Tenable disclosed details of a serious vulnerability in Microsoft Teams discovered by Evan Grant of its Zero-Day Research Team. By abusing PowerApps functionality (a separate product used within Teams for building and using custom business apps), threat actors could gain persistent read/write access to a victim user’s email, Teams chats, OneDrive, SharePoint and a variety of other services by way of a malicious Microsoft Teams tab and Power Automate flows.
According to Microsoft, Teams reached 145 million daily active users in March 2021, roughly a 90% increase in the last twelve months. The growth is largely driven by a surge in remote work and distance learning, with many organisations rushing to make cloud-based communication and collaboration as simple as possible.
“Despite its simplicity, this vulnerability poses a significant risk as it could be leveraged to launch a number of different attacks across a variety of services, potentially exposing sensitive files and conversations, or to allow an attacker to masquerade as other users and perform actions on their behalf”, explains Evan Grant, staff research engineer of Tenable. “Given the number of access tokens this vulnerability exposes, there are likely to be other creative and serious potential attacks not explored in our proofs-of-concept”.
Exploitation of this vulnerability is limited to authenticated users within a Teams organisation who have the ability to create Power Apps tabs, meaning it can’t be exploited by an untrusted or unauthenticated attacker. However, the permission to create these tabs is enabled by default, meaning a third-party contractor, a disgruntled employee, or even an ex-employee whose access hasn’t been revoked could launch an attack.
At this time there is no evidence that this vulnerability has been exploited in the wild. Microsoft has implemented a solution to this issue, with no further action needed from end-users.
A detailed blog post about this vulnerability, including potential indicators of compromise, is available.