While Microsoft Teams adoption is growing incredibly fast with over 80 million active daily users in 2020, some highly regulated organizations are often hesitant to deploy Teams or limit the deployment of Teams due to information security concerns and possible cyber security threats. Supporting any platform with that many daily users you can be sure that hackers are watching closely and will do everything they can to gain a foothold in your environment.
During this presentation we will cover real-world cyber security threats as well as strategies for hardening your security configurations to protect your Teams deployment. We will also cover the available Microsoft add-on solutions to improve security, including Advanced Threat Protection (ATP), increased logging options, and Azure AD P1 licenses that improve Teams governance capabilities. Some of the topics we'll discuss:
- Credential theft campaigns
- Identity spoofing for user impersonation
- Man-in-the-middle attacks
- Locking down 3rd party application implementations
- Conditional access policies
- Permission management settings
- Information boundary configurations
- And more…
You'll learn how hackers think, and how you can gain the upper hand by preparing and training your users for the most common cyber security exploits as well as leveraging the best Microsoft tools available to mitigate both external and internal security risks.
Right Money Management App For Your Financial Goals
Protecting Microsoft Teams from Cyber Security Threats - a Practical Guide
1. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Vielen Dank an unsere Sponsoren!
Platinum
Gold
Many thanks to our sponsors!
Join the virtual Bar and the ScriptRunner Sessions!
2. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Protecting Microsoft Teams
from Cyber Security Threats
- a Practical Guide
Ben Menesi, CEH
3. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Speaker
@BenMenesi
▪ Ben Menesi
▪ VP Products & Innovation at panagenda
▪ Started out in the IBM world
▪ SharePoint & Exchange Admin & Dev
▪ Certified Ethical Hacker v9 and OSCP student
▪ Enjoys breaking things
▪ Speaker at IT events around the globe (Collab365
GlobalCon1-3, M365 Marathon, SPC, SPS NYC, Montreal,
Geneva, Cambridge)
▪ Owns a bar
4. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
About
panagenda
• Headquartered in Vienna, Austria
• Offices in the US, Australia, Germany & the Netherlands
• 10M+ user licenses in over 80 countries
5. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Our product: OfficeExpert
Business Value Outcomes
Service Performance
Measurements
Teams Usage Analysis Collaboration
Workloads
Comparison
Licensing
Optimization
Our Product: OfficeExpert
6. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Service Performance
Measurements
Teams Usage Analysis
Collaboration
Workloads
Comparison
Licensing
Optimization
Validate Readiness
for Voice Deployments
Drive Targeted
Adoption Campaigns
Remove Duplicate
Technologies
Cost Savings for
License Subscriptions
Business Value
Outcomes
7. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Our product: OfficeExpert
Data Warehouse with
Azure AD Information
DataAggregationModeling
M365
Activity Data
TEAMS
Usage
Analytics
PowerShell
Information
Microsoft
Graph API
Service
Performance
Data
Web Interface
Report Builder & Dashboards
Data Warehouse
USAGE
DATA
PERFORMANCE
DATA
AD User
Details
Open API for Integration
Data Analytics
8. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
We offer managed trials & free
assessments!
panagenda.com/officeexpert
10. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Agenda
• What we’ll cover today
Numbers from the field Misconfigurations
Phishing Cross Platform Issues
Illicit Consent Grants
11. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Numbers from the field
▪ From Verizon’s DBIR (2020):
https://enterprise.verizon.com/resources/reports/2020-data-breach-
investigations-report.pdf
12. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Numbers from the field
58% Victims are businesses with < 1000 employees
92%
68% Breaches took months(!!!) to discover
Malware vectors: Email. (6.3% Web, 1.3% other)
13. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Numbers from the field
25% Phishing emails bypassed Office 365 default security
4%
98% Emails containing crypto-wallet address are phishing
1 in every 25 branded (legit) emails is phishing
▪ Avanan’s Global Phish Report 2019 (55,5M emails analyzed):
https://www.avanan.com/global-phish-report-web-briefing
50% Over half of all phishing emails contain malware
15. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Types of Phishing
emails
• According to Avanan’s Global
Phish Report, types of
phishing emails:
16. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Numbers from the
field
• Frightening percentage of
emails make it past Exchange
Online Protection
17. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
1.) Spearphishing
• 0,4% of Phishing attacks
• Very dangerous
• Impersonates a senior
employee
• Organizationally aware
• No link or attachment
• Sense of urgency
18. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
2.) Extortion
• 8% of Phishing attacks
• Somewhat personalized
• Contains password from
data leak
• Crypto wallet address
• Sent en-masse
19. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
3.) Malware Phishing
• 50,7% of Phishing attacks
• No personal touch
• Has attachment
• Contains a link to trigger file
download
• Aims to install trojan
• Often poses as a PO / legal
claim
• The ‘old school way’
20. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
4.) Credential Harvesting
• 40,9% of Phishing attacks
• Second most dangerous
• Trusted brand logo
(Microsoft)
• Link in email body (or
attachment)
• Sense of urgency
• Leads to login page
21. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
When do we talk about
Microsoft Teams?
