Hackers exploited Microsoft Teams bugs for months

Microsoft Teams bugs existing since March will not get additional patches

Flaws allowing phishing, uncovered in Microsoft Teams, left the platform vulnerable for months

The Microsoft Teams platform has been exposed to cybercriminals since the beginning of March. The issue was addressed after security specialists discovered four vulnerabilities leading to Server-Side Request Forgery (SSRF), URL preview spoofing, IP address leak (Android), and denial of service (DoS) dubbed Message of Death (Android) threats. At first, it seemed that Microsoft took things seriously and investigated the vulnerability reports.[1]

It has now been shared that the company won't fix the security flaws impacting Microsoft Teams' link preview feature. Of all the bugs, only one, a bug allowing attackers to leak Android IP addresses, appears to have been patched by the company, while the denial-of-service (DoS) flaw will be considered in a future version of the product. The lack of attention to serious security matters baffles researchers and experts.

It seems that the discovered threats did not cause serious harm; however, Microsoft's reaction is lacking. Positive Security's co-founder Fabian Bräunlein, the one who initially discovered the flaws, says that Microsoft does not seem to have the willingness or resources to protect its users from threats.[2] This is surprising, as Teams usage has recently reached new records.

Microsoft Teams is a collaboration tool that helps people in different geographic locations work together online. It's not surprising that the tool became useful and relevant during the pandemic. Teams is used for business, work conferences, and meetings, as well as for education or private purposes. No doubt threat actors noticed the platform's popularity, which is why they chose it as their target.

Some bugs are more dangerous than others

Microsoft categorized the discovered flaws, and some of them were labeled as not serious enough. For instance, the URL preview spoofing bug could be used by hackers for phishing attacks or for hiding malicious links, but Microsoft deemed it to pose no danger. However, this issue can be dealt with by using Defender for Office 365 Safe Links protection to safeguard users from threats.

Another issue could be viewed as even more dangerous. The SSRF vulnerability could allow hackers to leak information from Microsoft’s local network. That means private data from personal work meetings and conferences or even private file sharing. The flaw could be used for internal port scanning and sending HTTP-based exploits to the discovered web services too.[3]

With the DoS bug, hackers could send messages with fake links to Teams users via the Android app. The link will crash and a malicious message will come on screen. Another flaw, the IP address bug, was fixed by the company. The flaw could have led to intercepted messages that would lead to a non-Microsoft domain. However, as of right now, the issue seems to have gone away.

Bad year for Microsoft's security

In 2021, Microsoft had more than enough issues with security. Active Directory, Exchange, and Azure were among the company's impacted services.[4] Microsoft's Windows Print Spooler vulnerability was widely discussed and raised questions about the cybersecurity of the newest Windows 11. Yet, on a few occasions, Microsoft failed to directly acknowledge the problems and issues.

Overall, cybersecurity issues became more common in 2021. However, various stats and surveys showed that users became more aware of the potential threats as about 9 in 10 Americans are at least somewhat concerned about hacking that involves their personal information or financial institutions.[5] Many experts do point out that cyber threats are becoming more systematic in their targeting, so awareness is a must.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
