Teams Spirit: How Abnormal Protects Microsoft Teams From Advanced Threats
Microsoft Teams is one of the most widely used business communication platforms outside of email with roughly 300 million active users.
As an add-on to Microsoft 365, it provides internal videoconferencing and chat alongside Office email and collaboration apps, rounding out a robust suite of productivity tools.
And while Microsoft values security in all of its products, the inherently trustworthy nature of Teams and the high volume of messages and user traffic invite risk—and security leaders are taking notice.
If you’ve been following along with previous articles in this series, these stats may be nothing new, but for those who are just tuning in, recent research from ESG found 89% of organizations report seeing at least one attack on collaboration apps like Microsoft Teams, and 52% have dealt with a multi-channel attack that included these alternate communication apps.
Compounding these issues, we often hear from our customers that they lack visibility into these non-email collaboration and communication platforms, which makes sense since these are relatively new tools with a relatively nascent threat landscape—but one that is growing quickly.
The Other Team: How Threat Actors Target Teams
The Teams threat landscape can be divided into two camps: attacks that target or directly involve Teams and attacks that target Microsoft 365 users, which can in turn compromise Teams.
There have been a variety of articles citing cases in 2022 and as recently as last month where attackers with access to an organization’s Teams tenant—whether using compromised third-party or internal accounts—sent phishing messages with malicious attachments through the chat platform.
While there has been a plethora of research from analysts and other industry experts citing the potential for these types of internal phishing attacks via Teams, the risk has jumped from theory straight into practice.
And with Teams being part of the larger Microsoft 365 platform, there are risks beyond the sole Teams application. A compromised account is not solely a threat to Teams but to the entire cloud office platform, with Teams activity being a series of events in a larger investigation. A user having their Outlook credentials compromised via phishing email, for example, has potentially also had their Teams, SharePoint, and general Microsoft 365 account compromised as well. This is not a case of attackers needing to move laterally to compromise Teams; once a threat actor has gained access to the Microsoft 365 platform, typically all of the applications on that platform are under attack. Or worse, Teams suddenly becomes an additional weapon for further compromise.
Most employees, regardless of organization, typically have some understanding of email phishing and are suspicious of unusual email messages. If a threat actor manages to compromise an account, an effective next step would be to target users on a platform they trust—a platform where an unexpected message from a coworker may not immediately raise a red flag.
As the Microsoft 365 user count increases, Teams will continue to be an attractive target for threat actors. Microsoft regularly patches Teams vulnerabilities and has native security tools to secure the platform, but attackers are clever, and organizations need to find ways to stay one step ahead.
How Abnormal Protects Microsoft Teams
There are three angles to consider when looking for threats in Microsoft Teams:
Has there been unusual authentication or session activity for any one user in Microsoft 365?
Have any user privileges changed, such as a user elevated to an administrator?
Has a user or third-party collaborator with access to Teams sent any suspicious or outright malicious messages?
All of these have varying levels of risk, of course, but understanding when these events occur is a critical step in preventing a catastrophic breach or further lateral movement by threat actors.
To address these three types of risk, Abnormal recently released a suite of email-like security products alongside its solutions for Microsoft 365, encompassing messaging security, account takeover protection, and user posture management. These products use Abnormal’s advanced detection capabilities—informed by data ingested from Microsoft 365, Azure Active Directory, and Teams—to detect threats and build comprehensive case files to support in-depth investigation.
Starting with Account Takeover Protection, Abnormal customers can analyze signals not only from Microsoft Teams and authentication platforms like Okta or Azure AD but also from activity occurring across the Microsoft 365 environment, using Abnormal’s existing Email Account Takeover Protection to detect suspicious email activity for a given user, impossible travel, and other abnormal behaviors that could indicate account compromise.
If that same user suddenly gains administrative access to Microsoft 365—and in this way, access to Teams—Abnormal’s Email Security Posture Management capabilities will notify Abnormal admins of the change to that Microsoft 365 user’s privileges and provide contextual insights and next step guides to take downstream corrective action.
After these proactive measures, what if that user sends a message with a malicious link, attempting to execute an internal Teams phishing campaign? Email-Like Messaging Security can detect that threat and immediately raise a red flag to Abnormal administrators. The product also monitors outside vendors with access to a workspace and notifies Abnormal admins when they are sending malicious links in Teams.
Helping organizations protect more and secure the future begins with solving the visibility and resource gaps in detecting threats in Teams. With these new products, we are paving the way, ensuring that our customers stay protected from multi-channel and email-like attacks no matter where they initiate.