In August of 2022, while conducting research for a client, the team at Vectra Protect discovered a post-exploitation vulnerability in the plaintext on-disk storage used by Microsoft Teams. This vulnerability gives malicious actors with either local or remote system access the ability to obtain valid user credentials. Vectra discovered that the unencrypted credential management weakness affected all commercial and GCC Desktop Teams clients for Windows, Mac, and Linux.
In a blog post dated September 13, 2022, Vectra informed the public about the vulnerability and provided an example of how hackers may exploit it.
Vectra explained that malicious actors could impersonate the user through Teams-related applications such as Skype and Outlook while bypassing multifactor authentication (MFA). With access to Teams-related applications, the hackers could target other employees or impersonate senior executives inside the corporation.
Connor Peoples, a security architect at Vectra, wrote, "Attackers can tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks."
The desktop application is especially susceptible to attack since it does not have "additional security safeguards to protect cookie data."
While Microsoft acknowledges the concern raised by Vectra, the corporation states, "The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network."
Given the uncertain availability of a solution in the immediate future, Vectra advises users to use the browser-based version of Microsoft Teams. The additional safeguards in a browser help users avoid security vulnerabilities that could be readily exploited.