• According to Avanan: branded
phishing emails brand
impersonation
22. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Teams Impersonation Attacks
▪ May 2020: Two separate attacks targeting over 50k Teams users using Teams
impersonation sites (https://threatpost.com/microsoft-teams-impersonation-
attacks/155404/)
23. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
What can you do?
▪ Corporate branding: help your employees easily identify legit Teams emails:
24. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
What can you do?
▪ Levelized, consistent phishing awareness campaigns
▪ Thanks to Chris Hadnagy: https://www.linkedin.com/in/christopherhadnagy/
Level 1
• Not
personalized
• No branding
• Grammar /
spelling
errors
Level 2
• Not
personalized
• No branding
• No grammar
/ spelling
errors
Level 3
• Personalized
• Branded
• No grammar
/ spelling
errors
25. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
What can you do?
▪ Key Performance Indicators:
▪ Did employees catch the phish, and if so – did they report it?
▪ If not, did they click the link and digest the CBT message?
26. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
How to launch phishing campaigns
▪ Use the Attack Simulator
27. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
How to launch phishing campaigns
▪ Use the Attack Simulator
28. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
How to launch
phishing campaigns
• Use your own landing
page(s) ;)
30. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Illicit Consent Grants
▪ While these haven’t made their way into the phishing top 4 categories…
▪ Phishing campaigns could trick users into granting access to applications
▪ https://blogs.technet.microsoft.com/office365security/defending-against-illicit-consent-
grants/
▪ Exploit first demonstrated by Kevin Mitnick
31. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Illicit Consent Grants
▪ Exploit scenario
▪ Demo
▪ Infrastructure:
User Apache Web
Server
Hacker
37. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Can we Pivot in the M365 environment?
▪ Let’s take a look!
38. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Digital #metoo era
• Consent is key
• Integrated apps: Using various APIs, you can grant apps access to your tenant data:
• Mail, calendars, contacts, conversations
• Users, groups, files and folders
• SharePoint sites, lists, list items
• OneDrive items, permissions and more
• Integration: Azure AD provides secure sign-in and authorization
• Developer registers the application with Azure AD
• Assign permissions to the application
• Tenant administrator / user must consent to permissions
40. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Remedy:
Restricting
consents
• Azure AD Portal > User Settings
41. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Remedy: Restricting consent
• Manage how end users
launch
and view their applications
42. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Remedy: Enumerate consented apps
▪ Enumerate using PowerShell > Install the AzureAD PowerShell module >
Connect to Azure AD and
▪ Use script:
https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09
▪ Output:
▪ Gotcha! Does not show redirect URL settings!
43. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Remedy: Enumerate consented apps
• To show redirect URLs, use
AzureRM.Resources and
Connect-
AzureRMADAccount:
44. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Remedy: Search your Audit Logs
▪ Use ‘consent’ string to filter:
46. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Remedy: Cloud App Security
▪ Portal.cloudappsecurity.com
▪ Create an OAUTH App Security Policy
▪ Decide to notify or revoke
47. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Remedy: Educate users!
▪ Remember the levelized phishing awareness campaign approach?
