Thwarting Social Engineering Attacks Against Teams Federated Chat
Help Desks Don’t Use Federated Chat – But Attackers Do
A recent ReliaQuest report describes how attackers have started to use social engineering to reach out to Teams users via federated chat (1-to-1 external access) using display names crafted to make the users believe that they’re communicating with help desk staff. It’s a curious development in some respects because Microsoft clamped down on misuse of Teams federated chat from trial tenants in June 2024. Tenants now need paid licenses to use federated chat, with the idea being that if someone hands over a credit card to pay for subscriptions, they’re less likely to be an attacker.
The new block had some unexpected consequences. Since its implementation, people have tried to find ways around the block through various licensing arrangements that we don’t need to discuss in detail here. Obviously, the attackers must not be using a trial tenant.
Known Weaknesses for Attackers to Exploit
Security researchers first highlighted the potential weakness in federated chat some years ago through the GIFShell and JumpSec exploits, both of which were research demonstrations rather than real attacks.
Even so, the demonstrations were sufficient to cause some to question Microsoft’s default configuration for Teams, which allows open access for federated chat with any other Microsoft 365 tenant that supports Teams. Teams has 320 million monthly active users (a number that Microsoft hasn’t changed since October 2023), so the default means that connections are available from most other Microsoft 365 tenants.
Open External Access for Teams is Asking for Trouble
I’m on record as saying that I don’t think it is wise for tenants to allow open access for federated chat. It seems better to secure external access by limiting federated connections to a set of known domains. Using an allow list for external access will block attempts to connect from unexpected tenants, but it comes with a price: the requirement to maintain the allow list.
Maintaining the allow list with PowerShell can reduce the work involved. For instance, a good start is to populate the allow list with the domains belonging to guest accounts already known to the tenant. Another approach is to find the tenants that users already communicate with through federated chat and build the allow list from those domains.
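As an added example (not code from the article or from the Office 365 for IT Pros team), the script below implements the first approach: it collects the email domains of the tenant’s guest accounts, compares them with the domains already in the Teams external access allow list, and, only when run with -Apply, writes the merged list back with Set-CsTenantFederationConfiguration. It assumes the Microsoft.Graph and MicrosoftTeams modules are installed and that Connect-MgGraph (User.Read.All) and Connect-MicrosoftTeams have already been run by a Teams administrator; the $excluded consumer domains are constructed sample values.

```powershell
# Added example: build the Teams external access allow list from guest account domains.
# Assumes Connect-MgGraph -Scopes User.Read.All and Connect-MicrosoftTeams have run.
param(
    [switch]$Apply   # without -Apply the script only reports what it would change
)

# Consumer domains to leave out even if a guest from them exists (constructed sample values).
$excluded = @('gmail.com', 'outlook.com', 'hotmail.com', 'yahoo.com')

# 1. Collect the email domains of all guest accounts in the tenant.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property Mail, UserPrincipalName
$guestDomains = foreach ($g in $guests) {
    $address = $g.Mail
    # Fall back to the "user_domain.com#EXT#@tenant" UPN form when Mail is empty.
    if (-not $address -and $g.UserPrincipalName -match '^(.+)_([^_]+)#EXT#@') {
        $address = "$($Matches[1])@$($Matches[2])"
    }
    if ($address -and $address.Contains('@')) {
        $address.Split('@')[-1].ToLower()
    }
}
$guestDomains = @($guestDomains | Sort-Object -Unique | Where-Object { $_ -notin $excluded })

# 2. Read the domains currently in the allow list (empty when external access is open).
$config = Get-CsTenantFederationConfiguration
$current = @()
if ($config.AllowedDomains -and $config.AllowedDomains.AllowedDomain) {
    $current = @($config.AllowedDomains.AllowedDomain | ForEach-Object {
        if ($_.PSObject.Properties['Domain']) { $_.Domain.ToLower() } else { $_.ToString().ToLower() }
    })
}

# 3. Work out which guest domains are not yet allowed.
$missing = @($guestDomains | Where-Object { $_ -notin $current })

Write-Host ("Guest domains found: {0}" -f $guestDomains.Count)
Write-Host ("Already in allow list: {0}" -f $current.Count)
Write-Host ("To be added: {0}" -f $missing.Count)
$missing | ForEach-Object { Write-Host "  + $_" }

if (-not $Apply) {
    Write-Host 'Dry run only. Re-run with -Apply to update the allow list.'
    return
}
if ($missing.Count -eq 0) {
    Write-Host 'Allow list already contains every guest domain; nothing to do.'
    return
}

# 4. Write back the merged list. Setting an explicit allow list also turns off
#    open federation if the tenant was previously allowing all external domains.
$patterns = foreach ($d in ($current + $missing | Sort-Object -Unique)) {
    New-CsEdgeDomainPattern -Domain $d
}
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowedDomains $allowList
Write-Host ("Allow list now contains {0} domains." -f $patterns.Count)
```

Run it once without -Apply and review the reported domains before applying: a single guest invited from an unexpected tenant is enough to put that tenant on the allow list, so the review step is where a stray domain should be caught. Re-running the script on a schedule keeps the list in step with new guest invitations, which is the maintenance cost the allow list approach brings.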
Teams is careful about warning users when connections come in from unknown sources. Sometimes, it even warns of inbound federated chat from a very well-known source, such as the warning shown in Figure 1 when Tim McMichael from Microsoft wanted to chat with me.
The warnings for unexpected contacts coming in through federated chat will be strengthened when Microsoft rolls out Brand impersonation protection for Teams messaging (see message center notification MC910976, last updated 27 November 2024, Microsoft 365 roadmap item 421190).
Brand impersonation protection means that users will be alerted if a new connection comes in from an external domain that impersonates a brand “commonly targeted by phishing attacks.” When this happens, Microsoft signals the potential risk, advises the user to proceed with caution, and requires the user to preview the message before deciding whether to accept or block the contact. In some respects, this is like the alert Outlook shows when the email address of a new sender resembles the address of someone the user already communicates with.
Brand Impersonation Block Rolling Out
Targeted release tenants already have brand impersonation protection. Microsoft says that they expect to complete worldwide deployment by mid-December 2024. Warnings about heightened risk are very helpful but users can still choose to go ahead and accept the connection. That’s why I still think it’s better to operate a known allow list for Teams external access.
Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.