Gone Tishing: Abusing Microsoft Teams Security Misconfigurations for Webhook Hijacking and other Shenanigans

Misconfigurations are common vulnerabilities in business communication platforms that can be leveraged to build more complex security awareness trainings going beyond the classic phishing email. These concerns tend to arise from third-party components integrated within the client that provide additional communication functionalities often utilized by software teams during development. Web hooks are a specific example here that are frequently used in corporate environments to web together these third-party applications for system updates and other development notifications and are often insecure due to the client's default configurations. This talk explores how to find and abuse misconfigurations within the Microsoft Teams business communication platform for webhook hijacking and other shenanigans to test both best security practices and general employee awareness at your organization. It provides a real-world scenario of how these hooks can be stolen to conduct complex social engineering attacks to compromise corporate credentials and expose other valuable business information. It offers solutions for detection and prevention for these elevated attacks that relate to all departments outside of your security team. At the end of this discussion, you will walk away with better awareness of the vulnerabilities existing in these popular communication clients, and how they can be discovered, remediated, then prevented. You may even find a new direction to your company's next annual phishing test!