Relying on default settings on Microsoft Teams leaves users open to threats from external domains. Misconfiguration can prove perilous to high-value targets.
Microsoft Teams has over 270 million active monthly users, with government institutions using the software in the US, UK, Netherlands, Germany, Lithuania, and other countries at varying levels.
Cybersecurity researcher Darius Povilaitis has discovered that relying on default MS Teams settings can leave high-value users vulnerable to social engineering attacks. Attackers could create group chats with state officials, masquerading as their bosses and observing whether they are online.
“We saw that attackers could, rather convincingly, impersonate a high-ranking state official and possibly strike up a conversation, fooling victims into believing they’re discussing sensitive topics with a superior. Skilled attackers could do a lot of harm with this capability,” Povilaitis told Cybernews.
Easy to fool
For a proof of concept, Povilaitis’ team tested the idea on members of the Lithuanian parliament’s Committee on National Security and Defence (CNSD). Bordering Russia and Russia-aligned Belarus, Lithuania has recently been targeted by threat actors such as Killnet over its support for Ukraine.
Researchers used MS Teams to give their accounts the same name as Lithuania’s Prime Minister Ingrida Šimonytė. They subsequently used the MS Teams search tool, pasting the email addresses of the CNSD members into the search bar and adding all of them to a single chat group.
If researchers proceeded to create the chat, the MPs in the conversation would see it was created by “Ingrida Šimonytė (external).” This is because Lithuania’s legislative and executive branches use different domain names: lrs.lt and lrv.lt respectively.
If the real Prime Minister created a group chat, its members would witness just the same thing: a name and surname followed by the word “external.” While MPs working with sensitive information are trained to be careful not to share it, less attentive individuals could inadvertently disclose crucial data, mistakenly thinking they’re conversing with another high-ranking official.
According to an advisory from Lithuania’s National Cyber Security Centre (NCSC), the problem lies with government institutions relying on default or near-default settings for external access on MS Teams.
The NCSC claims that default settings allow third parties who know officials’ names and surnames to discover whether they’re using the program and send direct messages and files. Those using the MS Teams plan for businesses can also see if the targeted official is online or not.
“It is easy to impersonate anyone in the Teams app, and staff members can find it difficult to confirm the identity of the third party writing quickly. This functionality enables social engineering attacks. The NCSC assesses that this poses a serious threat to the security of organizations,” reads the advisory.
It also noted that Lithuania is weathering an increased volume of cyberattacks on its institutions. Therefore, organizations are advised to change MS Teams’ external access setting so that only users from specific, approved external domains can contact officials.
The NCSC representative told Cybernews that no breaches related to the MS Teams settings were uncovered.
Cybernews has contacted Microsoft for comment, but no reply was received at the time of publishing.
Configuration errors pose risks in any collaboration platform, and breaches can result in lost revenue and leaked secrets, says Otavio Freire, president and CTO of SafeGuard Cyber.
Officials using MS Teams are of particular interest to threat actors, since intelligence obtained via collaboration platforms can be more valuable than that acquired through regular email-based phishing.
“Users are often less vigilant once they leave email, since they inherently trust chat channels more, viewing them as ‘internal’ tools. This trust can make them easy targets,” Freire told Cybernews.
Since platforms are designed to facilitate communication, they rarely flag impersonators, and in any case often don’t have the means to point out the possible malicious intent of users sharing links and files.
“One of the more concerning scenarios is that an attacker could use this for gaining classified information or access to assets, as well as distributing the means to steal credentials or infect a government device,” Freire explained.
To avoid risks, security teams are advised to establish basic requirements for access and run checks on system configuration to ensure platforms comply with requirements.
Users should also be trained to be aware of the risks that communication platforms can pose, and apply zero-trust principles to cloud-based communication channels.
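As an added illustration, not taken from the article or the NCSC advisory, the Teams PowerShell script below audits a tenant's external access configuration for the open default the NCSC describes and replaces it with an allow-list of named partner domains. The partner domain list and the assumption that an administrator has already run Connect-MicrosoftTeams are illustrative.

```powershell
# Added example: audit Teams external access and restrict it to an allow-list.
# Assumes the MicrosoftTeams PowerShell module is installed and an admin has
# already run Connect-MicrosoftTeams. Partner domains below are illustrative:
# a parliament tenant (lrs.lt) allow-listing the executive branch (lrv.lt).
$PartnerDomains = @('lrv.lt')

function Get-TeamsExternalAccessFindings {
    # Returns a list of findings describing weak external access settings in effect.
    $cfg = Get-CsTenantFederationConfiguration
    $findings = @()
    if ($cfg.AllowFederatedUsers) {
        # AllowAllKnownDomains is the open default: any external Teams tenant
        # can look up users by name, see presence and start chats or send files.
        if ($cfg.AllowedDomains.GetType().Name -eq 'AllowAllKnownDomains') {
            $findings += 'External access allows ALL external domains (default setting).'
        } elseif (-not $cfg.AllowedDomains.AllowedDomain) {
            $findings += 'Allow-list is empty; verify this is intentional.'
        }
    }
    if ($cfg.AllowTeamsConsumer) {
        $findings += 'Personal (consumer) Teams accounts can contact users.'
    }
    if ($cfg.AllowPublicUsers) {
        $findings += 'Skype consumer users can contact users.'
    }
    return $findings
}

function Set-TeamsExternalAccessAllowList {
    param([string[]]$Domains)
    # Build an explicit allow-list and apply it, replacing "allow all known domains".
    $patterns  = $Domains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    Set-CsTenantFederationConfiguration -AllowedDomains $allowList
    Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowPublicUsers $false
}

$before = Get-TeamsExternalAccessFindings
if ($before) {
    $before | ForEach-Object { Write-Warning $_ }
    Set-TeamsExternalAccessAllowList -Domains $PartnerDomains
    # Re-audit so the change is verifiable rather than assumed.
    Get-TeamsExternalAccessFindings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'External access is already restricted to an allow-list.'
}
```

An allow-list narrows who can reach staff but does not solve the display-name problem the article describes: a chat from an allowed partner domain still shows only a name followed by “(external)”, so users still need a way to confirm who they are talking to.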
On the radar
Last month, threat actors loyal to the Kremlin known as the Killnet collective launched distributed denial-of-service (DDoS) attacks against Lithuanian government institutions and private businesses, in an attempt to muscle the nation into dropping EU-level sanctions against Russia.
Killnet released a video message on its Telegram account demanding Lithuania allow the transit of goods to Russian exclave Kaliningrad, and threatened to attack the Baltic nation if it did not comply.
At the time, Jonas Skardinskas, the head of cybersecurity at the NCSC, warned that the transport, energy, and finance sectors would feel the brunt of the attacks.
Recent months have seen a wave of cyberattacks against various government institutions in Europe, as Russia’s invasion of Ukraine sparked what pundits are calling a cyber war.