Microsoft Teams Local Information Disclosure in Windows, Linux, and macOS
By Bryson Medlock, September 15, 2022
Information has recently been disclosed regarding a method an attacker can use to gain access to a Microsoft Teams or Skype account even with MFA turned on. Microsoft Teams is a communications platform included with Microsoft 365 and used in workplaces around the world for real-time collaboration and communication, video conferencing, and file and app sharing; it has over 270 million users. According to information disclosed by security firm Vectra, the issue in question is that the desktop application versions of Microsoft Teams store access tokens on disk in clear text. Keep in mind that an attacker must already have access to the local file system to get this information, so this is a method an attacker could potentially use for lateral phishing or to gain access to confidential information stored in Teams.
Microsoft Teams is developed on a framework called Electron. Electron is a framework built on Node.js and Chromium that allows a developer to build desktop applications using web technologies such as JavaScript, HTML, and CSS by running the web application inside a custom Chromium-based browser. Since the Teams application is essentially a web app running in a browser, the built-in web browser requires traditional browser data such as cookies.
Microsoft Teams is essentially a conglomeration of other M365 services that rely on Skype, SharePoint, and Outlook using the Microsoft Graph API. After a user logs in to Teams (after MFA), an access token is created. The access token is a temporary token, generated by the Microsoft identity platform, with a default useful lifetime between 60 and 90 minutes. An access token is how an application verifies which permissions a user has while they are using the application. Essentially, it is how you remain logged in to the application without having to re-authenticate for every action you perform. Depending on your configuration, before the token expires the application can perform a “silent” login to obtain a new token with a new expiration time. If you have access to a current, valid access token, it can be used to access the Graph API directly and thereby perform actions as the user who owns the token. Because the access token is created after a user authenticates, including MFA, this information could be used as an MFA bypass.
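To make the lifetime discussion concrete, here is an added example (not code from this post, from Vectra, or from Microsoft) that inspects a bearer token the way a responder would when one turns up in an alert: it checks the signature, then reports the issue time, the configured lifetime, and how many seconds of usable life remain. Microsoft identity platform tokens are RS256-signed JWTs whose public keys are published through the tenant's JWKS endpoint; this example instead signs a constructed HS256 token with a constructed demo key so it runs offline, and the claim values (user, audience, 75-minute lifetime) are made up for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 JWT for this demo only. Real Microsoft identity
    platform tokens are RS256-signed; this helper just lets the example run offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def signature_is_valid(token: str, key: bytes) -> bool:
    """Recompute the HS256 MAC over header.payload and compare in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        given = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return False
    if header.get("alg") != "HS256":
        return False  # never accept an alg the verifier did not expect
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)


def inspect_token(token: str, key: bytes, now: int) -> dict:
    """Return the claims a responder cares about plus the remaining life at `now`."""
    if not signature_is_valid(token, key):
        raise ValueError("signature mismatch or malformed token")
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    remaining = claims["exp"] - now
    return {
        "upn": claims.get("upn"),
        "aud": claims.get("aud"),
        "issued_at": claims["iat"],
        "lifetime_s": claims["exp"] - claims["iat"],
        "remaining_s": remaining,
        "still_valid": remaining > 0,
    }


# Constructed demo material: key, issue time, and a 75-minute lifetime like the
# average the post cites. None of this is a real secret or a real token.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
DEMO_IAT = 1663200000
DEMO_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "upn": "user@example.com",
    "iat": DEMO_IAT,
    "nbf": DEMO_IAT,
    "exp": DEMO_IAT + 75 * 60,
}
DEMO_TOKEN = make_constructed_token(DEMO_CLAIMS, DEMO_KEY)


if __name__ == "__main__":
    # Half an hour after issue the token is still usable; a minute past exp it is not.
    print(inspect_token(DEMO_TOKEN, DEMO_KEY, DEMO_IAT + 30 * 60))
    print(inspect_token(DEMO_TOKEN, DEMO_KEY, DEMO_IAT + 76 * 60))
    print("tampered accepted:", signature_is_valid(DEMO_TOKEN[:-5] + "AAAAA", DEMO_KEY))
```

The practical point for a SOC is the `remaining_s` value: a token recovered from a compromised endpoint is only useful to an attacker until `exp`, so the response window is the token lifetime unless the application's silent re-login has already minted a successor. Against real tokens, swap the HS256 check for RS256 verification with the tenant's published keys; the expiry arithmetic is the same.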
Gaining access to the token does require file system access as a user who has already authenticated to Teams, and the token has a limited shelf life (on average about 75 minutes). For these reasons, Microsoft closed the case submitted by Vectra, telling them it did not meet their standard for “immediate servicing.” Since there is no fix coming from Microsoft anytime soon, Vectra recommends using the browser-based version of Teams rather than the desktop application. Modern web browsers use native OS tools to secure and encrypt cookie content, since access tokens are a common programming technique used by many web applications and they must be stored somewhere locally to be used.
Overall, this is not a critical vulnerability, though we could start seeing threat actors adding this technique to their toolchain, possibly even creating a tool similar to Mimikatz. That being said, plenty of existing infostealer malware in the wild today can also access encrypted browser data for post-exploitation and lateral movement. The fact that Teams stores the access token in clear text doesn’t change anything significantly; it just saves threat actors a step.