
Gone Tishing: Abusing Microsoft Teams Security Misconfigurations for Webhook Hijacking and Other Shenanigans

BSides PDX · 2023 · 20:21 · 194 views · Published 2023-10
Category: Technical
Style: Talk
About this talk
Speaker: Jessa Gegax (https://www.linkedin.com/in/jessa-gegax-00912b191/)

Misconfigurations are common vulnerabilities in business communication platforms, and they can be leveraged to build security awareness trainings that go beyond the classic phishing email. These issues tend to arise from third-party components integrated into the client that provide additional communication functionality, often used by software teams during development. Webhooks are a specific example: they are frequently used in corporate environments to tie these third-party applications together for system updates and other development notifications, and they are often insecure because of the client's default configurations.

Jessa Gegax is an Information Security Testing Analyst at Surescripts LLC in Minneapolis, MN. Jessa holds an undergraduate degree in Computer Science and a minor in Environment and Natural Resources, with research interests in offensive cloud security, IoT devices, and web application/API penetration testing. In their free time, Jessa likes to go backpacking, practice yoga, and spend time with their dog (in no particular order).

---

BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local inclusive opportunities for learning, networking, collaboration, and teaching. bsidespdx.org
Transcript [en]

Thank you for coming to my talk today, titled Gone Tishing. It's about abusing Microsoft Teams misconfigurations for webhook hijacking and other shenanigans, so let's get started.

A little bit about me: my name's Jessa, my pronouns are they/them. I'm a red teamer in healthcare. I do primarily pen testing for web apps and APIs, but I'm also into offensive cloud security and IoT. Specifically for IoT, I dive into medical devices and other things. I'm also really into DEF CON badge life, so when I talk about IoT that's a little bit of it. In my free time I'm a yoga instructor and runner, and I'm also a dog parent, so since I'm bringing up my dog I want to show a picture of him. And if you like my talk today, please give me a follow on Twitter or follow me on LinkedIn.

For the agenda, we're going to talk about the background first: what parts of Microsoft Teams cause the vulnerability, specifically the connectors functionality and the webhooks, and how they're integrated together to cause this vulnerability. Then we'll get specific into what the vulnerability is, and then how we can exploit it by hijacking the webhook, creating a phishing credential harvester page, and sending it within an internal Teams channel. Then we're going to talk about detection and prevention: how your company can spot phishing messages like this and how it can be prevented in the first place. And then kind of going into a conclusion of why do a Teams message phishing engagement versus your standard phishing email to test your employees' security awareness.

So on the screen here is a Teams connector. Teams connectors are a functionality within Teams that allow you to integrate third-party applications into your Teams environment. This is very commonly used by developers when they want to send notifications from GitHub or ServiceNow in real time into their Teams channel, to let their team know, hey, something was pushed to GitHub or a service is down, so to provide those real-time data notifications quickly and easily. To the left here you'll see just an example of how you can access those connectors within a test Teams channel, and to the right are just different options. So there's the webhooks, but there are so many different things that can be integrated via a Teams connector.

So these Teams connectors utilize something called webhooks, and webhooks are primarily what we're going to be talking about today. These webhooks are kind of like secret tokens: when you set up a connector to communicate with something like GitHub or ServiceNow, these webhooks basically tell GitHub or the third-party application that you're communicating with that specific channel. So once you have that webhook you're basically in, and there's no other authentication for it. The more formal definition would be that it's a user-defined HTTP callback that communicates real-time data into Teams. So, like I said before, if someone pushed to GitHub, that would send that push right into Teams so the development team will know. And then it allows external web services to interact with the channel, so again, like what I said before, it allows these applications to communicate within Teams with no other authentication. Popular use cases would be developer system teams, for maintenance notifications with third-party applications like Jenkins, Bitbucket or ServiceNow.

So on the screen here is just an example of a configured webhook connector within Teams. It says third-party notification, but this can be any application you'd like to integrate it with, and then you can add an image. But the really interesting thing here is the view webhook link. Obviously I blocked it out, but this would be the bread and butter here: the view webhook link, you would go in and view it, and then you can steal it and do some things with it.

So what would be the vulnerability here? Who can give me any ideas? No? The answer is in the meme. Yes, default configurations, awesome, good job. So in Microsoft Teams there's the default configuration that anyone can view these webhooks as long as they're in the Teams environment. So say there's a channel (not necessarily a development channel) and they're sending GitHub notifications, they're working on, I don't know, a last-minute prod application, and people are clicking these links to take them to GitHub so they can view whatever changes are being made. As long as I have access to that company's Teams, I'm actually able to view the configured webhook, so I can go in and view that token even if I'm someone who's not a developer and not part of that team. And right here is just a GIF of how you can go in and steal that webhook, so I'll wait till it starts again to kind of talk through it. But yeah, basically: going into any test channel with configured webhooks, scrolling down, clicking Manage, and then they can just scroll down and steal the URL. I did not include the token in the screenshot, but if you want to see a full page of what this would look like, going back to slide six that I showed before would be the full page of what it would look like.

So now I stole the token; now what can I do? For this instance I decided to make a credential harvester from the token I stole, in hopes that I could steal more credentials from a company. How I first did this is I used Postman, and where that hijacked webhook text is was where I put the token. So when I put the token into that POST, that sent it directly into Teams without any of the authentication, like what I said before. Then I created a card that was basically the outline for the message I wanted to send into Teams. A really fun fact is Microsoft provides tons of templates within their documentation, so it's super easy to copy and paste this, and that's what developers sometimes do. Then I created a phishing landing page; that little red box is where I put it, and I'm going to go into a little bit about how I created that next. The lower screenshot is just how it looked within Teams, and you'll notice that there's no notification that it's coming from an external source, there are no flags. So if I was a developer I would look at it and just think it was like any other notification, and then I'd click it. The card I designed was a ServiceNow notification.

So then this is an example of how the credential harvester looked. I decided to go with a Microsoft sign-in page, so pretty simple. A really cool thing about this instance was, since a lot of companies use SSO, once they submit these credentials into a fake landing page it actually redirects them to the legitimate application that they wanted to access, so that decreases detection. How I created this is I used an open source project called GoPhish. GoPhish is really awesome; it's for phishing engagements, and originally, when I did it, it was specifically for email phishing, but since it was open source I was able to go in and configure it to fit my needs. GoPhish is really cool because it allows you to create and design the landing page pretty easily, and it also tracks the data of how many people clicked the link, who submitted credentials, and then, if you want to, it actually shows what the credentials were. I would not recommend doing that because it does save them in clear text, so if you're doing this in a company environment you probably do not want to be saving credentials in clear text. But yeah, I also configured it to show me IPs, so even if an employee didn't submit their credentials and just clicked the link, I was still able to figure out who that employee was based on the IP they submitted, which was pretty cool.

So after finding a successful attack vector for phishing, now what do I do? I wait. Since these were messages that were being sent in real time, there was a lot being sent pretty frequently, so it's pretty hard, if there are multiple messages and you just send one, to get a lot of data back. You kind of have to send the message and see what type of response you get. So for this instance I sent the first message that looked exactly like a notification, didn't get too much feedback, so I sent it again and then saw what the feedback I got was, and then maybe sent it at an odd time, and then eventually I added misspellings to get people to kind of pick up on what was going on. That's a really cool thing about these types of engagements: you can kind of interact with your developers and other channel members that you're trying to phish based on their behavior.

And then just getting into solutions to stop this from getting worse, or stop a huge phishing issue at your company. Getting into the detection: it's very similar to a phishing email. In phishing emails they usually tell employees to look for misspellings, or check the certificate, or check the domain where the link is sending them to see if it's legitimate, so the detection is very, very similar. But then getting into prevention: teaching your employees that phishing doesn't just happen in email; it can happen in texts, it can happen in calls, and it can happen in Microsoft Teams. A lot of employees may not have that security awareness to expect something like this to happen in Teams, so just letting them know that this can definitely happen. And then also including a see-something-say-something protocol at your company. Usually in a phishing email situation it's really easy to report that message, but creating this type of reporting would allow your employee to tell the security team pretty easily if they do see something that's suspicious, and that would just allow them to respond quicker and more efficiently to an issue. And then also watching for common misconfigurations. This was a default configuration that wasn't thought about, so it could have been prevented altogether if the person who configured Teams just made sure that only the right people who needed to see this could see it. So thinking about that element of least privilege here: maybe someone from a whole different team doesn't need to see the ServiceNow maintenance channel configurations.

And then finally, just kind of getting into the differences between doing an email/Outlook phishing engagement versus a Teams phishing engagement. Some similarities: the messages do look similar, like what I said before, the types of detection, and both can be used for security awareness within your company. But then some differences: to do a phishing engagement within Outlook, all you really need is the email domain. All an attacker really needs to know is, is it like firstname lastname at company.com, or firstname.lastname? That's really all they need to know to send a phishing email. But for Teams it's a little more complicated: they do need to have stolen credentials to get into the Teams environment. And then also detection is a little bit different for emails versus Teams. Outlook actually notifies someone when they receive an email from an external source, so it makes it a lot easier to be like, hey, this looks kind of weird, but Teams doesn't at all, and this is especially true if you create a landing page with a certificate to avoid any of those browser warnings that might come up when they click the link. So for Teams phishing, detection can be a lot less likely, especially in scenarios where a lot of notifications are being sent to one channel, so keeping that in mind. And it usually takes a lot longer, because you do have to find the configuration and then create the message and then create the phishing page, so there's a little bit more setup that goes into a Teams messaging phishing engagement for your company.

And then just getting into why get creative with a red team phishing engagement in the first place. You do get to find other vulnerabilities; so again, for this instance we did get to find that misconfiguration, which was super interesting, that was just open. You do get to test unconventional reporting procedures, so you get to test, hey, if an employee sees something that's kind of weird, how would they tell the security team and how would it be fixed? So you do get to test those elements of security at your company. And then you also get to learn more about potential open source tools, so I got to do the research to find what GoPhish was and how to customize it to fit my needs, and I did get to learn a lot more about Postman and writing that message call into Teams. And then you also just get to challenge your red team, so say if your red team's done with their tests for the year and they're looking for something to do, this is a really great opportunity for them to learn and also kind of mess around with the different configurations in your company's environment. So moving on to Q&A. Thank you so much for listening today.

Q: (not captured in the transcript)
A: Yes, that's a really good question. I didn't find anything that was super specific to Teams phishing when I was doing this research. I did find research based on the misconfigured webhooks, so that's all I really found, and then I used that to conduct this engagement.

Q: (not captured in the transcript)
A: Yeah, so with the open source tool that I used, it did give me the different clicks. When I first started I didn't really get too many, which told me that the developers weren't really looking at every single notification, so that's what got me to start introducing misspellings, to make it look more suspicious. And then as soon as they detected it there was tons of feedback in the channel, so they weren't clicking the link, but they were actually telling each other, like, hey, this is what's going on, this is the certificate that I'm seeing. So it's really cool to see the security awareness of the team come into play, and them communicating together to spot this phish, and then seeing how they reported it to us, knowing that this was a first-time engagement.

Q: What made you go down that rabbit hole of going through Teams and looking for holes to poke into?
A: Good question. So I was given the task to create a red team engagement, and I was told about the webhook, so that was the information I was given. I was given a little bit of help from my team, but overall it was just, here's something we heard about, what can we do about it? So I was curious.

Q: As you were doing the engagement, so you know there's a misconfiguration here, or default configuration, and you already have user credentials: did you see any other place where the webhooks were leaked, where maybe an attacker who just has access to network traffic could find these webhooks and do this? Or is it really kind of a you-have-to-have-a-privileged-account-and-the-misconfiguration-together situation?
A: For this instance I did need to have credentials to access Teams, but it did not have to be a privileged account; I could be any user. But that's a good future test.

Q: Just a quick question about the mitigation: is the misconfiguration global or per webhook?
A: That's a good question. I believe it's per organization, so the organization can decide who can view whatever in each channel. I'm not 100% sure about this, but it could be that the person who configured the webhook is the only person who's able to view it, versus everyone who is in the organization.

Q: Do you have any tools for doing statistical analysis with this? I've never used GoPhish before, so I'm not as familiar with it, but I'm wondering how you're able to analyze the data to determine success from failure, who clicks and maybe what reasons, and how you get the feedback from your users.
A: I love this question. So GoPhish generates a CSV file, and what I did is I actually wrote a short Python script to do it for me. There is functionality within GoPhish that kind of shows you this in the UI, but I wanted to process my own data, so I wrote a Python script, and I used pandas or something, but it was pretty simple, like 10 lines or so.

Q: The configuration you're talking about sounded like somebody had taken privileged account information, or an insider threat. The one I'm kind of curious about is, did you do any testing with people who have access to a Teams meeting, because it does create a channel, who are outside the company? I'm thinking, I've done Teams meetings for interviews before, and having the ability to see that information.
A: I also really love that question. That is something I'm doing in my research right now, so I am not sure, but it's something that I am looking at currently. So yeah, cool. Well, thank you.
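As an added defensive example (not code from the talk, from Microsoft or from GoPhish), the check below applies the detection advice given in the talk, look at where a notification's link actually goes, to the card JSON an incoming webhook receives, so a reviewer or a logging proxy can flag a card whose link leaves the organization's known notification sources or borrows a vendor name. Assumptions: the card uses the legacy Office 365 connector MessageCard layout (the talk does not name the card format it used), and the allowlist, tenant names and URLs are constructed.

```python
"""Review Teams incoming-webhook card JSON for links that leave the allowlist.
Constructed example: cards follow the legacy Office 365 connector "MessageCard"
layout; the allowlist, tenant names and URLs are made up."""
import re
from urllib.parse import urlparse

# Hypothetical allowlist: hosts the team's real notification sources link to.
ALLOWED_HOSTS = {"github.com", "acme-corp.service-now.com"}
# Brand words a look-alike host might borrow from a legitimate sender.
BRAND_WORDS = ("microsoft", "servicenow", "service-now", "github")
URL_RE = re.compile(r"https?://[^\s)\]<>]+")

def _host_allowed(host: str) -> bool:
    """Exact match or subdomain of an allowlisted host."""
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)

def _strings(node):
    """Yield every string in the card, skipping '@type'/'@context' metadata."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            if not key.startswith("@"):
                yield from _strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from _strings(item)

def extract_urls(card: dict) -> list:
    """Collect URLs from OpenUri targets and from markdown links in text fields."""
    urls = []
    for text in _strings(card):
        urls.extend(u.rstrip(".,;") for u in URL_RE.findall(text))
    return urls

def review_card(card: dict) -> list:
    """Return (url, reason) pairs a reviewer should look at; [] means clean."""
    findings = []
    for url in extract_urls(card):
        host = (urlparse(url).hostname or "").lower()
        if _host_allowed(host):
            continue
        reason = "look-alike host" if any(w in host for w in BRAND_WORDS) else "host not on allowlist"
        findings.append((url, f"{reason}: {host}"))
    return findings

# Constructed sample cards: one legitimate build notice, one impersonating ServiceNow.
LEGIT_CARD = {
    "@type": "MessageCard", "@context": "http://schema.org/extensions",
    "summary": "Build finished",
    "text": "Build #42 passed. [View run](https://github.com/acme-corp/app/actions/runs/42)",
    "potentialAction": [{"@type": "OpenUri", "name": "Open ticket", "targets": [
        {"os": "default", "uri": "https://acme-corp.service-now.com/incident/INC0001"}]}],
}
SUSPECT_CARD = {
    "@type": "MessageCard", "@context": "http://schema.org/extensions",
    "summary": "ServiceNow maintenance",
    "text": "Sign in to acknowledge tonight's maintenance window.",
    "potentialAction": [{"@type": "OpenUri", "name": "Acknowledge", "targets": [
        {"os": "default", "uri": "https://servicenow-login.example/sso"}]}],
}

if __name__ == "__main__":
    print(review_card(LEGIT_CARD), review_card(SUSPECT_CARD))
```

Running it against logged webhook traffic, rather than the two embedded cards, is a matter of feeding each parsed payload to review_card and alerting on a non-empty result.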