#SecTorCa: How One Malicious Message Could Exploit an Enterprise

Following the global transition to remote working that began in March of this year due to the COVID-19 pandemic, Omer Tsarfati, cybersecurity researcher at CyberArk Labs, found himself using Microsoft Teams more than ever before.





Being a security researcher, Tsarfati wanted to make sure the software he was using was actually secure – which it wasn’t. In fact, he and his team discovered a critical flaw that could have potentially enabled an attacker to intercept messages across a company and possibly even launch broader attacks. Microsoft patched the flaw in April while releasing few concrete details; Tsarfati, however, explained the whole incident with new information in a session at the SecTor security conference.





Tsarfati explained that Microsoft Teams is a deeply integrated technology that connects with both Microsoft and non-Microsoft technologies. The integration with different technologies includes the use of access credentials known as OAuth tokens that authenticate the user with the given technology.





Tsarfati and his team discovered that Microsoft was using an authentication configuration approach that created a vulnerability: one malicious message could enable an attacker to gain access to multiple systems and user information.





How the Exploit Works



Tsarfati explained that one way to trigger the exploit would be to send a victim an email with a malicious link, which would then drop a cookie on the user’s system. That cookie could then read improperly configured information in Microsoft Teams to gain access ..