▪ Create your own bogus application and send links that prompt for consent
▪ Redirect users to education site
▪ Reach out to me for details
@BenMenesi
ben.menesi@panagenda.com
49. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Teams vs. Zoom vs. Webex
▪ All online meeting platforms grew exponentially due to Covid-19
(https://www.techradar.com/news/microsoft-teams-zooms-past-zoom-in-the-
race-for-collaboration-tools-supremacy)
894% usage growth
677% usage growth
451% usage growth
50. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Zoom-bombing
▪ Zoom has exploded since the beginning of Covid-19 and so did its bad press:
▪ Zoom-bombing
▪ Vulnerabilities
▪ What is zoom-bombing?
▪ Zoom meeting URL:
▪ April 2020: password protected
▪ https://thehackernews.com/2020/07/zoom-meeting-password-hacking.html
▪ Bonus: did you know? You can use waiting rooms in zoom, too (think: lobby in Teams!):
https://blog.zoom.us/secure-your-meetings-zoom-waiting-rooms/
51. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Zoom meeting security
▪ Zoom meeting URLs at this point
Base URL: zoom.us/j/
Static
Meeting ID
9-11 digit Meeting ID:
1B possibilities
Meeting
52. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Zoom meeting security
▪ Zoom meeting IDs: easy to brute-force.
Zoom.us/j/123456789
If valid: no join-
errormsg in HTML
body
If invalid:
div id="join-errormsg„
in HTML body
53. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Zoom-bombing
▪ Fixed between September 2019 and April 2020 by
▪ Enforcing Automatic passwords
▪ Meeting ID validation
▪ Device blocker (prevent brute-force)
▪ But then: https://thehackernews.com/2020/07/zoom-meeting-password-
hacking.html
54. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Zoom meeting security
▪ Zoom meeting URLs at this point (with automatic passwords)
Base URL: zoom.us/j/
Static
Meeting ID
9-11 digit Meeting ID:
1B possibilities
Meeting password
6 digits passwords:
1M possibilities
Date & TimeMeeting
55. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Zoom issues
▪ April 2020: Cracking meeting passwords for zoom
(https://thehackernews.com/2020/07/zoom-meeting-password-hacking.html)
▪ Typical zoom login URL: zoom.us/j/MEETING_ID?pwd=999999
▪ 6 digit numeric password: 10x10x10x10x10x10 = 1,000,000 combinations
▪ Lack of lockout feature: allowed trying all possibilities via python in a few
minutes
▪ Fixed later in April 2020 by enhancing password complexity. Current password
characteristics:
bkltODZHbDd1QlA1ZS9kRk15cjNVdz09
56. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Zoom issues
▪ July 2020: RCE in Zoom desktop (https://blog.0patch.com/2020/07/remote-
code-execution-vulnerability-in.html)
▪ Remote code execution vulnerability
in zoom desktop running on Win7 or
earlier
▪ Fixed within 1(!!!) day
57. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
58. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Decoding Teams Meeting URLs
▪ Let’s look at a meeting URL:
▪ There is a lot going on here ☺ Let’s take it apart
https://teams.microsoft.com/l/meetup-
join/19%3ameeting_MDA0NjEyNWQtOGI3OS00NWZhLWIxYmItNDkyNzE0ZmRmOTY0%40thread.v2/0?context
=%7b%22Tid%22%3a%229fe808d4-38ba-4977-aa7c-44fc363cb42c%22%2c%22Oid%22%3a%2216fd9435-93cf-
4809-84c7-44837349723c%22%7d
59. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Decoding Teams Meeting URLs
▪ What is a meeting join URL made of?
▪ Points 1 and 3 always appear to be the same
▪ Point 2: meeting resource ID (Base64 encoded): 3c9462ca-c7a4-42b7-9ad2-
e2a22e466cf0
▪ Point 3: static values
▪ Point 4: Organizer context (TiD: TenantID [GUID], OiD: Organizer ID [GUID])
1.) Base: https://teams.microsoft.com/l/meetup-join/19%3
2.) Meeting ID: ameeting_MDA0NjEyNWQtOGI3OS00NWZhLWIxYmItNDkyNzE0ZmRmOTY0%40
3.) Thread version: thread.v2/0?
