A severe vulnerability discovered by Tenable Research could have seriously impacted Microsoft Teams users.

The vulnerability found on the chat service could have given attackers control over Microsoft Teams users’ accounts, Tenable said. Attackers could access chat history, read and send emails on a victim’s behalf, and access files in their OneDrive storage.

According to Microsoft, the number of active daily Microsoft Teams users reached 145 million in March. That’s roughly a 90% increase in the last 12 months. The surge in remote work is largely driving the growth. Many enterprises rushed to make cloud-based communication and collaboration as simple as possible.

Evan Grant is a staff research engineer at Tenable. He said it’s luck to a certain degree that the vulnerability wasn’t exploited before Tenable discovered it and Microsoft implemented its solution.

Insufficient Validation

Microsoft Teams has a default feature allowing users to launch applications as a tab within any team they belong to. Organizations using Office 365 or Microsoft Teams with a Business Basic license or higher can also launch Microsoft Power Apps within these tabs.

Tenable discovered that content loaded into these Power Apps tabs was governed by an improperly anchored regular expression. That is, the validation mechanism doesn’t properly confirm that the content in the tab comes from a trusted source. That opens a gateway for attackers.

Tenable’s Evan Grant

“We were exploring Microsoft Teams functionality, looking for potential bugs, and the Microsoft Power Apps tabs caught our attention,” Grant said. “We hadn’t seen it discussed before and we were interested in how Power Apps tabs were integrated into the Teams environment.”

The vulnerability itself is very simple, he said. However, it’s more serious based on its context.

“The flaw allows an attacker to potentially do a lot of harm simply because of how powerful the Power Apps platform is, and because there is an assumed level of trust between Microsoft Teams and the Power Apps tabs it presents to users,” Grant said.

By exploiting the flaw, attackers could have obtained potentially sensitive information, according to Tenable. In addition, they could have conducted further sophisticated social engineering attacks by impersonating an end-user.

Possible compromised information includes internal-only corporate documents, personally identifiable information (PII) or anything else transmitted via chat, email, or shared through OneDrive or SharePoint.

Small Bugs Can Escalate Into Big Ones

Microsoft has implemented a solution to this issue; therefore, end users don’t need to do anything.

“The exploitation of this vulnerability is admittedly not straightforward, and requires the attacker to already be a member of the organization they are attacking,” Grant said. “In addition, a bad actor needs to have an understanding of how the Microsoft Power Apps platform can be abused once they’ve stolen authorization tokens.”

This particular vulnerability no longer poses a threat to Microsoft Teams users, Grant said. However, it does demonstrate how quickly other small bugs may escalate into the theft of large amounts of user data.

Earlier this year, Tenable reported common vulnerabilities and exposures (CVEs), or publicly known security vulnerabilities, jumped again last year. This led to some of the worst-ever cyberattacks.