For many organizations, the default setting in Teams to allow external communication from users on the same platform is useful to how they do business. Even for my business, this setting is great as it allows me to collaborate with my clients without needing to be set up as a guest or have an account in their tenant (or vice versa). However, with some of the reported attacks in August, organizations may want to revisit that choice and make some changes.
So what happened that warrants this review? In two reported attacks in August, attackers leveraged the ability to send messages through Teams to lull users into a false sense of security and catch them with their guard down for some classic social engineering attacks. Microsoft Teams is a vulnerable path for this since most users are taught to watch for this type of behavior in email, and organizations even have solutions in place to catch most phishing campaigns for email, but nothing for Teams.
In one reported attack, a hacking group recently targeted dozens of organizations worldwide, including government agencies, in Microsoft Teams phishing attacks. The attackers created new domains and sent tech support lures, attempting to manipulate users into granting approval for multifactor authentication (MFA) prompts, in order to steal their credentials. This attack highlights the significant impact that social engineering attacks can have, even on well-protected entities. [Read More…]
In another reported attack in late August 2023, a new phishing campaign targeting Microsoft Teams users sent malicious attachments from two compromised external Office 365 accounts. The malicious attachment contained VBScript that triggers the infection chain leading to the DarkGate Loader malware. This attack was similar to one reported by Jumpsec in June 2023; however, Microsoft decided not to address the risk. A tool released in July 2023 that streamlined Microsoft Teams phishing attacks likely increased the chance of the technique being abused in the wild, though there is no indication that this method is involved in the recently observed campaign. [Read More…]
Protecting your organization
As a security professional, what should you do in the face of this growing avenue of threats? As you can see from the above examples, both communications were identified as external. Given that, one simple method is to disable all external access to Teams. However, for many organizations, this may not work with how they do business. In that case, consider whitelisting or blacklisting domains and educating your users about threats coming through Teams. Beyond that, here are some additional methods you may want to investigate to help secure your MS Teams environment.
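The two external-access options above (turning external access off, or allowing only listed domains) can also be set from the Teams PowerShell module. This is an added example, not from the original post; the partner domains are placeholders, and it assumes the MicrosoftTeams module is installed and you sign in with a Teams administrator account.

```powershell
# Added example: review and restrict Teams external access (federation).
# Assumes: Install-Module MicrosoftTeams has been run and the account
# used below holds a Teams administrator role.
Connect-MicrosoftTeams

# 1. Record the current tenant-wide setting before changing anything.
#    The default (all external domains allowed) shows AllowFederatedUsers
#    as True with no restriction on AllowedDomains.
$before = Get-CsTenantFederationConfiguration
$before |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound |
    Format-List

# 2. Build the allow list. These domains are placeholders; replace them
#    with the partner domains your users actually need to reach.
$partners = New-Object 'System.Collections.Generic.List[string]'
foreach ($domain in 'partner-one.example', 'partner-two.example') {
    $partners.Add($domain)
}

# 3a. Option A: keep external access on, but only for the listed domains.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $partners

# 3b. Option B: turn external access off for the whole tenant.
#     Uncomment instead of 3a if no external chat is needed.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 4. Read the setting back and confirm it matches what was intended.
$after = Get-CsTenantFederationConfiguration
$after |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains |
    Format-List
```

Keep the output of step 1 with your change record so the previous state can be restored if a business workflow breaks.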
Protect Microsoft Teams Against Phishing Attacks
Microsoft Teams with Defender for Office 365 can benefit from enhanced protection specifically against malicious phishing attacks that utilize weaponized URLs. With this feature, you can take advantage of time-of-click protection for links in conversations, group chats, and channels, safeguarding your team from potential threats. Note that, to access the Microsoft Defender portal, an E5 license is required.
Configure Teams Guest Access Settings
You can enhance collaboration and communication with Microsoft Teams by inviting guests. However, to ensure the security and privacy of your data, it is important to configure the right guest access settings. Through the Teams admin center, you can easily tailor your guest access rules to suit your needs.
Navigate to Microsoft Teams admin center –> Users –> Guest Access.
By setting up the appropriate guest access rules, you can confidently collaborate with clients and partners without compromising on data security. Plus, with the ability to disable screensharing during video meetings, you can ensure that confidential information always remains secure.
Restrict Unknown Domains from Emailing to Teams Channel Address
To increase the security of Microsoft Teams’ communication channels in your organization, it’s important to restrict channel email messages to approved domains. This ensures that only trusted entities can send messages to your Teams channels, preventing potential security breaches and keeping your business communications safe.
Manage MS Teams Third-Party File Integrations
With Teams, you have the flexibility to store your files with various third-party storage providers such as Citrix Files, Dropbox, Box, Google Drive, Egnyte, etc. However, some providers may pose a risk of data leakage. To ensure your data remains secure, you have the option to disable unsupported providers.
Set Up Conditional Access Policy for Microsoft Teams
Conditional access allows admins to control access to resources based on certain conditions. Microsoft Teams has a growing list of security and compliance capabilities, including conditional access, which can be used to restrict access to Microsoft Teams from specific locations or devices. This helps to prevent unauthorized access and reduces the risk of data breaches. To access the Microsoft Office 365 conditional access policy feature, you will need an Azure AD Premium P1 license.
Manage Meeting Policies in Microsoft Teams
Managing Microsoft Teams meeting settings is important as it allows you to customize the meeting experience based on your security requirements. By following a few simple steps, you can minimize the attack surface and restrict unwanted content sharing in Teams meetings.
Navigate to Microsoft Teams admin center –> Meetings –> Meeting Policies –> Global Policy.
- Under the Meeting join & lobby tab, ensure that ‘Anonymous users can join a meeting’ and ‘People dialing in can bypass the lobby’ options are turned off.
- Under Meeting engagement, allow Meeting chat option for Everyone but anonymous users.
- Turn off the ‘External participants can give or request control’ setting in Content Sharing. Further, you can restrict the ‘who can present’ option to “People in my organization and guests” to avoid sharing inappropriate or unwanted content.
With these simple steps, you can configure your Teams meeting settings for a more secure and productive collaboration experience.
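The same Global policy settings expressed with the Teams PowerShell module, as an added example that is not from the original post. The mapping from the admin center labels to cmdlet parameters is an assumption of this example and should be checked against your module version; it also assumes the MicrosoftTeams module and a Teams administrator account.

```powershell
# Added example: apply the meeting policy settings listed above to the
# Global (org-wide default) policy and check other policies for drift.
Connect-MicrosoftTeams

# Settings from the steps above, keyed by cmdlet parameter name.
$hardened = @{
    # 'Anonymous users can join a meeting' -> Off
    AllowAnonymousUsersToJoinMeeting           = $false
    # 'People dialing in can bypass the lobby' -> Off
    AllowPSTNUsersToBypassLobby                = $false
    # 'Meeting chat' -> on for everyone but anonymous users
    MeetingChatEnabledType                     = 'EnabledExceptAnonymous'
    # 'External participants can give or request control' -> Off
    AllowExternalParticipantGiveRequestControl = $false
    # 'Who can present' -> people in my organization and guests
    DesignatedPresenterRoleMode                = 'EveryoneInCompanyUserOverride'
}

# Show the current values first so the change can be reviewed or reverted.
Get-CsTeamsMeetingPolicy -Identity Global |
    Select-Object ([string[]]$hardened.Keys) |
    Format-List

# Apply the settings to the Global policy.
Set-CsTeamsMeetingPolicy -Identity Global @hardened

# The Global policy only applies to users with no other policy assigned.
# List any other meeting policy that still leaves one of the join or
# control settings open, so it can be reviewed separately.
Get-CsTeamsMeetingPolicy |
    Where-Object {
        $_.Identity -ne 'Global' -and (
            $_.AllowAnonymousUsersToJoinMeeting -or
            $_.AllowPSTNUsersToBypassLobby -or
            $_.AllowExternalParticipantGiveRequestControl
        )
    } |
    Select-Object Identity, AllowAnonymousUsersToJoinMeeting,
                  AllowPSTNUsersToBypassLobby,
                  AllowExternalParticipantGiveRequestControl
```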
MS Teams Communication Monitoring
Microsoft Teams chat monitoring allows administrators to set up keyword alerts to be notified whenever a particular word is used. In large organizations, this functionality can help administrators respond to problems more quickly. However, outside of keyword alerts, administrators have to manually monitor communications. Teams does also give users the option to report messages, which means you can review those reports and detect trends that warrant further investigation and action.
Safe Collaborating
Armed with some knowledge of the threat vector, and some ways to help secure your environment, you should now be able to configure your tenant to be a bit safer. Nothing replaces educating your users about this type of attack and about safe computing habits. With that said, all the safety measures in the world cannot prevent ignorance and poor choices. Make sure you configure reporting and monitor for anomalies in your environment. If you need help securing your MS Teams environment or tenant, or would like to discuss a security review, reach out to me to talk.