Social Engineering Risks Found in Microsoft Teams

Written by

Several new ways of effectively abusing Microsoft Teams via social engineering have been discovered by security researchers at Proofpoint.

“[We] recently analyzed over 450 million malicious sessions, detected throughout the second half of 2022 and targeting Microsoft 365 cloud tenants,” reads a report published by the company earlier today.

“According to our findings, Microsoft Teams is one of the ten most targeted sign-in applications, with nearly 40% of targeted organizations having at least one unauthorized login attempt trying to gain access.”

Read more on Microsoft 365-focussed attacks: “Greatness” Phishing Tool Exploits Microsoft 365 Credentials

The first of the techniques observed by the Proofpoint team used tabs to gain access to sensitive information by manipulating them in Teams channels or chats. They might rename a tab to make it look like an existing one and then direct it to a malicious website. This is a common tactic used for credential phishing.

“We have found that tabs manipulation could be part of a potent and largely automated attack vector, following an account compromise,” reads the report.

“Usually, users may rename tabs however they choose, as long as the new name does not overlap with an existing tab’s name [...] In addition, users are supposedly restricted from re-positioning tabs in a way that places them before default tabs.”

Tabs were also used for instant malware download, with attackers creating custom tabs that automatically download files to users’ devices, potentially delivering malware.

Proofpoint further observed attackers trying to manipulate meeting invites using Teams API calls to replace default links with malicious ones. This can lead to users unknowingly visiting phishing pages or downloading malware.

Finally, threat actors were spotted modifying existing links in sent messages using the Teams API or user interface. In cases like this, the presented hyperlink remains the same, but the underlying URL was changed to lead users to nefarious websites or malicious resources.

“It is important to note that the aforementioned abuse methods require pre-existing access to a compromised user account or Teams token,” clarified the Proofpoint report.

“Nevertheless, approximately 60% of Microsoft 365 tenants suffered at least one successful account takeover incident in 2022. Consequently, the potential proliferation of these methods would provide threat actors with effective possibilities for post-compromise lateral movement.”

Editorial image credit: DANIEL CONSTANTE /

What’s hot on Infosecurity Magazine?