While Microsoft Teams adoption is growing incredibly fast, with over 80 million daily active users in 2020, highly regulated organizations are often hesitant to deploy Teams, or limit its deployment, because of information security concerns and possible cyber security threats. With that many daily users on one platform, you can be sure that attackers are watching closely and will do everything they can to gain a foothold in your environment.
During this presentation we will cover real-world cyber security threats as well as strategies for hardening your security configurations to protect your Teams deployment. We will also cover the available Microsoft add-on solutions to improve security, including Advanced Threat Protection (ATP), increased logging options, and Azure AD P1 licenses that improve Teams governance capabilities. Some of the topics we'll discuss:
- Credential theft campaigns
- Identity spoofing for user impersonation
- Man-in-the-middle attacks
- Locking down 3rd party application implementations
- Conditional access policies
- Permission management settings
- Information boundary configurations
- And more…
You'll learn how hackers think, and how you can gain the upper hand by preparing and training your users for the most common cyber security exploits as well as leveraging the best Microsoft tools available to mitigate both external and internal security risks.
2. Speaker
@BenMenesi
▪ Ben Menesi
▪ VP Products & Innovation at panagenda
▪ Started out in the IBM world
▪ SharePoint & Exchange Admin & Dev
▪ Certified Ethical Hacker v9 and OSCP student
▪ Enjoys breaking things
▪ Speaker at IT events around the globe (GlobalCon1, SPS NYC, Toronto, Calgary, Montreal, Geneva, Cambridge)
▪ Owns a bar
3. About panagenda
▪ Headquartered in Vienna, Austria
▪ Offices in the US, Australia, Germany & the Netherlands
▪ 10M+ user licenses in over 80 countries
4. Our product: OfficeExpert
▪ Business value outcomes (slide graphic): service performance measurements, Teams usage analysis, collaboration workloads comparison, licensing optimization
6. Our product: OfficeExpert
▪ Architecture (slide diagram): M365 activity data, Teams usage analytics, PowerShell information, Microsoft Graph API and service performance data feed a data aggregation & modeling layer into a data warehouse (usage data, performance data, Azure AD user details); on top sit a web interface with report builder & dashboards, data analytics, and an open API for integration
7. We offer managed trials & free assessments!
panagenda.com/officeexpert
9. Agenda
• What we’ll cover today:
• Numbers from the field
• Phishing
• Illicit Consent Grants
• Misconfigurations
• Cross Platform Issues
10. Numbers from the field
▪ From Verizon’s DBIR (2020): https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf
11. Numbers from the field
▪ 58%: victims are businesses with < 1,000 employees
▪ 68%: breaches took months(!!!) to discover
▪ 92%: malware vector was email (6.3% web, 1.3% other)
12. Numbers from the field
▪ Avanan’s Global Phish Report 2019 (55.5M emails analyzed): https://www.avanan.com/global-phish-report-web-briefing
▪ 25%: phishing emails that bypassed Office 365 default security
▪ 4%: 1 in every 25 branded emails (emails that look like they come from a legitimate brand) is phishing
▪ 98%: emails containing a crypto-wallet address are phishing
▪ 50%: over half of all phishing emails contain malware
14. Types of Phishing emails
▪ According to Avanan’s Global Phish Report, the types of phishing emails break down as follows (slide chart; the four categories are detailed on the next slides):
15. Numbers from the field
▪ Frightening percentage of emails make it past Exchange Online Protection
16. 1.) Spearphishing
▪ 0.4% of phishing attacks
▪ Very dangerous
▪ Impersonates a senior employee
▪ Organizationally aware
▪ No link or attachment
▪ Sense of urgency
17. 2.) Extortion
▪ 8% of Phishing attacks
▪ Somewhat personalized
▪ Contains password from data leak
▪ Crypto wallet address
▪ Sent en-masse
18. 3.) Malware Phishing
▪ 50.7% of phishing attacks
▪ No personal touch
▪ Has attachment
▪ Contains a link to trigger file download
▪ Aims to install trojan
▪ Often poses as a PO / legal claim
▪ The ‘old school way’
19. 4.) Credential Harvesting
▪ 40.9% of phishing attacks
▪ Second most dangerous
▪ Trusted brand logo (Microsoft)
▪ Link in email body (or attachment)
▪ Sense of urgency
▪ Leads to login page
20. When do we talk about Microsoft Teams?
▪ According to Avanan, phishing emails that impersonate a brand most often impersonate Microsoft (slide chart: brand impersonation shares), so a Microsoft-branded Teams notification is exactly the kind of email users should expect to see spoofed
21. Teams Impersonation Attacks
▪ May 2020: Two separate attacks targeting over 50k Teams users using Teams impersonation sites (https://threatpost.com/microsoft-teams-impersonation-attacks/155404/)
22. What can you do?
▪ Corporate branding: help your employees easily identify legit Teams emails (slide example):
23. What can you do?
▪ Levelized, consistent phishing awareness campaigns
▪ Thanks to Chris Hadnagy: https://www.linkedin.com/in/christopherhadnagy/
▪ Level 1: not personalized, no branding, grammar / spelling errors
▪ Level 2: not personalized, no branding, no grammar / spelling errors
▪ Level 3: personalized, branded, no grammar / spelling errors
24. What can you do?
▪ Key Performance Indicators:
▪ Did employees catch the phish, and if so – did they report it?
▪ If not, did they click the link and digest the CBT (computer-based training) message?
25. How to launch phishing campaigns
▪ Use the Attack Simulator
27. How to launch phishing campaigns
▪ But use your own landing site ;)
29. Illicit Consent Grants
▪ While these haven’t made their way into the phishing top 4 categories…
▪ Phishing campaigns could trick users into granting access to applications
▪ https://blogs.technet.microsoft.com/office365security/defending-against-illicit-consent-grants/
▪ Exploit first demonstrated by Kevin Mitnick
30. Illicit Consent Grants
▪ Exploit scenario
▪ Demo
▪ Infrastructure (slide diagram): the user, an Apache web server run by the attacker, and the hacker
36. Can we Pivot in the M365 environment?
▪ Let’s take a look!
37. Digital #metoo era
▪ Consent is key
▪ Integrated apps: Using various APIs, you can grant apps access to your tenant data:
▪ Mail, calendars, contacts, conversations
▪ Users, groups, files and folders
▪ SharePoint sites, lists, list items
▪ OneDrive items, permissions and more
▪ Integration: Azure AD provides secure sign-in and authorization
▪ Developer registers the application with Azure AD
▪ Assign permissions to the application
▪ Tenant administrator / user must consent to permissions
41. Remedy: Enumerate consented apps
▪ Enumerate using PowerShell: install the AzureAD PowerShell module, connect to Azure AD and run this script: https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09
▪ Output: (slide screenshot)
▪ Gotcha! The script does not show redirect URL settings!
42. Remedy: Enumerate consented apps
▪ To show redirect URLs, use AzureRM.Resources and Connect-AzureRMADAccount: (slide screenshot)
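As an added example (it is neither the deck's script nor psignoret's gist), the following AzureAD-module PowerShell does in one pass what slides 41 and 42 do in two: it lists every delegated OAuth2 consent grant in the tenant, joins each grant to the service principal that holds it, flags apps registered outside the tenant that hold high-impact scopes, and prints the app's reply (redirect) URLs, which is where the authorization code or token of a phished user ends up. The $HighImpactScopes list, the column names and the "ExternalApp" heuristic are this example's own choices; it assumes the AzureAD module is installed and the signed-in account can read service principals and grants (Global Reader is enough to report, Global Admin to revoke).

```powershell
# Added example, not from the deck: delegated consent grants + reply URLs in one report.
# Assumes: Install-Module AzureAD; account with Global Reader (read) or Global Admin (revoke).
Connect-AzureAD | Out-Null
$tenantId = (Get-AzureADTenantDetail).ObjectId

# Scopes worth a second look when a non-Microsoft app holds them (this example's own list).
$HighImpactScopes = @(
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
    'Contacts.Read', 'Files.Read.All', 'Files.ReadWrite.All',
    'Sites.Read.All', 'Sites.ReadWrite.All', 'Directory.AccessAsUser.All',
    'offline_access'   # refresh token: access outlives the browser session
)

$spCache = @{}
function Get-CachedServicePrincipal([string]$ObjectId) {
    if (-not $spCache.ContainsKey($ObjectId)) {
        $spCache[$ObjectId] = Get-AzureADServicePrincipal -ObjectId $ObjectId
    }
    $spCache[$ObjectId]
}

$report = foreach ($grant in Get-AzureADOAuth2PermissionGrant -All $true) {
    $client   = Get-CachedServicePrincipal $grant.ClientId     # the app that received consent
    $resource = Get-CachedServicePrincipal $grant.ResourceId   # the API it was granted on (e.g. Microsoft Graph)
    $scopes   = @($grant.Scope -split ' ' | Where-Object { $_ })

    # ConsentType 'AllPrincipals' = admin consent for everyone; 'Principal' = one user consented
    if ($grant.ConsentType -eq 'AllPrincipals') {
        $consentedBy = '<all users (admin consent)>'
    } else {
        try { $consentedBy = (Get-AzureADUser -ObjectId $grant.PrincipalId).UserPrincipalName } catch { $consentedBy = "<deleted user $($grant.PrincipalId)>" }
    }

    [pscustomobject]@{
        App           = $client.DisplayName
        Publisher     = $client.PublisherName
        ExternalApp   = ($client.AppOwnerTenantId -ne $tenantId)   # registered in another tenant (Microsoft's own apps included)
        ConsentedBy   = $consentedBy
        Resource      = $resource.DisplayName
        HighImpact    = (@($scopes | Where-Object { $HighImpactScopes -contains $_ }) -join ' ')
        AllScopes     = ($scopes -join ' ')
        ReplyUrls     = ($client.ReplyUrls -join ' ')   # the slide-41 gotcha: visible here without AzureRM
        GrantObjectId = $grant.ObjectId                 # handle for Remove-AzureADOAuth2PermissionGrant
    }
}

# External apps holding high-impact scopes float to the top.
$report |
    Sort-Object -Property @{ Expression = { $_.ExternalApp -and $_.HighImpact }; Descending = $true } |
    Format-Table App, Publisher, ExternalApp, ConsentedBy, HighImpact, ReplyUrls -AutoSize

# Once a grant is confirmed illicit, revoke it (the app keeps its registration, the access stops):
# Remove-AzureADOAuth2PermissionGrant -ObjectId '<GrantObjectId from the table>'
```

Two caveats: ExternalApp is true for Microsoft's own first-party apps as well, so read it together with the Publisher column rather than on its own; and the AzureAD module has since been deprecated in favour of Microsoft Graph PowerShell, where the same data comes from Get-MgOauth2PermissionGrant and Get-MgServicePrincipal (ReplyUrls is a property of the service principal there too).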
45. Remedy: Cloud App Security
▪ portal.cloudappsecurity.com
▪ Create an OAuth app security policy
▪ Decide to notify or revoke
46. Remedy: Educate users!
▪ Remember the levelized phishing awareness campaign approach?
▪ Create your own bogus application and send links that prompt for consent
▪ Redirect users to education site
▪ Reach out to me for details
@BenMenesi
ben.menesi@panagenda.com
48. Teams vs. Zoom vs. Webex
▪ All online meeting platforms grew exponentially due to Covid-19 (https://www.techradar.com/news/microsoft-teams-zooms-past-zoom-in-the-race-for-collaboration-tools-supremacy)
▪ Teams: 894% usage growth
▪ Zoom: 677% usage growth
▪ Webex: 451% usage growth
49. Zoom-bombing
▪ Zoom has exploded since the beginning of Covid-19 and so did its bad press: Zoom-bombing, vulnerabilities
▪ What is zoom-bombing? Uninvited participants join a meeting whose ID or link they guessed or found, and disrupt it
▪ Zoom meeting URL: (slide screenshot)
▪ April 2020: meetings password protected
▪ https://thehackernews.com/2020/07/zoom-meeting-password-hacking.html
▪ Bonus: did you know? You can use waiting rooms in Zoom, too (think: lobby in Teams!): https://blog.zoom.us/secure-your-meetings-zoom-waiting-rooms/
50. Zoom meeting security
▪ Zoom meeting URLs at this point (slide diagram): base URL zoom.us/j/ (static) + 9-11 digit meeting ID (1B possibilities for 9 digits alone); nothing else stands between the URL and the meeting
51. Zoom meeting security
▪ Zoom meeting IDs: easy to brute-force.
▪ Request zoom.us/j/123456789 and look at the response: if the ID is valid, there is no join-errormsg element in the HTML body; if invalid, the body contains div id="join-errormsg"
52. Zoom-bombing
▪ Fixed between September 2019 and April 2020 by
▪ Enforcing automatic passwords
▪ Meeting ID validation
▪ Device blocker (prevent brute-force)
▪ But then: https://thehackernews.com/2020/07/zoom-meeting-password-hacking.html
53. Zoom meeting security
▪ Zoom meeting URLs at this point (with automatic passwords; slide diagram): base URL zoom.us/j/ (static) + 9-11 digit meeting ID (1B possibilities for 9 digits alone) + 6-digit meeting password (1M possibilities); date & time are the only remaining gate in front of the meeting
54. Zoom issues
▪ April 2020: cracking meeting passwords for Zoom (https://thehackernews.com/2020/07/zoom-meeting-password-hacking.html)
▪ Typical Zoom join URL: zoom.us/j/MEETING_ID?pwd=999999
▪ 6-digit numeric password: 10x10x10x10x10x10 = 1,000,000 combinations
▪ No lockout feature: all possibilities could be tried with a Python script in a few minutes
▪ Fixed later in April 2020 by increasing password complexity. Sample of the current password format (32 characters from a Base64 alphabet):
bkltODZHbDd1QlA1ZS9kRk15cjNVdz09
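The following is an added example (not from the deck, and not a scanner) that makes the three points of slides 51, 53 and 54 measurable offline: a classifier that shows how the join-errormsg response oracle distinguished valid from invalid meeting IDs, a keyspace-versus-request-rate calculation that shows why the missing lockout turned a 6-digit password into a minutes-long job, and a decoder that peels the deck's sample pwd value, which is Base64 of a Base64 string, down to its raw bytes so the real entropy of the replacement format can be compared with the roughly 20 bits of a 6-digit number. The two HTML snippets are constructed to mirror the slide, not captured from zoom.us; the request rates are illustrative assumptions.

```powershell
# Added example, not from the deck. Constructed HTML stands in for zoom.us responses.

# 1) The meeting-ID oracle: only an invalid ID produced the error div (historical behaviour).
function Test-ZoomJoinPageValid([string]$Html) {
    return -not ($Html -match 'id="join-errormsg"')
}
$validPage   = '<html><body><div id="join-form">Launching Zoom...</div></body></html>'   # constructed
$invalidPage = '<html><body><div id="join-errormsg">Invalid meeting ID.</div></body></html>'   # constructed
Test-ZoomJoinPageValid $validPage
Test-ZoomJoinPageValid $invalidPage

# 2) Why "no lockout" mattered: the whole keyspace in wall-clock hours at an assumed request rate.
function Get-BruteForceHours([double]$Combinations, [double]$RequestsPerSecond) {
    [math]::Round($Combinations / $RequestsPerSecond / 3600, 2)
}
Get-BruteForceHours -Combinations 1e6 -RequestsPerSecond 1000   # every 6-digit password, 1000 req/s
Get-BruteForceHours -Combinations 1e9 -RequestsPerSecond 1000   # every 9-digit meeting ID, 1000 req/s

# 3) What the replacement format is worth: decode the slide's sample pwd twice and count raw bytes.
function Get-ZoomPwdEntropyBits([string]$Pwd) {
    $inner = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($Pwd))   # itself Base64, '=='-padded
    $raw   = [Convert]::FromBase64String($inner)
    8 * $raw.Length
}
Get-ZoomPwdEntropyBits 'bkltODZHbDd1QlA1ZS9kRk15cjNVdz09'
[math]::Round([math]::Log(1e6, 2), 2)   # bits of entropy in a 6-digit numeric password, for comparison
```

The sample value decodes to 16 raw bytes, i.e. 128 bits against the 6-digit format's 20; whether every Zoom password is built the same way is not something the deck or this example establishes, it only shows how to check a given value. The oracle function is the general lesson: any join or login endpoint whose response body (or length, or timing) differs between "exists" and "does not exist" is an enumeration primitive, and the lockout or rate limit is what turns a large keyspace into an actual defence.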
55. Zoom issues
▪ July 2020: RCE in Zoom desktop (https://blog.0patch.com/2020/07/remote-code-execution-vulnerability-in.html)
▪ Remote code execution vulnerability in the Zoom desktop client running on Windows 7 or earlier
▪ Fixed within 1(!!!) day
57. Decoding Teams Meeting URLs
▪ Let’s look at a meeting URL:
https://teams.microsoft.com/l/meetup-join/19%3ameeting_MDA0NjEyNWQtOGI3OS00NWZhLWIxYmItNDkyNzE0ZmRmOTY0%40thread.v2/0?context=%7b%22Tid%22%3a%229fe808d4-38ba-4977-aa7c-44fc363cb42c%22%2c%22Oid%22%3a%2216fd9435-93cf-4809-84c7-44837349723c%22%7d
▪ There is a lot going on here ☺ Let’s take it apart
58. Decoding Teams Meeting URLs
▪ What is a meeting join URL made of?
▪ Points 1 and 3 always appear to be the same
▪ Point 2: meeting resource ID, a GUID in Base64-encoded text form (for the URL above, MDA0NjEyNWQtOGI3OS00NWZhLWIxYmItNDkyNzE0ZmRmOTY0 decodes to 0046125d-8b79-45fa-b1bb-492714fdf964, a version 4, i.e. random, GUID)
▪ Point 3: static values
▪ Point 4: Organizer context (Tid: tenant ID [GUID], Oid: organizer ID [GUID])
1.) Base: https://teams.microsoft.com/l/meetup-join/19%3a (%3a is a URL-encoded colon, so the thread ID starts with 19:)
2.) Meeting ID: meeting_MDA0NjEyNWQtOGI3OS00NWZhLWIxYmItNDkyNzE0ZmRmOTY0%40 (%40 is a URL-encoded @)
3.) Thread version: thread.v2/0?
4.) Context: context=%7b%22Tid%22%3a%229fe808d4-38ba-4977-aa7c-44fc363cb42c%22%2c%22Oid%22%3a%2216fd9435-93cf-4809-84c7-44837349723c%22%7d, which URL-decodes to {"Tid":"9fe808d4-38ba-4977-aa7c-44fc363cb42c","Oid":"16fd9435-93cf-4809-84c7-44837349723c"}
59. Real security of a Teams Meeting
▪ Essentially each meeting invite consists of 3 GUIDs (Globally Unique Identifiers)
▪ GUID: 128-bit integer used to identify resources; a random (version 4) GUID carries 122 random bits
▪ Unique: generating 1B random GUIDs per second, it takes roughly 86 years before there is a 50% chance of even one duplicate
▪ Meeting GUID (Base64 encoded), Tenant ID (URL encoded), Organizer ID (URL encoded)
▪ Slide diagram: the meeting sits behind those GUIDs plus date & time and lobby admittance
60. Teams-bombing: findings
1.) None of the 3 GUID components can be bypassed
2.) Since the tenant ID is semi-public information, it is susceptible to Google hacking (search-engine discovery)
3.) The Teams meeting ID is extremely secure and has no link whatsoever to the meeting’s calendar entry or calendar ID
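As an added example (this is the editor's code, not the deck's), the PowerShell below takes the slide's own join URL apart with plain .NET: it unescapes the path, recovers the meeting GUID from its Base64 text form, reads the version digit to confirm it is a random GUID, and parses the Tid/Oid context. It then backs up findings 2 and 3: Get-TenantIdFromDomain shows why the tenant ID is semi-public (any verified domain resolves to it through the public OpenID configuration endpoint; a network call, with a placeholder domain), and Get-YearsToHalfChanceOfDuplicate carries the birthday bound for 122 random bits, which is the "1 billion per second" figure from slide 59. Function names are this example's own.

```powershell
# Added example, not from the deck: decode a Teams meeting-join URL and size its search space.
$joinUrl = 'https://teams.microsoft.com/l/meetup-join/19%3ameeting_MDA0NjEyNWQtOGI3OS00NWZhLWIxYmItNDkyNzE0ZmRmOTY0%40thread.v2/0?context=%7b%22Tid%22%3a%229fe808d4-38ba-4977-aa7c-44fc363cb42c%22%2c%22Oid%22%3a%2216fd9435-93cf-4809-84c7-44837349723c%22%7d'

function ConvertFrom-TeamsJoinUrl([string]$Url) {
    $uri = [uri]$Url
    # Path: /l/meetup-join/<thread id>/<message id>; %3a -> ':' and %40 -> '@' after unescaping
    $segments = $uri.AbsolutePath.Trim('/').Split('/') | ForEach-Object { [uri]::UnescapeDataString($_) }
    if ($segments.Count -lt 4 -or $segments[0] -ne 'l' -or $segments[1] -ne 'meetup-join') {
        throw "Not a Teams meeting-join URL: $Url"
    }
    $m = [regex]::Match($segments[2], '^19:meeting_([A-Za-z0-9+/=]+)@(thread\.v2)$')
    if (-not $m.Success) { throw "Unexpected thread id: $($segments[2])" }

    # Part 2: Base64 of the GUID's 36-character text form, not of its 16 raw bytes
    $meetingId = [guid][Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($m.Groups[1].Value))

    # Part 4: context={"Tid":"...","Oid":"..."} once URL-decoded
    $query = [uri]::UnescapeDataString($uri.Query.TrimStart('?'))
    $ctx   = ($query -replace '^context=', '') | ConvertFrom-Json

    [pscustomobject]@{
        MeetingId     = $meetingId
        GuidVersion   = [int]('0x' + $meetingId.ToString()[14])   # 13th hex digit; 4 = random GUID
        ThreadVersion = $m.Groups[2].Value
        MessageId     = $segments[3]
        TenantId      = [guid]$ctx.Tid   # semi-public: resolvable from the tenant's domain name
        OrganizerId   = [guid]$ctx.Oid   # a user object id
    }
}
ConvertFrom-TeamsJoinUrl $joinUrl

# Finding 2: the tenant id is not a secret. Any verified domain resolves to it via the public
# OpenID configuration endpoint (network call; the domain is a placeholder).
function Get-TenantIdFromDomain([string]$Domain) {
    $cfg = Invoke-RestMethod "https://login.microsoftonline.com/$Domain/v2.0/.well-known/openid-configuration"
    ([uri]$cfg.issuer).Segments[1].Trim('/')   # issuer = https://login.microsoftonline.com/<tenant id>/v2.0
}
# Get-TenantIdFromDomain 'contoso.example'

# Finding 3: the only secret in the link is the meeting GUID, 128 bits minus 4 version and 2 variant bits.
# Birthday bound for a generator: n = sqrt(2 * ln 2 * 2^122) draws for a 50 % chance of one duplicate.
function Get-YearsToHalfChanceOfDuplicate([double]$GuidsPerSecond, [int]$RandomBits = 122) {
    $n = [math]::Sqrt(2 * [math]::Log(2) * [math]::Pow(2, $RandomBits))
    [math]::Round($n / $GuidsPerSecond / (365.25 * 86400))
}
Get-YearsToHalfChanceOfDuplicate -GuidsPerSecond 1e9
```

The birthday figure describes a generator colliding with itself; an outsider guessing one specific live meeting has the full 2^122 space divided by the number of meetings that exist at that moment, which is far worse for the attacker. That is why the practical risks on the following slides are about who is already inside the link (forwarded invites, removed externals, anonymous join), not about guessing it.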
62. Avoiding Teams issues (especially education)
What the little rascals like to do:
▪ 1.) Muting the teacher (presenter)
▪ 2.) Mute other participants
▪ 3.) Kick other attendees from meetings
▪ 4.) Start sharing their screen (taking over from other presenters, since every attendee is an equal presenter by default)
63. Avoiding Teams issues (especially education)
▪ Organizer options while in meeting: manually modify attendee roles
▪ OR: (Better): Meeting options while / after scheduling
▪ Tricky: you only have access to meeting options AFTER saving the meeting!
64. Meeting chats & resources
▪ This can be a HUGE issue if not paid attention to (slide timeline):
▪ Invite: an external user is invited to a meeting
▪ Meeting: participants are shown and can interact during the meeting
▪ Post-meeting: the meeting chat stays visible after the meeting, with all content that was shared in it (including files via OneDrive)
65. Meeting chats & resources
▪ Exercise: go back and look at your previous Teams meetings
▪ See how many of them removed you as a participant
66. Meeting chats & resources
▪ Story: vendor briefing
▪ What happens if you do remove someone but it’s a recurring meeting?
▪ Best Practice: NEVER invite externals to recurring, internal meetings!
1.) External participant is removed from the meeting chat
2.) External participant reuses the calendar link to join
3.) External participant is added back into the chat & can view meeting presence / join when the meeting occurs
67. Anonymous Meeting Attendees
▪ You can prevent / allow anonymous users from attending Teams meetings
▪ Anonymous join does not require the Teams client
▪ There is a tradeoff (slide table):
▪ Anonymous allowed: use it with externals, no need for Zoom
▪ Anonymous prevented: keep your meetings secure and attendees authenticated
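Rather than relying on every organizer finding "Meeting options" after saving (slide 63), the three decisions from slides 62, 63 and 67 can be set once in a Teams meeting policy. The PowerShell below is an added example, not from the deck: it reads the current global values, creates a hardened policy for teaching staff, assigns it per organizer so that the "anonymous allowed" side of the tradeoff stays available to everyone else, and shows the org-wide switch as a comment. It uses the MicrosoftTeams module and Teams admin rights; the policy name 'Classroom-Hardened' and the user teacher@contoso.example are placeholders.

```powershell
# Added example, not from the deck: classroom defaults as a Teams meeting policy.
# Assumes: Install-Module MicrosoftTeams; Teams Administrator role.
Connect-MicrosoftTeams | Out-Null

# Current global values for the three settings behind slides 62-63 and 67
Get-CsTeamsMeetingPolicy -Identity Global |
    Select-Object Identity, DesignatedPresenterRoleMode, AutoAdmittedUsers, AllowAnonymousUsersToJoinMeeting

# Relaxed side of the tradeoff, shown for contrast only: everyone presents, nobody waits in the
# lobby, anonymous join allowed.
# Set-CsTeamsMeetingPolicy -Identity Global -DesignatedPresenterRoleMode 'EveryoneUserOverride' `
#     -AutoAdmittedUsers 'Everyone' -AllowAnonymousUsersToJoinMeeting $true

# Hardened policy for teaching staff: only the organizer presents unless they promote someone
# (pupils cannot mute, remove or take over sharing), own-tenant users skip the lobby, everyone
# else waits, and anonymous (unauthenticated) join is off for meetings these users organize.
New-CsTeamsMeetingPolicy -Identity 'Classroom-Hardened' `
    -DesignatedPresenterRoleMode 'OrganizerOnlyUserOverride' `
    -AutoAdmittedUsers 'EveryoneInCompany' `
    -AllowAnonymousUsersToJoinMeeting $false

# Assign per organizer; users without an assignment keep Global.
Grant-CsTeamsMeetingPolicy -Identity 'teacher@contoso.example' -PolicyName 'Classroom-Hardened'

# The org-wide kill switch from slide 67, if the decision is "anonymous prevented" for everyone:
# Set-CsTeamsMeetingConfiguration -DisableAnonymousJoin $true
```

DesignatedPresenterRoleMode only sets the default; an organizer can still promote a pupil in Meeting options or during the meeting, so the policy removes the need to remember the setting without removing the organizer's control.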
69. Giphies in Teams – once again a tradeoff
▪ Nay Giphies! FB acquisition, account takeover
▪ Yay Giphies! Relaxed collaboration
70. Giphies in Teams
▪ Facebook acquisition: tons of data collected
▪ Account takeover possibility via Giphy: https://www.cyberark.com/resources/threat-research-blog/beware-of-the-gif-account-takeover-vulnerability-in-microsoft-teams
▪ Note: this was NOT due to Giphy being Giphy, it was due to a subdomain takeover vulnerability that has since been fixed!
▪ Disable Giphy org-wide (Messaging Policies): https://docs.microsoft.com/en-us/microsoftteams/messaging-policies-in-teams
▪ Disable Giphy per Team (PowerShell): https://hochwald.net/facebook-acquired-giphy-how-to-disable-it-in-microsoft-teams
73. List of Resources
▪ Information Barriers: https://docs.microsoft.com/en-us/microsoft-365/compliance/information-barriers?view=o365-worldwide
▪ Teams Security & Compliance Overview: https://docs.microsoft.com/en-us/microsoftteams/security-compliance-overview
▪ Settings and Security issues in Microsoft Teams: https://www.meetimeapps.com/blog/settings-and-security-issues-in-microsoft-teams
▪ Decoding Teams meeting URLs: http://imaucblog.com/archive/2018/01/16/decoding-a-microsoft-teams-meeting-url/
▪ Teams messaging policies: https://docs.microsoft.com/en-us/microsoftteams/messaging-policies-in-teams