Red Teaming Teams

Mikko Koivunen


The title may be a bit exaggerated, but it just sounded too good …

I’ve been part of many Microsoft Teams deployments, and during these projects we always ask the question “how do we secure our data, identities and endpoints?”. Even though the assume breach principle guides the answers, the mental focus people usually have is on configuration hardening and on having the blue team view.

But now I thought of taking the opposite approach for a bit. Assuming I’ve gained access to an organization's Teams, how can I intentionally abuse my privileges? And if I do so, will I be detected?

Maybe I will also add some detection and hunting tips for Azure Sentinel here later. But for now, here are some things I might try if I was a malicious insider or an attacker!

Can I join a Team I am not supposed to?

If I browse around the organization's public Team list, can I find and join a Team that perhaps should be restricted? Will anyone ask what I am doing if I just join random Teams to see what is in them?

Do I have access to things I am not supposed to?

It is not uncommon for people to store confidential data in files, notebooks and the like, even in Teams that are available to a large audience. By browsing data in Teams I have access to, will I find things I should not see?

Can I fool people into sharing confidential data with me?

This could take many forms. I could simply message people and ask to be included in discussions or private Teams, or ask them to share data with me. I could even set up a new Team, pretending that it represents some official corporate function, and fool people into sharing confidential data there.

Can I dump data out of Teams?

I want to get data out of the organization and onto my machine or cloud storage. There are many methods for this: I could use SharePoint sharing features, sync the files locally, download the files, or even install an application to share the data. If I do these and transfer data, will someone detect it?

Can I join meetings to eavesdrop, maybe even anonymously?

If I have an invitation to a meeting - or I see a meeting being started from a Teams channel or chat - can I listen in without being kicked out? If I forward the invitation to an external address or use a dial-in number, can I attend without revealing my identity?

Can I remove access from other people?

If I have Owner access to a Team, I can remove people or demote them to Member status, thus preventing them from either accessing or managing the Team. Will they notice this? And if not, can I use this situation to my benefit, as they may now have limited visibility of important data, activities and events?

Can I use Teams to distribute malware?

Many do not consider data in Teams to be a possible threat, at least not in the same way as e-mail attachments or links. If I have access to Teams, posting links and uploading files might be an attractive channel for distributing malware. Can I do this? Will people fall for it and get infected?

Can I invite myself as a Guest for backup access?

By doing all these suspicious activities, it is likely that I will lose access at some point. Can I make sure I have persistence by inviting myself as a Guest user with one or more external e-mail addresses, so that I keep access even if I lose my main account?
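The detection side is left for later above, so here is an added example (not the author's code) that checks constructed Teams audit records for two of the questions raised: an Owner stripping access from several people in a short window (MemberRemoved / MemberRoleChanged) and a user adding a guest account as backup access (MemberAdded with a UPN carrying "#EXT#"). The record field names (Operation, UserId, TeamName, Members[].UPN) and the sample events are assumptions modelled on the Microsoft 365 unified audit log, not taken from the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def make_event(when, operation, actor, team, member_upn):
    """Build a constructed audit record; field names are assumed, verify against a real export."""
    return {"CreationTime": when, "Operation": operation, "UserId": actor,
            "TeamName": team, "Members": [{"UPN": member_upn}]}


# Constructed sample log: mallory adds a guest copy of herself, then strips three colleagues.
SAMPLE_EVENTS = [
    make_event("2021-03-01T09:00:00", "MemberAdded", "alice@contoso.example", "Finance", "bob@contoso.example"),
    make_event("2021-03-01T09:05:00", "MemberAdded", "mallory@contoso.example", "Finance",
               "mallory_outlook.example#EXT#@contoso.example"),
    make_event("2021-03-01T09:06:00", "MemberRemoved", "mallory@contoso.example", "Finance", "alice@contoso.example"),
    make_event("2021-03-01T09:07:00", "MemberRoleChanged", "mallory@contoso.example", "Finance", "bob@contoso.example"),
    make_event("2021-03-01T09:08:00", "MemberRemoved", "mallory@contoso.example", "Finance", "carol@contoso.example"),
    make_event("2021-03-01T15:00:00", "MemberRemoved", "alice@contoso.example", "Finance", "dave@contoso.example"),
]


def guest_additions(events):
    """Return (actor, team, guest_upn) for every guest account added to a Team.
    Azure AD guest UPNs carry '#EXT#', which is what we key on."""
    hits = []
    for ev in events:
        if ev["Operation"] != "MemberAdded":
            continue
        for member in ev.get("Members", []):
            if "#EXT#" in member["UPN"].upper():
                hits.append((ev["UserId"], ev["TeamName"], member["UPN"]))
    return hits


def access_removal_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return (actor, team) pairs where one actor removed or changed the role of
    at least `threshold` members of the same Team within `window`.
    A single routine removal (alice at 15:00) stays below the threshold."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["Operation"] in ("MemberRemoved", "MemberRoleChanged"):
            per_actor[(ev["UserId"], ev["TeamName"])].append(
                datetime.fromisoformat(ev["CreationTime"]))
    flagged = []
    for key, times in per_actor.items():
        times.sort()
        # Sliding window: any `threshold` consecutive events inside `window` is a burst.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(key)
                break
    return flagged
```

Both checks are easy to carry over to an Azure Sentinel query on the OfficeActivity table once you have confirmed the column names in your own workspace.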