Tenable research finds serious vulnerability in Microsoft Teams

Tenable has disclosed details of a serious vulnerability in Microsoft Teams discovered by its Zero-Day Research Team. By abusing Power Apps functionality (a separate product, used within Teams, for building and using custom business apps), threat actors could gain persistent read/write access to a victim user’s email, Teams chats, OneDrive, SharePoint and a variety of other services by way of a malicious Microsoft Teams tab and Power Automate flows.

According to Microsoft, Teams reached 145 million daily active users in March 2021, roughly a 90% increase in the last 12 months. The growth is largely driven by a surge in remote work and distance learning, with many organisations rushing to make cloud-based communication and collaboration as simple as possible.

“Despite its simplicity, this vulnerability poses a significant risk as it could be leveraged to launch a number of different attacks across a variety of services, potentially exposing sensitive files and conversations, or to allow an attacker to masquerade as other users and perform actions on their behalf,” said Evan Grant, Staff Research Engineer at Tenable. “Given the number of access tokens this vulnerability exposes, there are likely to be other creative and serious potential attacks not explored in our proofs-of-concept.”

Exploitation of this vulnerability is limited to authenticated users within a Teams organisation who have the ability to create Power Apps tabs, meaning it can’t be exploited by an untrusted/unauthenticated attacker. However, the permission to create these tabs is enabled by default, meaning a third-party contractor, disgruntled employee, or even an ex-employee whose access hasn’t been revoked could launch an attack. At this time there is no evidence that this vulnerability has been exploited in the wild. Microsoft has implemented a solution to this issue, with no further action needed from end-users.
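Because the attack path described above starts with a Power Apps tab added to a Teams channel, a defender’s first check is an inventory of which channels carry such tabs. The script below is an added example, not code from Tenable or Microsoft: it reads the tabs of a channel through the Microsoft Graph endpoint `GET /teams/{team-id}/channels/{channel-id}/tabs?$expand=teamsApp` (read access such as `TeamsTab.Read.All` is assumed) and flags the Power Apps ones by the expanded app’s display name. The matching rule and the sample response are assumptions made for illustration; the sample is constructed and is not real tenant data.

```python
"""Audit helper: list Power Apps tabs in a Microsoft Teams channel.

Added example (not Tenable's or Microsoft's code). Assumes the Graph
tabs endpoint with $expand=teamsApp and identifies a Power Apps tab by
the expanded teamsApp.displayName (assumption for illustration).
"""
import json
import urllib.request
from typing import Dict, Iterable, List

GRAPH = "https://graph.microsoft.com/v1.0"


def fetch_channel_tabs(token: str, team_id: str, channel_id: str) -> List[Dict]:
    """Fetch the tabs of one channel from Graph (network call; needs a bearer token)."""
    url = f"{GRAPH}/teams/{team_id}/channels/{channel_id}/tabs?$expand=teamsApp"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def is_power_apps_tab(tab: Dict) -> bool:
    """Assumed rule: the expanded teamsApp display name contains 'Power Apps'."""
    app = tab.get("teamsApp") or {}
    return "power apps" in (app.get("displayName") or "").lower()


def flag_power_apps_tabs(tabs: Iterable[Dict], channel_label: str) -> List[Dict]:
    """Return one finding per Power Apps tab with the fields needed for triage."""
    findings = []
    for tab in tabs:
        if not is_power_apps_tab(tab):
            continue
        app = tab.get("teamsApp") or {}
        config = tab.get("configuration") or {}
        findings.append({
            "channel": channel_label,
            "tab_id": tab.get("id"),
            "tab_name": tab.get("displayName"),
            "app_id": app.get("id"),
            "content_url": config.get("contentUrl"),  # where the tab actually loads from
            "web_url": tab.get("webUrl"),
        })
    return findings


# Constructed sample shaped like a Graph tabs response (not real data).
SAMPLE_TABS = [
    {
        "id": "tab-1",
        "displayName": "Wiki",
        "webUrl": "https://teams.microsoft.com/l/entity/example/wiki",
        "configuration": {"contentUrl": None},
        "teamsApp": {"id": "com.microsoft.teamspace.tab.wiki", "displayName": "Wiki"},
    },
    {
        "id": "tab-2",
        "displayName": "Expense Tracker",
        "webUrl": "https://teams.microsoft.com/l/entity/example/expense",
        "configuration": {"contentUrl": "https://apps.powerapps.com/play/example-app-id"},
        "teamsApp": {"id": "example-power-apps-app-id", "displayName": "Power Apps"},
    },
    {
        "id": "tab-3",
        "displayName": "Intranet",
        "webUrl": "https://teams.microsoft.com/l/entity/example/intranet",
        "configuration": {"contentUrl": "https://intranet.example.test/"},
        "teamsApp": {"id": "com.microsoft.teamspace.tab.web", "displayName": "Website"},
    },
]


def audit_sample() -> List[Dict]:
    """Run the check offline over the constructed sample."""
    return flag_power_apps_tabs(SAMPLE_TABS, "General")


if __name__ == "__main__":
    for finding in audit_sample():
        print(json.dumps(finding, indent=2))
```

Run `audit_sample()` to exercise the logic offline; for a live tenant, loop over teams and channels, call `fetch_channel_tabs` for each, and review every finding against the list of people who were expected to add Power Apps tabs. The check only inventories tabs that already exist; whether ordinary users may add such tabs in the first place is a tenant policy question, and the article notes that permission is on by default.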


Intelligent CISO
