Microsoft Teams Security
How Secure is Microsoft Teams?
Over the last year, like much remote work software, Microsoft Teams saw a huge surge in both users and revenue. It grew from 20 million users in 2019 to around 115 million in the final quarter of 2020, and millions of people now rely on tools like this to keep their organisations operating.
Part of the Microsoft 365 family of products, Microsoft Teams has quickly become an appealing target for hackers, and some have also questioned the security of the communication platform's default protections.
Below is an explanation of some of the security features included in Microsoft Teams, an overview of some of the identified security risks the platform presents, and a brief look at some past security incidents and vulnerabilities that have affected it, to give you a better understanding of just how secure Microsoft Teams is.
Cyber and Information Security Features
Designed and developed in compliance with the Microsoft Trustworthy Computing Security Development Lifecycle (SDL), the official Microsoft statement explains: “Microsoft Teams, as part of the Microsoft 365 and Office 365 services, follows all the security best practices and procedures such as service-level security through defence-in-depth, customer controls within the service, security hardening and operational best practices.”
The core elements of the security framework for Microsoft Teams include Azure Active Directory (Azure AD), a single trusted back-end repository for user accounts; user profile information is stored in Azure AD via Microsoft Graph.
Transport Layer Security (TLS) and mutual TLS (MTLS) are also a fundamental element of the security framework, encrypting instant message traffic and enabling endpoint authentication. As Microsoft explains: “Teams uses these two protocols to create the network of trusted servers and to ensure that all communications over that network are encrypted.”
- Azure Active Directory
- Transport Layer Security
- Industry Standard Authentication Protocols
Cyber Security Risks
From the outset, it is important to understand some of the more fundamental issues that may present a cyber security risk. For example, by default, sensitive information can be forwarded outside an organisation with one click, whether through user error, an insider threat, or an attacker using a compromised account.
Additionally, users external to an organisation might be added to a channel, so team members may accidentally share private or confidential information without realising that external members can see it. Compromised partner accounts could also be exploited by hackers to target the organisation’s end-users, while the organisation has no control over the security of its partner.
Finally, one of the foundational information or cyber security risks regarding Microsoft Teams is end-users’ willingness to share information unreservedly based on the assumption that unlike email, information shared within Microsoft Teams is not monitored or archived.
It is also worth noting that Microsoft Teams, by default, does not provide a great deal of protection against malicious content. Links in chats are not scanned for safety, and while shared files are scanned, the scan is not instant and checks only for basic issues, meaning that malware could be accessible within a chat for hours at a time.
According to reports, Microsoft has downplayed the severity of security issues discovered back in October of last year.
Security engineer Oskars Vegeris accused the company of failing to warn users about a specific flaw which would have, according to the researcher, allowed “zero click, wormable, cross-platform remote code execution.”
Apparently, in an effort to downplay the severity of the flaw (which was promptly patched), the company classified the issue as “Important, Spoofing”, a classification which the researcher describes as “one of the lowest in-scope ratings possible” for security issues, and one that does not reflect the seriousness of the flaw in question.
As the researcher explained, this vulnerability could have allowed an attacker to send or edit a message that looks like any other but, when the relevant chat log is opened, launches code on a victim’s machine that would potentially allow access to private and sensitive information.
At the beginning of last year, Microsoft patched a bug which could have allowed attackers to target a user with a malicious .gif file, gain an authentication token and thus take over a victim’s accounts, with the .gif only needing to be seen by the user for this to happen.
Because the attack could easily have spread across corporate networks, this vulnerability would have allowed attackers to harvest user accounts and steal potentially large amounts of sensitive business data.
The flaw was unearthed by security company CyberArk, whose researcher Omer Tsarfati described it as a “nightmare from a security perspective.” Adding, “Every account that could have been impacted by this vulnerability could also have been a spreading point to all other company accounts.”
“Even if an attacker doesn’t gather much information from a Teams account, they could use the account to traverse throughout an organisation. Eventually, the attacker could access all the data from your organisation Teams accounts – gathering confidential information, competitive data, secrets, passwords, private information, business plans.”
Aside from asking important questions about your internal processes and software packages, such as how secure Microsoft Teams is, it's important to strengthen those processes by building a secure workplace culture in which employees are vigilant to potential attacks.