On June 14, 2021, Tenable researcher Evan Grant published a blog post on a zero-day vulnerability in Microsoft Teams. This responsible disclosure came alongside a server-side patch from Microsoft that fixed the issue for all Teams users. In the report, the researcher described a bug in the Teams Power Apps service that could allow malicious actors to craft malicious Power Apps tabs that steal authentication tokens, enabling data extraction and messaging impersonation.
At the heart of the vulnerability was an error in authenticating the iFrames behind legitimate Power App tabs. The iFrames on which Power App tabs are built are all hosted on the domain "make.powerapps.com," and any attempt to load an iFrame from a different domain was supposed to fail, meaning individuals shouldn't be able to make a Power App tab outside of their designated environment. But the researcher found that the domain check was incomplete: it could be fooled by a hostname that merely began with the expected domain. For example, he was able to load iFrames from a domain he controlled, make.powerapps.com.fakecorp.ca.
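As an added illustration (not code from Tenable's post or from Microsoft), the snippet below contrasts a hostname-prefix comparison, which the lookalike host from the post would pass, with an exact origin comparison that rejects it. The prefix version is an assumed reconstruction of the described behaviour, not the actual Teams check; the sample URLs are constructed.

```javascript
// Trusted origin for Power App tab iFrames, as named in the post.
const ALLOWED_ORIGIN = "https://make.powerapps.com";
const ALLOWED_HOST = "make.powerapps.com";

// Weak check (assumed reconstruction of the flawed behaviour): only asks whether
// the hostname *starts with* the trusted host, so "make.powerapps.com.fakecorp.ca"
// is accepted even though it is a completely different registrable domain.
function isAllowedPrefixCheck(tabUrl) {
  let host;
  try {
    host = new URL(tabUrl).hostname;
  } catch (e) {
    return false; // unparseable input is never trusted
  }
  return host.startsWith(ALLOWED_HOST);
}

// Hardened check: parse the URL and compare the full origin (scheme + host +
// port) for equality. This rejects lookalike suffixes, plain http, non-default
// ports and userinfo tricks such as "https://make.powerapps.com@fakecorp.ca/".
function isAllowedExactOrigin(tabUrl) {
  let url;
  try {
    url = new URL(tabUrl);
  } catch (e) {
    return false;
  }
  return url.origin === ALLOWED_ORIGIN;
}

// Constructed sample inputs: the legitimate host, the lookalike from the post,
// and a few other forms a validator should refuse.
const SAMPLE_TAB_URLS = [
  "https://make.powerapps.com/tab?x=1",
  "https://make.powerapps.com.fakecorp.ca/tab",
  "https://make.powerapps.com@fakecorp.ca/tab",
  "http://make.powerapps.com/tab",
  "not a url",
];

// Returns, per sample, what each checker decides so the two can be compared.
function compareChecks(urls = SAMPLE_TAB_URLS) {
  return urls.map((u) => ({
    url: u,
    prefixCheck: isAllowedPrefixCheck(u),
    exactOrigin: isAllowedExactOrigin(u),
  }));
}

console.table(compareChecks());
```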
Using this exploit, Grant was able to load his own crafted iFrames into Power App tabs for an environment. When a victim clicked on the tab in their Teams environment, it would scrape a variety of authentication tokens from the victim and send them to the malicious actor's email account. The researcher demonstrated that he could obtain a slew of authentication tokens, including one for service.flow.microsoft.com, which would allow a malicious actor to create their own Power Automate flows, effectively giving them access to the victim's Outlook, Teams, OneDrive, SharePoint, and more. This opens the door to a wide variety of further abuse.
In his write-up, the researcher demonstrated how to extract files from a victim's OneDrive and noted that the same access gives the actor the ability to send messages on behalf of the victim through Teams. If exploited, this could have allowed the actor to conduct very convincing spear-phishing and Business Communication Compromise attacks across the victim's Teams network.
As we saw in the recent attack on EA Games, social engineering attempts within a collaboration network can be devastating, and they are more effective because of the trust people place in what is supposed to be a private communications channel. For example, a fraudulent message sent from an executive's Teams or Slack account asking for a wire transfer, sensitive documentation, or just a phone number through which to continue the attack would likely have a much higher rate of success than an email using the same wording. Additionally, while such messages may get flagged in email (depending on what protections are in place), messages in Teams and other cloud-based collaboration channels have little to no rules in place to detect or alert on malicious behavior of this kind.
As zero-day vulnerabilities in third-party collaboration tools like this are found, it is essential to build out monitoring and defense capabilities to catch any exploitation that may occur. While a researcher responsibly disclosed this zero-day, the next one may be discovered by a threat actor. In that instance, defenders do not get the benefit of knowledge or a patch and instead have to rely on their own capabilities to detect and respond to malicious activity on these platforms.
At SafeGuard Cyber, our mission is to help defenders establish and consolidate visibility across their various collaboration and digital communication tools, apply consistent analysis to these data streams, and detect malicious activity such as social engineering, malware, data exfiltration attempts, and insider threats. You can request a demo to learn more about how SafeGuard Cyber can secure your cloud-based communications.