
Microsoft Teams attack exposes collab platform security gaps

Criminal and state-sponsored hackers are ramping up cyberattacks on instant messaging platforms and other workplace collaboration tools. Meanwhile, enterprises' readiness lags.

When a Russia-sponsored social engineering cyberattack targeted Microsoft Teams users in media, tech, government and other sectors earlier this summer, it exposed glaring holes in enterprises' security preparedness for collaboration platforms.

Widely popular instant messaging systems such as Teams and Slack and other enterprise collaboration platforms that have flourished in the post-pandemic world of distributed and hybrid work have provided a vast new attack surface for hackers.

Yet enterprises, which have a few decades of experience in securing and defending email systems from cyberattacks, have been slow to recognize and deal with the fast-growing threat to collaboration platforms.

"As companies adopt new types of collaboration technologies, they don't really think about security first or know what the risk might be until there's some kind of attack," said Irwin Lazar, president and unified communications analyst at Metrigy, an advisory and research firm focused on digital workplace tools.

"People know that phishing attacks happen through email and social engineering attacks and calls into a contact center when somebody might be pretending to be one of your customers, or one of your employees is trying to get credentials reset. But this is a new vector," he added.

Vendors behind on defense

Meanwhile, giant software providers like Microsoft and Salesforce, owner of Slack, appear to be having trouble keeping up with escalating attacks. At the same time, the vendors are increasingly adding new collaboration tools and features that could make the platforms even more vulnerable.

Slack on Jan. 9 acknowledged in a blog post that a "limited number" of Slack employee tokens had been stolen in late December 2022 and used to get into Slack's external GitHub repository.

As for Microsoft, it must do more to secure its various communication and messaging channels, said David Raissipour, chief technology and product officer of Mimecast, an email and messaging security vendor.

"I have a lot of colleagues [at Microsoft] that are in the cyber space, and they're putting a lot of time and effort into it," said Raissipour, who worked at Microsoft in a variety of roles over 14 years. "Is it good enough? Not for the kind of scale they have and the breadth they have."

"Sometimes I don't think these vendors -- Microsoft is one of them, but they're just one of many -- are forthcoming with their customers so their customers can protect themselves while they fix the problem," he continued.

The Midnight Blizzard incursion, reported by Microsoft in a blog post on Aug. 2, also hit Teams platforms used by IT service providers, non-governmental organizations and manufacturing companies.

Microsoft declined to provide comment beyond the blog post.

Some 40 organizations were targeted by the threat actor that the U.S. and U.K. governments had identified as an arm of the Foreign Intelligence Service of the Russian Federation, according to Microsoft. The intent of the attacks was espionage.

Exploiting the messaging mindset

Cyber attackers find it increasingly useful to aim strikes at messaging and other collaboration platforms, such as virtual whiteboards, because users can be caught with their guards down against suspicious URLs and domain names, according to cybersecurity experts.

That's in large part because of the genesis of messaging tools, which are successors to earlier collaboration technologies, such as Skype for Business, Microsoft SharePoint and Google Drive.

The newer messaging tools have, until recently, been more commonly thought of as more personal modes of communication, even when they are provided by employers.

Employees often use the tools in unauthorized ways, such as sharing personal information with people outside the organization, and in sanctioned but risky ways, by doing business on the platforms with outside people.

"A variety of vulnerabilities and exploits exist in these tools that were not necessarily designed for inter-company and inter-organization communication but have become part of that," Raissipour said. "And the volume of communication on these platforms has just exploded."

The personal and immediate feel of many new collaboration tools makes them particularly susceptible to social engineering attacks, in which adversaries exploit human vulnerabilities and appeal to users' emotions and sense of urgency, Raissipour said.

For example, a common mode of attack -- the same tactic used by Midnight Blizzard -- is for attackers to pose as internal IT security personnel. They ask a user to immediately enter multifactor authentication credentials, which the attacker uses to steal information or gain access to networks.

[Screenshot: Mimecast messaging and email monitoring dashboard.]

A welter of vulnerable platforms

Beyond Teams and Slack, enterprises use many other popular communication and collaboration platforms that harbor security risks, according to a recent research report, "Challenges in Securing an Overabundance of Communication and Collaboration Tools" by TechTarget's Enterprise Strategy Group.

They include Outlook/Exchange and Microsoft 365, which includes Teams; Google Workspace; Zoom; Skype; WebEx; Atlassian; Salesforce Chatter; Asana; Loom; Flock; Ryver; and Podio.

The research found that most organizations use more than five disparate communication and collaboration platforms, including email, videoconferencing and file sharing technologies.

More than half of the IT professionals in the mid-sized and enterprise-level organizations surveyed reported experiencing weekly and daily multi-vector social engineering cyberattacks. Most organizations are concerned that attackers are targeting channels other than email.

Even so, only about a quarter of organizations take the new breed of cyberattacks seriously enough to make securing collaboration tools an urgent priority, said David Gruber, one of the report's authors.

"Is this on people's radar or not?" Gruber said.

"Even some of those who are really big-name companies that everybody would recognize still had questions like, 'Is this a place that's ripe enough?'" he said, referring to some of the companies the research team worked with.


Experts say enterprises need to start or step up security awareness training for newer collaboration platforms and bring the level of employee education about the problem up to par with email, for example.


Also, cybersecurity providers like Mimecast intensively market technologies and services to monitor and thwart intrusions into collaboration systems.

In the meantime, users should always be thinking about what they communicate and what the potential risk is, Gruber said.

"The thing that's not controllable is the emotional element of the equation. And this is exactly what the adversary targets to create urgency and an emotional response from any of us as end users," he said.

In its recent attacks, Midnight Blizzard used previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appeared as technical support entities, Microsoft said.

With those domains, the cyber attackers used Teams messages to send lures to try to steal credentials from victim organizations by engaging users and getting them to approve multifactor authentication prompts.
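The lure pattern described above (a Teams message from an unfamiliar tenant posing as IT support, followed by the user being pushed to approve multifactor authentication prompts) leaves two observable traces a defender can correlate: an external chat from a lookalike domain and a burst of MFA prompts for the same user shortly afterwards. The script below is an added illustration of that correlation, not code from the article, Microsoft or Mimecast. The event records, field names (`ts`, `user`, `sender_domain`, `external`), the support-keyword list and the partner allowlist are all constructed assumptions for the example and do not reflect any real product's log schema; the thresholds (three prompts within five minutes, a 30-minute lookback) are likewise illustrative starting points.

```python
"""Correlate external Teams messages from support-lookalike domains with
bursts of MFA prompts on the same user. All data below is constructed for
illustration; field names and thresholds are assumptions, not a real schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Teams chat events (hypothetical field names).
TEAMS_EVENTS = [
    {"ts": "2023-08-01T09:00:00", "user": "alice@victim.example",
     "sender_domain": "helpdesk-support.example", "external": True},
    {"ts": "2023-08-01T09:30:00", "user": "bob@victim.example",
     "sender_domain": "partner.example", "external": True},
    {"ts": "2023-08-01T10:00:00", "user": "carol@victim.example",
     "sender_domain": "victim.example", "external": False},
]

# Constructed sample MFA prompt events: (timestamp, user, outcome).
MFA_EVENTS = [
    ("2023-08-01T09:02:00", "alice@victim.example", "denied"),
    ("2023-08-01T09:03:00", "alice@victim.example", "denied"),
    ("2023-08-01T09:04:00", "alice@victim.example", "denied"),
    ("2023-08-01T09:05:00", "alice@victim.example", "approved"),
    ("2023-08-01T09:31:00", "bob@victim.example", "approved"),
    # dave has a prompt burst but no external lookalike message: no alert.
    ("2023-08-01T09:50:00", "dave@victim.example", "denied"),
    ("2023-08-01T09:51:00", "dave@victim.example", "denied"),
    ("2023-08-01T09:52:00", "dave@victim.example", "denied"),
]

# Assumed allowlist of tenants the organization legitimately chats with.
KNOWN_PARTNER_DOMAINS = {"partner.example"}
# Assumed terms an attacker might use to look like an internal help desk.
SUPPORT_KEYWORDS = ("support", "helpdesk", "it-", "security", "admin")


def parse(ts):
    return datetime.fromisoformat(ts)


def is_lookalike_domain(domain, allowlist=KNOWN_PARTNER_DOMAINS,
                        keywords=SUPPORT_KEYWORDS):
    """True if an unallowlisted domain contains a support-style keyword."""
    d = domain.lower()
    if d in allowlist:
        return False
    return any(k in d for k in keywords)


def mfa_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Return {user: [burst_start, ...]} for users who received at least
    `threshold` MFA prompts inside any sliding `window` (prompt fatigue)."""
    by_user = defaultdict(list)
    for ts, user, _outcome in events:
        by_user[user].append(parse(ts))
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        starts, i = [], 0
        for j, t in enumerate(times):
            while t - times[i] > window:  # slide the window's left edge
                i += 1
            if j - i + 1 >= threshold and (not starts or starts[-1] != i):
                starts.append(i)
        if starts:
            bursts[user] = [times[k] for k in starts]
    return bursts


def correlate(teams_events, mfa_events, lookback=timedelta(minutes=30)):
    """Alert when a user who got an external message from a lookalike domain
    then sees an MFA prompt burst within `lookback` of that message."""
    bursts = mfa_bursts(mfa_events)
    alerts = []
    for ev in teams_events:
        if not ev["external"] or not is_lookalike_domain(ev["sender_domain"]):
            continue
        msg_time = parse(ev["ts"])
        for burst_start in bursts.get(ev["user"], []):
            if timedelta(0) <= burst_start - msg_time <= lookback:
                alerts.append({"user": ev["user"],
                               "sender_domain": ev["sender_domain"],
                               "message_time": ev["ts"],
                               "burst_start": burst_start.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(TEAMS_EVENTS, MFA_EVENTS):
        print("ALERT:", alert)
```

Only alice trips the rule: her message came from an unallowlisted support-style domain and four prompts followed within minutes. bob's partner tenant is allowlisted, carol's message was internal, and dave's prompt burst has no preceding lure, so each alone stays below the bar. In practice the keyword list and allowlist would be tuned to the organization's real partner tenants, and the raw events would come from the tenant's audit and sign-in logs.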

Cyber espionage

Midnight Blizzard's cyber espionage forays into American and European organizations may have provided the group with immense troves of information to further its objectives, though the main goal of the attack remains unclear.

In this case, the immediate objective was not money, as with ransomware attacks.

"They might be getting a contact of yours who may have a contact that's a government person," Raissipour said. "They may have contact that has something about a financial record around a product that's coming to market, around any one of those things that are valuable and can be sold.

"It's not always that they're getting nuclear secrets," he added. "They're getting some value out of it, and that value may be an account credential, piece of information, contact information -- things that you have that they may not have."

Shaun Sutner is senior news director for TechTarget Editorial's enterprise AI, business analytics, data management, customer experience and unified communications coverage areas.