4.) Context: context=%7b%22Tid%22%3a%229fe808d4-38ba-4977-aa7c-
44fc363cb42c%22%2c%22Oid%22%3a%2216fd9435-93cf-4809-84c7-44837349723c%22%7d
60. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Real security of a Teams Meeting
▪ Essentially each meeting invite consists of 3 GUIDs (Globally Unique Identifier)
▪ GUID: 128bit Integer number used to identify resources
▪ Unique: 1B / s for a year: only 50% chance of a duplicate
Meeting GUID Tenant ID Organizer ID
Base64 encoded URL Encoded URL Encoded
Date & TimeLobby AdmittanceMeeting
61. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Teams-bombing: findings
1.) Can not bypass any of the 3 GUID components
2.) Since TiD is somewhat public information, susceptible to Google-hacking
3.) Teams meeting ID is extremely secure and there is no link to Meeting
calendar entry or calendar ID whatsoever.
63. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Avoiding Teams issues (especially education)
What the little rascals like to do:
▪ 1.) Muting the teacher (presenter)
▪ 2.) Mute other participants
▪ 3.) Kick other attendees from meetings
▪ 4.) Start sharing screen (overtake equal presenters)
64. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Avoiding Teams issues (especially education)
▪ Organizer options while in meeting: manually modify attendee roles
▪ OR: (Better): Meeting options while / after scheduling
▪ Tricky: you only have access to meeting options AFTER saving the meeting!
65. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Meeting chats & resources
▪ This can be a HUGE issue if not paid attention to
Invite
• External user is invited to a meeting
Meeting
• Participants are shown and can interact during meeting
Post-meeting
• Meeting chat is shown post-meeting with content that
was shared (including files via OneDrive)
66. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Meeting chats & resources
▪ Exercise: go back and look at your previous Teams meetings
▪ See how many of them removed you as a participant
67. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Meeting chats & resources
▪ Story: vendor briefing
▪ What happens if you do remove someone but it’s a recurring meeting?
▪ Best Practice: NEVER invite externals to recurring, internal meetings!
1.) External participant is removed from meeting chat
2.) External participant reuses calendar link to join
2.) External participant is added back into the chat & can view
meeting presence / join when meeting occurs
68. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Anonymous Meeting Attendees
▪ You can prevent / allow anonymous users from attending Teams meetings
▪ Does not require the Teams client
▪ There is a tradeoff:
Anonymous
Allowed
Anonymous
prevented
Use it with externals
– no need for Zoom
Keep your meetings
secure and
attendees
authenticated
69. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Anonymous Meeting Attendees
▪ Where to set it: Teams Admin Center > Meeting Settings > Participants
70. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Giphies in Teams – once again a tradeoff
Nay
Giphies!
Yay
Giphies!
FB Acquisition
Account Takeover
Relaxed
Collaboration
71. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Giphies in Teams
▪ Facebook acquisition: tons of data collected
▪ Account takeover possibility via Giphy:
https://www.cyberark.com/resources/threat-research-blog/beware-of-the-gif-
account-takeover-vulnerability-in-microsoft-teams
▪ Note: this was NOT due to Giphy being Giphy, it was due to a subdomain takeover
vulnerability that has since been fixed!
▪ Disable Giphys org-wide (Messaging Policies): https://docs.microsoft.com/en-
us/microsoftteams/messaging-policies-in-teams
▪ Disable Giphys per Team (PowerShell): https://hochwald.net/facebook-
acquired-giphy-how-to-disable-it-in-microsoft-teams
73. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Conclusion
Regular, levelized phishing
campaigns
Educate users
Control 3rd party apps Regularly review Teams security
& compliance controls
Review & manage externals
and recurring meetings
74. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
List of Resources
▪ Information Barriers: https://docs.microsoft.com/en-us/microsoft-
365/compliance/information-barriers?view=o365-worldwide
▪ Teams Security & Compliance Overview: https://docs.microsoft.com/en-
us/microsoftteams/security-compliance-overview
▪ Settings and Security issues in Microsoft Teams:
https://www.meetimeapps.com/blog/settings-and-security-issues-in-microsoft-
teams
▪ Decoding Teams meeting URLs:
http://imaucblog.com/archive/2018/01/16/decoding-a-microsoft-teams-
meeting-url/
▪ Teams messaging policies: https://docs.microsoft.com/en-
us/microsoftteams/messaging-policies-in-teams
76. 09. September 2020 | #TeamsCommunityDay | teamscommunityday.de | @TeamsDay
Vielen Dank an unsere Sponsoren!
Platinum
Gold
Many thanks to our sponsors!
Join the virtual Bar and the ScriptRunner Sessions!