The Vectra Protect team identified a post-exploitation opportunity in August, allowing malicious actors to steal valid user credentials from Microsoft Teams.
Vectra says that to achieve this, an actor needs only sufficient local or remote file-system access, because the user credentials are stored in plaintext on disk.
Vectra’s investigation uncovered that this plaintext credential management affected all commercial and GCC Desktop Teams clients for Windows, Mac, and Linux.
The company notes that while harvesting credentials from memory is a common post-exploitation step, its findings indicate that reducing credential harvesting to a task requiring nothing more than read access to the file system gives attackers far greater opportunity, since the task becomes very straightforward.
Further, Vectra says it is noteworthy when stolen credentials offer an opportunity to retain user access unencumbered by otherwise pesky Multi-Factor Authentication (MFA) roadblocks.
These tokens afford attackers the means to assume the identity of the token holder for any actions available to them through the Microsoft Teams client, such as using the token for accessing Microsoft Graph API functions from an attacker’s system.
In addition, these tokens are just as valid for MFA-enabled accounts, giving attackers the ability to bypass MFA checks during ongoing use.
The investigation came about after a Vectra Protect customer complained about how Microsoft Teams manages disabled identities: end users are unable to remove deactivated accounts through the UI because the Teams application requires the account to be signed in before it can be removed from the client.
However, users cannot sign in when their user account is disabled. As a result, Vectra Protect began to look at the local configuration data within the Teams client to understand how it works, and in doing so identified the issue.
Microsoft stores these credentials so users can have a seamless sign-in experience within the desktop application.
This means that anybody who installs the Microsoft Teams desktop client is storing the credentials an attacker needs to carry out any action available to that user through the Teams UI, even when Teams is shut down.
Vectra says Microsoft knows the issue exists but has indicated it is not an area needing immediate servicing.
One of the company’s biggest concerns is that the resulting proliferation of post-MFA user tokens throughout an environment gives malicious actors the opportunity to carry out further attacks, and to cause severe internal damage, without needing any other special permissions or advanced malware.
If enough machines are compromised, Vectra notes, attackers can conduct communications within an organisation, assuming complete control of the accounts of those in leadership positions and using phishing techniques to convince employees to perform tasks that damage the company.
The company says that until Microsoft updates the Teams desktop application, customers should be aware of and vigilant about the risks the problem poses, mitigating them by monitoring for unusual file access and for modifications to file-system ACLs.
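The monitoring advice above can be turned into a concrete detection rule: flag any process other than the Teams client that reads the Teams credential store, and flag any ACL change on that store. The following is an added example written for this article, not code from Vectra or Microsoft. It assumes a normalised, tab-separated file-activity log with the fields timestamp, host, process, action, path (the export format of a tool such as Sysmon or auditd after normalisation is an assumption), and because the article does not name the on-disk location of the credential store, `TEAMS_DATA_DIR`, the file name `token-store.db`, and the `EXPECTED_PROCESSES` allow-list are placeholders to be replaced with the real values for your platform. The log lines in `SAMPLE_LOG` are constructed for the example.

```python
"""Detection sketch for reads of and ACL changes to the Teams credential store.

Added example, not Vectra's or Microsoft's code. Input format, directory,
file name and process allow-list are assumptions (see comments).
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Placeholder: substitute the real Teams local-storage directory for your OS.
TEAMS_DATA_DIR = r"C:\Users\alice\AppData\Roaming\TEAMS_DATA_DIR_PLACEHOLDER"
# Processes expected to touch that directory on a healthy workstation
# (assumed allow-list; tune to your environment).
EXPECTED_PROCESSES = {"teams.exe", "msedgewebview2.exe"}
# Actions that mean the token material was read or copied.
WATCHED_ACTIONS = {"READ", "COPY"}


@dataclass(frozen=True)
class FileEvent:
    ts: str
    host: str
    process: str   # normalised to lower case
    action: str    # e.g. READ, WRITE, COPY, ACL_CHANGE (normalised to upper case)
    path: str


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    process: str
    reason: str
    path: str


def _norm(path: str) -> str:
    # Normalise separators and case so Windows and POSIX paths compare alike.
    return path.replace("\\", "/").rstrip("/").lower()


def under_teams_dir(path: str, teams_dir: str = TEAMS_DATA_DIR) -> bool:
    """True if path is the credential-store directory or anything beneath it."""
    base = _norm(teams_dir)
    p = _norm(path)
    return p == base or p.startswith(base + "/")


def parse_line(line: str) -> Optional[FileEvent]:
    """Parse one tab-separated log line; return None for malformed input."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None  # a real pipeline would count and report these
    ts, host, process, action, path = parts
    return FileEvent(ts, host, process.strip().lower(), action.strip().upper(), path)


def detect(lines: Iterable[str],
           teams_dir: str = TEAMS_DATA_DIR,
           expected: set = EXPECTED_PROCESSES) -> List[Alert]:
    """Return alerts for ACL changes on, or unexpected reads of, the token store."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not under_teams_dir(ev.path, teams_dir):
            continue
        if ev.action == "ACL_CHANGE":
            # Any ACL change on the store is worth a look, whoever made it.
            alerts.append(Alert(ev.ts, ev.host, ev.process,
                                "ACL modified on Teams credential store", ev.path))
        elif ev.action in WATCHED_ACTIONS and ev.process not in expected:
            alerts.append(Alert(ev.ts, ev.host, ev.process,
                                "unexpected process read Teams credential store", ev.path))
    return alerts


# Constructed sample log: one benign Teams read, one malformed line, one read by
# a scripting host, one ACL change, one unrelated file, one Teams write.
_STORE = TEAMS_DATA_DIR + r"\token-store.db"
SAMPLE_LOG = [
    "\t".join(["2022-09-13T09:01:02Z", "WS01", "Teams.exe", "READ", _STORE]),
    "malformed line without tab separators",
    "\t".join(["2022-09-13T09:05:40Z", "WS01", "powershell.exe", "READ", _STORE]),
    "\t".join(["2022-09-13T09:06:11Z", "WS01", "icacls.exe", "ACL_CHANGE", TEAMS_DATA_DIR]),
    "\t".join(["2022-09-13T09:07:00Z", "WS01", "notepad.exe", "READ", r"C:\Users\alice\Documents\notes.txt"]),
    "\t".join(["2022-09-13T09:08:30Z", "WS01", "Teams.exe", "WRITE", _STORE]),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.host} {a.process}: {a.reason} ({a.path})")
```

Run against `SAMPLE_LOG` this yields two alerts: the PowerShell read and the ACL change. The allow-list approach deliberately treats every non-Teams reader as suspicious rather than trying to enumerate known-bad tools, since the article's point is that no special tooling is required to read the files; expect to tune `EXPECTED_PROCESSES` for backup agents and endpoint software in your own environment.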