The Abuse of Teams Inbound Webhook Connectors and Channel Email Addresses

Phishing Attacks Against Teams

A March 14 article called Wishing: Webhook Phishing in Teams published by Black Hills Information Security discusses the potential malicious use of incoming webhooks for Teams channels. There’s a lot to read in the article and Black Hills say that they disclosed the issue described to Microsoft in January 2024. Apparently, the Microsoft Security Response Center (MSRC) closed the issue without a fix. But as reported below, some changes appear to be in progress to mitigate the problem by making the incoming webhook connector into a Teams app and limiting access to team owners.

The incoming webhook connector is one of many connectors supported by Teams. Incoming webhook connectors import snippets of information from external sources and post them as new conversations in the channel that hosts the connector.

The intent behind posting items is to inform team members about news to either spark a conversation within a team or to encourage users to follow up and discover more information about a topic, possibly by following a link in an adaptive card. Like any team message, the size of what a connector can post to a channel is limited to 28 KB.

When a team owner configures an incoming webhook connector for a channel, Teams generates a target URL for apps to post to. A channel can host multiple instances of the incoming webhook connector, each with its own URL. Webhook connectors do not use authentication, but messages posted through these connectors must follow a specific format.
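The following PowerShell function is an added example, not code from the original article or from Black Hills, showing the shape of what an incoming webhook accepts: a JSON connector card posted with Invoke-RestMethod to the URL generated when the connector was configured. It uses the legacy MessageCard payload format, enforces the 28 KB channel message limit mentioned above before sending, and surfaces the ErrorInvalidGroup condition discussed later in this article. The webhook URL, title, text and link values in the usage comment are constructed placeholders.

```powershell
# Added example (not from the original article): post a connector card to a
# Teams incoming webhook. The connector validates the card format, not the
# sender, because incoming webhooks do not use authentication.
function Send-TeamsWebhookMessage {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $WebhookUri,   # URL generated when the connector was configured
        [Parameter(Mandatory)] [string] $Title,
        [Parameter(Mandatory)] [string] $Text,
        [string] $LinkText,
        [string] $LinkUri
    )

    # Legacy "MessageCard" connector card (the format the connector expects).
    $card = [ordered]@{
        '@type'    = 'MessageCard'
        '@context' = 'http://schema.org/extensions'
        'summary'  = $Title
        'title'    = $Title
        'text'     = $Text
    }
    if ($LinkUri) {
        $card['potentialAction'] = @(
            [ordered]@{
                '@type'   = 'OpenUri'
                'name'    = if ($LinkText) { $LinkText } else { 'Open' }
                'targets' = @(@{ os = 'default'; uri = $LinkUri })
            }
        )
    }

    # Enforce the 28 KB limit that applies to any message posted to a channel.
    $body  = $card | ConvertTo-Json -Depth 6 -Compress
    $bytes = [System.Text.Encoding]::UTF8.GetByteCount($body)
    $limit = 28KB
    if ($bytes -gt $limit) {
        throw "Payload is $bytes bytes; the channel message limit is $limit bytes."
    }

    try {
        # Returns whatever the webhook endpoint answers with on success.
        return Invoke-RestMethod -Uri $WebhookUri -Method Post `
            -ContentType 'application/json; charset=utf-8' -Body $body
    }
    catch {
        # Teams reports the group lookup failure described in this article as ErrorInvalidGroup.
        $detail = "$($_.ErrorDetails.Message) $($_.Exception.Message)"
        if ($detail -match 'ErrorInvalidGroup') {
            throw "Teams could not map the webhook URL to a team (ErrorInvalidGroup). Re-check how the connector was configured. Detail: $detail"
        }
        throw
    }
}

# Sample usage with constructed placeholder values:
# Send-TeamsWebhookMessage -WebhookUri 'https://<tenant>.webhook.office.com/webhookb2/<placeholder>' `
#     -Title 'New roadmap item' -Text 'Feature X is rolling out this month.' `
#     -LinkText 'Read more' -LinkUri 'https://example.com/roadmap/<placeholder>'
```

The size check runs before the request so that an oversized card fails locally with a clear message rather than with an opaque HTTP error from the connector endpoint.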

The article describes how Black Hills built a module in the GraphRunner tool (available from GitHub) to fetch connector information from Teams channels. No public Graph API is available to retrieve connector information, so reverse engineering was necessary to track down the API endpoints and required tokens. The work traversed some artifacts of Teams history, such as references to Skype Spaces, and the outcome is a list of channels with URIs configured for the incoming webhook connector. The article also covers details about creating new incoming webhook connectors for channels.

Looks Like Microsoft is Changing the Way Inbound Webhook Connectors Work

Playing around with incoming webhooks using code like that described in the article about posting new Microsoft 365 roadmap items to Teams channels, I discovered that although it was possible to configure an incoming webhook for a channel using the new Teams, attempts to post to the URI failed with this error:

Invoke-RestMethod: Microsoft.Substrate.Connectors.Store.Exceptions.ExchangeInvalidGroupIdException: Exception of type 'Microsoft.Substrate.Connectors.Store.Exceptions.ExchangeInvalidGroupIdException' was thrown. ErrorCode:ErrorInvalidGroup

The error text implies that Teams couldn’t find the right group (team) to post to. However, if I configured the incoming webhook connector using the old Teams, the URI generated worked. Curiously, the URI generated by Teams classic for the connector uses one of the fallback domains for my tenant (https://derrigimlagh.webhook.office.com/) rather than the usual one (https://microsoft.webhook.office.com/). This implies that work is ongoing to update how Teams uses the incoming webhook connector and that Microsoft hasn’t implemented the code in Teams classic because the client is due to retire on March 31.

Another difference I noted is that a Teams app is now called the first time an owner configures the incoming webhook connector in a team (Figure 1). Management of the app is like any other Teams app, and it can be restricted to specific users via app permission policies.

Figure 1: The Incoming webhook app in the Teams admin center

It would be normal for a security review to happen during the transition to a new version of a client. It seems like this might be happening as Microsoft prepares to make the Teams 2.1 client the norm.

Spamming Team Channel Email Addresses

Next, the discussion moves to email addresses for team channels. Email sent to these addresses does not go through the regular email environment for tenants and is handled by a special infrastructure created for Teams. However, the traffic still goes through Exchange Online Protection.

Recently created channel email addresses limit acceptance of inbound email to team members. It’s also possible to limit receipt to a specified list of domains. Older channels are likely to have the older default, which allows the channel to receive email from anywhere (Figure 2).

Figure 2: A team channel open for anyone to send email to

It’s probably a good idea to check channels to make sure that they’re not open for anyone to send to. Here’s an article about how to report channels with email addresses.

The article says that “Microsoft claims that this feature needs to be enabled by the Administrator, however, through testing, we can see this is not the case.” My testing shows that the controls on sending email to channels implemented in the Teams admin center work (Figure 3).

Figure 3: Email integration controls in the Teams admin center

With acceptance of channel email set to a limited number of domains, messages from other domains failed with the error:

The administrator has restricted permissions to send emails to this channel.

The authors of the report advise those who want to try out the phishing techniques to sign up for a free developer tenant. This kind of activity might be the reason why Microsoft has limited access to these tenants to those with a Visual Studio Enterprise license.

Check Your Tenant

The results I report here are accurate as of March 15, 2024. Given that some changes appear to be happening to secure Teams better, it’s wise to do your own tests to understand the current state of play in your tenant. As is always the case, attackers persist in seeking holes to exploit and things might change in the future in response. As good practice, tenant administrators should understand how information flows into Teams from external sources. It’s easy to control email to channels but the lack of a Graph API to report connectors makes that aspect harder. Let’s hope that Microsoft provides such an API and continues to tighten security around Teams.
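As an added example (not a script from the original article or from Microsoft), the following Microsoft Graph PowerShell SDK script inventories the two inbound paths discussed on this page for every team in a tenant: channels that have an email address, and teams where the Incoming Webhook app is installed. It assumes the delegated scopes listed are sufficient, that the app created when an owner first configures the connector is visible through Get-MgTeamInstalledApp under the display name "Incoming Webhook", and that the sender restrictions on a channel email address are not exposed through Graph, so those still need to be checked in the channel settings. The CSV file name is a constructed placeholder.

```powershell
# Added example (not from the original article): report where external content
# can enter Teams. Requires the Microsoft Graph PowerShell SDK.
# Assumption: these delegated scopes are enough to read teams, channels and installed apps.
Connect-MgGraph -Scopes 'Group.Read.All', 'Channel.ReadBasic.All', 'TeamsAppInstallation.ReadForTeam' -NoWelcome

# Every Microsoft 365 group that is team-enabled
$teams = Get-MgGroup -Filter "resourceProvisioningOptions/Any(x:x eq 'Team')" -All -Property Id, DisplayName

$report = foreach ($team in $teams) {
    # Assumption: the Incoming Webhook app installed when an owner configures
    # the connector shows up in the team's installed apps under this name.
    $apps = Get-MgTeamInstalledApp -TeamId $team.Id -ExpandProperty TeamsApp -ErrorAction SilentlyContinue
    $webhookApp = $apps | Where-Object { $_.TeamsApp.DisplayName -eq 'Incoming Webhook' }

    foreach ($channel in (Get-MgTeamChannel -TeamId $team.Id -All)) {
        [PSCustomObject]@{
            Team               = $team.DisplayName
            Channel            = $channel.DisplayName
            ChannelType        = $channel.MembershipType
            ChannelEmail       = $channel.Email        # empty when no email address is configured
            IncomingWebhookApp = [bool]$webhookApp
        }
    }
}

# Channels with an email address: check who is allowed to send to each one in the
# channel settings (older channels may still accept mail from anywhere).
$report | Where-Object { $_.ChannelEmail } | Sort-Object Team, Channel | Format-Table -AutoSize

# Teams where the Incoming Webhook app is present: confirm each webhook is still needed.
$report | Where-Object { $_.IncomingWebhookApp } | Select-Object -Unique Team | Format-Table -AutoSize

# Placeholder path; adjust for your environment.
$report | Export-Csv -Path .\TeamsInboundSurfaces.csv -NoTypeInformation
```

The report is deliberately per channel rather than per team because email addresses are a channel-level setting, while the webhook app is recorded once per team; joining both into one object makes it easy to filter either surface from the same CSV.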

