
Microsoft Teams Phishing Exploit

The phishing exploit in Microsoft Teams, as revealed by Max Corbridge and Tom Ellson from JUMPSEC’s Red Team, is a significant and subtle vulnerability inherent in the platform’s default configuration. This means most organizations using Microsoft Teams are vulnerable unless they have taken explicit steps to prevent it. The exploit takes advantage of the feature that allows communication between different tenants in Teams, enabling malicious actors to impersonate trusted external contacts and launch devastating phishing attacks.

This blog details what exactly the exploit is and how to implement proactive measures based on your unique Teams instance that will minimize risk without causing any surprise disruptions to business operations. With complete visibility and control of their Microsoft application suite, Obsidian customers can easily leverage our platform to limit the likelihood and blast radius of a security incident related to this vulnerability.

Understanding the Microsoft Teams Exploit

This Teams phishing exploit is particularly concerning because of the potentially damaging level of access it provides and its subtle nature, which makes it difficult to detect. The default configuration of Teams allows tenants to communicate freely, even when the receiving tenant has not explicitly allowed the sender. This lets an external party contact your organization, potentially impersonating trusted individuals or entities in order to carry out a phishing attack. Unless explicit steps are taken to mitigate this vulnerability, the danger remains for any organization using Teams.

Mitigating the Exploit with Microsoft Teams Settings

The appropriate mitigation method will be dependent on your organization’s unique risk tolerance levels and Teams use cases. It boils down to a simple question – do you need communication with external tenants for any reason?

  • If no: block this setting for your organization
  • If yes: restrict this setting to selective use cases

Selective Accessibility: Control external domain communication

For organizations requiring external tenant communication but only with select domains, a strategy of selective accessibility can help minimize risks without slowing down business.

To configure your settings:

  • Go to the Microsoft Teams Admin Center.
  • Select ‘Users’ followed by ‘External Access’.
  • Locate the “Choose which external domains your users have access to” -> “Allowed Domains” setting, which dictates the external domains your organization can interact with.
  • Specify the domains with which your organization needs to communicate. This confines your network’s exposure to these approved, trusted domains only.
  • Similarly, list domains you want to restrict communication with under ‘Blocked Domains’. This blocks potentially harmful or untrusted domains.
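The same two outcomes from the "do you need external communication?" decision above (block it entirely, or restrict it to named domains) can be applied and verified from the MicrosoftTeams PowerShell module instead of clicking through the Admin Center. The following is an added example written for this post, not code from Obsidian, JUMPSEC or Microsoft. It assumes the MicrosoftTeams module is installed, that the account running it holds a Teams administrator role, and that the domain names are placeholders you replace with your own partners.

```powershell
# Added example, not from the original post. Assumes the MicrosoftTeams module
# is installed and the caller is a Teams administrator. Domain names below are
# placeholders, not real partner or attacker domains.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Audit the current external-access posture before changing anything.
#    AllowFederatedUsers = $true with an "allow all" AllowedDomains entry is the
#    open default the post describes.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains, BlockedDomains

# 2a. "If no": turn off communication with external tenants altogether.
#     Uncomment only if your organization has no external Teams use case.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 2b. "If yes": allow only the partner domains you name ("Allowed Domains").
#     Any domain not in this list can no longer reach your users via Teams.
$partnerDomains = @("partner-one.example", "partner-two.example")   # placeholders
$patterns  = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 2c. Alternative for the "Blocked Domains" list: keep external access broadly
#     open but deny specific domains. This applies when the allow list is left
#     as "all known domains"; an explicit allow list (2b) takes precedence.
# $blocked = New-CsEdgeDomainPattern -Domain "untrusted.example"     # placeholder
# Set-CsTenantFederationConfiguration -AllowedDomains (New-CsEdgeAllowAllKnownDomains) `
#     -BlockedDomains @($blocked)

# 3. Re-read the configuration and confirm the change took effect.
$cfg = Get-CsTenantFederationConfiguration
if ($cfg.AllowFederatedUsers -and $cfg.AllowedDomains.AllowedDomain.Count -eq 0) {
    Write-Warning "External access is still open to all domains; review the allow list."
} else {
    Write-Host "External access restricted. Allowed:" ($cfg.AllowedDomains.AllowedDomain.Domain -join ", ")
}
```

Run step 1 first and keep its output: it is the evidence of the pre-change state if a partner later reports they can no longer reach your users. Note that the allow list and the block list are alternative modes of the same setting rather than layers; once you supply an explicit allow list (2b), anything not on it is already denied, so the block list (2c) is only needed if you choose to keep external access broadly open.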

Streamline Your Security with Obsidian

Obsidian can support your organization in maintaining a secure Teams environment. As a leading suite of productivity applications inclusive of Teams, Microsoft 365 handles a wide variety of your organization’s critical business data, putting it at high risk for malicious attackers, insider threats, and accidental exposure. Obsidian protects Microsoft 365 by helping security teams harden configurations, manage privileged access, and identify potential threats quickly. Schedule a demo today to see for yourself.