither show Microsoft Teams in use, nor a currently supported operating system (the example video just shows an application being installed on Windows 7). As a basic lesson though, the message is clear - files from the internet, even if wrapped in the friendly and familiar Microsoft Teams, can be a security issue.

What issues does the report raise?

The report indicates that the issue arises when another Teams account that a user is interacting with has been compromised.

In a cloud context, identity is our perimeter, so protecting accounts with proper authentication is essential. However, thinking specifically about Teams, there are some issues to consider.

Teams provides a rich fabric from which to collaborate with those outside your organization. There are two different modes for this - external access and guests. Both of these options are turned on by default but can be disabled from the Teams Admin Center.

External access allows your users to contact other Teams users in other tenants, providing chat and calling capabilities. However, outside of pasting links, file sharing is not enabled here. This just allows communication between tenants, so does not allow you to apply any additional authentication protocols to the external user, but you can turn it off entirely.

Guest access allows you to add external users to a Teams Team. Those guests then behave like any other user of that Team. From an Azure Active Directory perspective, the guest user becomes a guest account in your tenant, so whatever authentication requirements you have for those users (for example, MFA requirements and conditional access) will apply to this guest's access. So even if the external tenant is not applying recommended settings to prevent account compromise, your settings for guest accounts will apply to these users. You can choose to turn off guest access or limit it in certain ways (though limiting file sharing does not appear to be an option available).

Previously, Teams has been the target of phishing campaigns that use email messages appearing to be from Teams to steal account credentials. However, with external access available, the question arises as to whether other forms of account spoofing, similar to what we see with email, might be of concern.

From what we know, it seems the most important security mitigation is, and continues to be, the enablement of multi-factor authentication (MFA). This provides extra depth of defense in ensuring your own users' accounts are not compromised, but also provides additional resiliency in the event of you providing guest access to external users. There is no good excuse for failing to use this simple and incredibly powerful defense everywhere it is available.

Are the security provisions existing in Teams inadequate?

The Avanan report specifically states that "default Teams protections are lacking". This is both true and not true, depending on what you are trying to protect against and what you mean by default.

It is surprising that Teams does not offer any sort of blocking or notification on sharing or receiving an executable file. It seems that in most cases it would not be necessary to share executable files in Teams, but there is no way to directly turn off this capability. The only available setting that influences this is to limit what file types can be synced, but syncing limitations have no impact on upload limitations. However, executables certainly do not run directly from within Teams; they must be downloaded, and from that point they are treated like any other similar file on a system.

From this perspective, what Teams does or does not allow you to do with a file is less relevant than the other endpoint protection precautions you have set up for downloads, USB thumb drives, etc. The Avanan example does not show any altered behavior in Teams due to the attack. However, the point is well made that users may feel Teams is safer than other file sources and might try more risky behavior. In this case, the identity protections highlighted above should be seen as the easiest win in starting to mitigate these concerns, and beyond this our security posture should not rely on the good behavior of our users.
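Because Teams itself will not block or flag an executable upload, one compensating control is to look for those uploads in exported audit records. This Python is an added example, not code from the original article, Microsoft, or Avanan; the export shape (one JSON record per line with `Operation`, `UserId`, `SourceFileName`, `SourceRelativeUrl`), the extension lists, and every sample event are assumptions constructed for illustration.

```python
import json
from pathlib import PurePosixPath

# Illustrative lists (assumptions): types that run on a Windows endpoint, and
# document types commonly used as a decoy first extension.
RISKY_EXT = {"exe", "scr", "msi", "bat", "cmd", "ps1", "vbs", "js", "hta", "lnk"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
CHAT_FOLDER = "Microsoft Teams Chat Files"  # OneDrive folder backing Teams chat shares

# Constructed sample: one JSON audit record per line, plus one truncated line.
SAMPLE = """
{"CreationTime":"2022-02-21T09:02:11","Operation":"FileUploaded","UserId":"alex@contoso.example","SourceFileName":"Q1 report.docx","SourceRelativeUrl":"Documents/Microsoft Teams Chat Files"}
{"CreationTime":"2022-02-21T09:14:40","Operation":"FileUploaded","UserId":"sam@contoso.example","SourceFileName":"invoice.pdf.exe","SourceRelativeUrl":"Documents/Microsoft Teams Chat Files"}
{"CreationTime":"2022-02-21T09:31:05","Operation":"FileUploaded","UserId":"pat_fabrikam.example#EXT#@contoso.example","SourceFileName":"setup.msi","SourceRelativeUrl":"Shared Documents/General"}
{"CreationTime":"2022-02-21T09:33:52","Operation":"FileDownloaded","UserId":"alex@contoso.example","SourceFileName":"tool.exe","SourceRelativeUrl":"Shared Documents/General"}
{"CreationTime":"2022-02-21T09:40:
"""


def extensions(name):
    """Lower-cased suffixes of a file name: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    return [s[1:].lower() for s in PurePosixPath(name).suffixes]


def flag_uploads(lines):
    """Return one finding per upload whose final extension is in RISKY_EXT."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated export line
        if not isinstance(ev, dict) or ev.get("Operation") != "FileUploaded":
            continue
        name = ev.get("SourceFileName") or ""
        exts = extensions(name)
        if not exts or exts[-1] not in RISKY_EXT:
            continue
        reasons = ["executable type ." + exts[-1]]
        if len(exts) > 1 and exts[-2] in DECOY_EXT:
            reasons.append("double extension")
        if "#ext#" in (ev.get("UserId") or "").lower():
            reasons.append("guest uploader")  # guest accounts carry #EXT# in the UPN
        if CHAT_FOLDER in (ev.get("SourceRelativeUrl") or ""):
            reasons.append("Teams chat share")
        findings.append({"time": ev.get("CreationTime"), "user": ev.get("UserId"),
                         "file": name, "reasons": reasons})
    return findings
```

Calling `flag_uploads(SAMPLE.splitlines())` returns the two risky uploads and ignores the document, the download event, and the truncated line.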

Microsoft Defender for Office 365 is included in Microsoft 365 Business Premium (Plan 1) and Microsoft 365 E5 (Plan 2). Both include Safe Attachments and Safe Links, which apply to Teams. These services seem to have changed their names with regularity over the last few years, but the key takeaway is that one of the benefits of paying for one of the more costly M365 SKUs is that you get added security tools packaged in, and some of these serve to harden Teams against threats like those being highlighted.

Avanan offers its own security product designed for Microsoft 365 with specific capabilities for Teams. This package far exceeds the default security mitigations in all Teams instances and to an extent is beyond what is available even in a flagship SKU like M365 E5. Avanan is by no means the only third-party company to offer security products that can enhance M365, though; take a look at Barracuda and Fortinet as just two of many examples.

You may feel that the default settings for sharing in Microsoft 365 are too permissive, and you may consider turning off guest access and external access for Teams. Beyond this, you can limit any sharing within and without your organization through the SharePoint Admin Center. Every organization's needs will be different.

What is the takeaway?

This is a good reminder that user training alongside good security mitigations is essential no matter what platform we are using. This reporting does not highlight some critical flaw in Teams that is being exploited. The default settings in Teams are fairly permissive, but given that Microsoft only got around to blocking downloaded macros by default this month, this is probably to be expected. There are ways to further lock down Teams, either by changing default settings or adding features through different Microsoft 365 products, and there are any number of third parties offering additional security products. Teams also relies upon the security mitigations elsewhere, just as Outlook, or Edge, or any other application does.

The tools we have available for collaboration are amazing. Each has upsides and downsides in capabilities and potential risks. It is important that everyone understands this and takes appropriate steps to keep themselves and their businesses safe. The high profile of this week's news about Teams serves as a reminder to take security seriously and not get too comfortable that any one platform is just safe.

Title image: Photo by Jefferson Santos on Unsplash

Nick DeCourcy

Nick DeCourcy is the owner and principal consultant at the Bright Ideas Agency. He has worked extensively in the education and non-profit sectors in areas including operations, facilities, and technology. He is passionate about getting technology implementation right, first time, by fully understanding how it impacts the employee and customer experience.
