Teams, Slack, and GitHub, oh my! – How collaborative tools can create a security nightmare

Fast and efficient collaboration is essential to today’s business, but the platforms we use to communicate with colleagues, vendors, clients, and customers can also introduce serious risks. Looking at some of the most common collaboration tools — Microsoft Teams, GitHub, Slack, and OAuth — it’s clear there are dangers presented by information sharing, as valuable as that is to business strategy.

Any of these, if not safeguarded or if used inappropriately, can become a path for attackers into your network. The best protection is to be aware of these risks and apply the appropriate configuration changes and policies to your organization to help prevent attackers from gaining a foothold — that also means acknowledging and understanding the threats of insider risk and data exfiltration.

Attackers often know your network better than you do. Chances are, they also know your data-sharing platforms and are targeting those as well. Something as simple as improper password sharing can allow a bad actor to phish their way into a company’s network, and collaboration tools present a golden opportunity to do so.

Here are some of the most popular collaboration platforms and how to become more aware of and help mitigate the threats that can affect them.

Microsoft Teams

As defined by Microsoft, Teams “is the chat-based workspace in Office 365 that integrates all the people, content, and tools your team needs to be more engaged and effective.” Because it’s so widely used, attackers also see it as a rich platform for attack — in August of 2023, Microsoft alerted that Teams was used in targeted attacks by the threat actor Midnight Blizzard.

Attackers sent files in Teams chat that turned out to be credential phishing lures, compromising Microsoft tenants by posing as technical support entities. As Microsoft noted, “Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts.” The attackers lured the Teams user into submitting their approval through the Microsoft Authenticator app.

When building Teams security, first determine the level of risk your organization is willing to accept. For example, do you want Teams to be open to anonymous users or limit it strictly to internal users?

To adjust this setting, perform the following steps:

  • Sign in to the Microsoft Teams admin center.
  • Select Users > Guest access.
  • Set Guest access to On or Off depending on your tolerance level.

If you decide to allow guest access, be aware that Teams can then be used as a means of attack. You can improve security by deploying more phishing-resistant authentication methods, such as number matching, rather than allowing a prompt to be approved with a simple tap.

Next, consider implementing Conditional Access rules. This requires additional licensing to implement but may be wise, as attackers turn more and more to using the cloud as a launching point for attacks.

Conditional Access rules let you restrict Microsoft 365 sign-ins by requiring stronger authentication, using the built-in authentication strengths: Multifactor authentication strength, Passwordless MFA strength, and Phishing-resistant MFA strength.

You may decide to limit your Teams interactions to approved domains rather than leaving it open to new and anonymous users. And of course, educating end users only to accept files from trusted partners is crucial.

Slack

Slack is a communication platform originally used by the developer community that has since found widespread use. The risk presented by Slack is its misuse under the assumption that it is a trusted and secure venue when that is often not the case.

Like any other popular platform, Slack can be subject to native vulnerabilities as well as risks introduced by third-party integrations. When used for development work, it is often used to store credentials or other sensitive information inappropriately. As with Teams, the platform is then used to share this sensitive information without consideration for its security.
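One way to find credentials that have been pasted into chat is to scan a workspace export for common secret shapes. The following is an added example, not code from the article or from Slack: the input mimics a Slack export (one JSON array per channel, each message with `user`, `ts` and `text`), and all sample messages and token values are constructed.

```python
import json
import re

# Added example, not from the article. Input mimics a Slack workspace export:
# one JSON array per channel, each message with "user", "ts" and "text".
# Token regexes follow the public prefixes; the password rule is a heuristic.
SECRET_PATTERNS = {
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
}

# Constructed sample export: channel name -> raw JSON file contents.
SAMPLE_EXPORT = {
    "dev-backend": json.dumps([
        {"user": "U01A", "ts": "1700000001.000100",
         "text": "prod db creds: password=Tr0ub4dor&3 host=db.internal"},
        {"user": "U01B", "ts": "1700000002.000100", "text": "thanks, deploying now"},
        {"user": "U01A", "ts": "1700000003.000100",
         "text": "bot token is xoxb-1234567890-abcdefghijklmnop"},
    ]),
    "general": json.dumps([
        {"user": "U02C", "ts": "1700000004.000100",
         "text": "Lunch at noon? Reset your password in the portal."},
    ]),
}


def redact(secret: str) -> str:
    """Keep a short prefix so the finding is recognisable, hide the rest."""
    return secret[:6] + "..." if len(secret) > 6 else "***"


def scan_export(export: dict) -> list:
    """Return one finding per (message, pattern) hit, never the secret itself."""
    findings = []
    for channel, raw in export.items():
        for msg in json.loads(raw):
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(msg.get("text", "")):
                    findings.append({"channel": channel, "ts": msg.get("ts"),
                                     "user": msg.get("user"), "kind": kind,
                                     "redacted": redact(match.group(0))})
    return findings


if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"#{f['channel']} {f['ts']} {f['user']}: {f['kind']} -> {f['redacted']}")
```

Findings carry channel, timestamp and author so the message can be removed and the credential rotated; the secret itself is never written out.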

To ensure that your Slack instance remains secure, enable two-factor authentication (2FA) to add an extra layer of security. Consider adding domain whitelisting to restrict access, and monitor who has access to externally shared channels.

Finally, ensure that you avoid granting excessive permissions and closely manage access and visibility for guest users. As with any sharing platforms, it’s good practice to ensure that you review invitations to guest users and police their level of access.

GitHub

Users of the software-sharing platform GitHub range from the general public to private industry. As a result of its open nature, it has also become a repository for malicious content. While most visit to download clean code, they can be fooled by bad actors who prepare what appears to be working code and then entice users to download files that actually contain a malicious payload.

As noted by Apiiro researchers, as many as 100,000 GitHub repositories in use carry malicious code that could potentially infect users.

When building and reusing code repositories, it’s imperative that you vet the code that you use. Ensure that your developer and information technology teams are aware of the dangers and have the necessary tools and education to detect any malicious code.

The stakes can be high and the impact of an infection might take months or years to surface — bad actors often look for ways to inject themselves into the supply chain of third-party tools with the intention of lying in wait until they decide it’s the right time to launch a larger attack.

OAuth

Applications often use OAuth to share credentials and access other services. OAuth permissions are permanent and, in some cases, can allow your users to inadvertently authorize applications they weren’t aware of.

Even if you go into the application that has been granted the OAuth permission, you may not be able to fully remove the authorization. Thus, review your Microsoft 365 mailbox authorizations ahead of time and configure the tenant so that administrators must authorize any OAuth access.

If you’ve already allowed users to approve their own third-party applications, go to https://security.microsoft.com, scroll down to Cloud Apps and select OAuth Apps. Ensure that only those applications that you know and trust are present and accepted in your domain.

Review the permissions and when they were last authorized. Also, consider whether you need to add additional policies to analyze risks related to these cloud applications and set up notifications accordingly.
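The review described above can be scripted once the grants have been exported. The following is an added example, not code from the article or from Microsoft: the records are shaped like Microsoft Graph’s `oauth2PermissionGrant` resource (`clientId`, `consentType`, `principalId`, `resourceId`, `scope`), and all app names, ids and the trusted-app list are constructed placeholders for your own inventory.

```python
# Added example, not from the article: triage a listing of OAuth2 permission
# grants shaped like Microsoft Graph's oauth2PermissionGrant resource. All
# values below are constructed; trusted_apps stands in for your own inventory.

# Delegated scopes that give broad mailbox, file or directory access.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "MailboxSettings.ReadWrite",
}

APP_NAMES = {"sp-1111": "Contoso Expense Bot", "sp-2222": "Mail Helper Plus",
             "sp-3333": "Calendar Sync"}  # constructed service principal names

# consentType "AllPrincipals": an admin consented for the whole tenant;
# "Principal": a single user consented for themselves.
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-1111", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph", "scope": "User.Read openid profile"},
    {"id": "g2", "clientId": "sp-2222", "consentType": "Principal",
     "principalId": "user-abc", "resourceId": "graph",
     "scope": "Mail.ReadWrite Mail.Send offline_access"},
    {"id": "g3", "clientId": "sp-3333", "consentType": "Principal",
     "principalId": "user-def", "resourceId": "graph",
     "scope": "Calendars.Read offline_access"},
]


def triage_grants(grants, app_names, trusted_apps):
    """Flag grants on apps outside the trusted list that were user-consented
    or carry a high-risk scope; high-severity findings are listed first."""
    flagged = []
    for g in grants:
        if g["clientId"] in trusted_apps:
            continue
        scopes = set(g["scope"].split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        user_consented = g["consentType"] == "Principal"
        if not (user_consented or risky):
            continue
        flagged.append({
            "grant": g["id"],
            "app": app_names.get(g["clientId"], g["clientId"]),
            "user_consented": user_consented,
            "risky_scopes": risky,
            "persistent": "offline_access" in scopes,  # app holds a refresh token
            "severity": "high" if risky else "medium",
        })
    return sorted(flagged, key=lambda f: f["severity"] != "high")
```

Grants flagged as `persistent` keep working without the user present, which is why revoking the grant, not just uninstalling the app, is the right remediation.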
