"Token-Mining Weakness in Microsoft Teams Makes for Perfect Phish"

According to the security firm Vectra, attackers who gain initial access to a victim's network can expand their reach by using access tokens from other Microsoft Teams users to impersonate employees and exploit their trust. The firm released an advisory revealing that Microsoft Teams stores authentication tokens in an unencrypted format, allowing any user to access the secret file without requiring special permissions. An attacker with local or remote system access can steal the credentials of any users, whether online or offline, and impersonate them. They can impersonate the user through any associated feature, such as Skype, and bypass multi-factor authentication (MFA). According to Connor Peoples, security architect at Vectra, the flaw allows attackers to move much more easily through a company's network, enabling multiple forms of attacks, including data tampering, spear-phishing, identity compromise, and more. By selectively destroying, exfiltrating, or engaging in targeted phishing attacks, attackers can tamper with legitimate communications within an organization. Vectra discovered the problem while investigating Microsoft Teams on behalf of a client, looking for ways to delete inactive users, which Teams does not usually allow. Instead, the researchers discovered a file that stored access tokens in cleartext, allowing them to connect to Skype and Outlook via their Application Programming Interfaces (APIs). This article continues to discuss the token-mining vulnerability discovered in Microsoft Teams. 

Dark Reading reports "Token-Mining Weakness in Microsoft Teams Makes for Perfect Phish"