Microsoft Teams user enumeration
The pandemic has increased the use of collaborative tools. Microsoft Teams is no exception: the number of daily active users increased 4 fold between March and October 2020 to reach 115 million users. Of course, increase in usage of any technology as security implications. In this post, we will show that Microsoft Teams may be vulnerable to user enumeration, depending on the configuration.
What is user enumeration?
User enumeration is a security weakness that allows an attacker to determine whether a specific username is valid. The most common form of user enumeration manifests within the authentication or user-management process. If the server returns a different response when the user is valid and when it is not, a malicious actor can use brute-force to establish a list of valid users in the system.
At the time of writing, several Microsoft products and services are vulnerable to user enumeration. The reader will find below a few existing tools allowing to enumerate the user on those platforms:
- Outlook Web Access: msmailprobe
- Exchange: msmailprobe
- Onedrive: onedrive_user_enum
- Skype / Lync: lyncsmash
- O365: Carnivore and Go365
Vulnerabilities of the above products are covered in detail on the Internet, we will concentrate on Microsoft Teams.
Why is it important?
Since these products are often exposed on Internet and use the internal Active Directory for authentication, an attacker could target them to enumerate internal users. Of course, this would require a list of potential users but using a social network like LinkedIn or documents metadata (PDF, word document, …) will provide enough material in most cases. Obtaining a list of users is an essential part of the reconnaissance phase of an intrusion test or a real attack. This allows more advanced attacks targetting a specific user. For example, an attacker could:
- Try to do a smart bruteforce with common passwords;
- If a lockout policy is configured, an attacker could make a denial of service by submitting wrong passwords on numerous accounts;
- Target specific users for phishing campaigns.
Once a valid credential is found, the ill-intentioned user may gain access to sensitive information.
Without user enumeration, those attacks are significantly more difficult as the attacker has to guess both username and password.
What about Teams?
As for the products discussed above, user enumeration is also possible on Microsoft Teams, the online collaboration software of Microsoft.
Teams exposes a feature allowing to look for external users. It can be abused to enumerate internal users of the organization.
Knowing the request which is sent by Teams will help us to understand what information is returned and automate the request. As Teams uses the system proxy, we simply need to set up Burp as proxy in order to inspect all the request made to Microsoft API. When searching for an external user the request presented in Figure 2 is sent to the Teams API.
We notice three different behaviors:
- The user doesn’t exist (even in the case of the “External access” is disabled) or the user has not office 365 license enable: the response is empty with the status code 200
- If the setting “External access”(see the Remediation part) is disabled (not default) and the user exists: the response is empty with the status code 403
- The user exists: the response contains json data
In case of the user exists, the display name field can bring more information on the target. For example, if the email address of the user John Doe is firstname.lastname@example.org the display name can reveal the first name.
When the settings “External access” (detailed on the Remediation part) are enabled, we could use the user ID (mri) retrieve with the previous request (Figure 2 and Figure 3) to know the status of the target user as well as the device used to connect (mobile, desktop, web). This information is useful when drawing up a phishing/red team scenario. It could be for example, calling a helpdesk service of the targeted company to ask for a password reset of an employee who is out of the office.
Below the request to Teams API to get the user’s presence with the device used.
The response below shows the user is connected through the web interface.
To summarize, these API endpoints allow checking If an email address exists on Teams and getting the display name and according to the configuration you can also get the presence and the device type used to connect.
The best way to protect against this is to configure the External Access in the Microsoft Teams admin center.
As presented above, two options are allowed by default. These two options allow users from different organizations to found each other through the search feature and communicate with Teams or Skype.
If you have no use case to contact or be contacted by someone outside of your organization you should disable the two options above. Otherwise, you should disable these options and whitelist the domain you communicate with.
immunIT has developed a tool (https://github.com/immunIT/TeamsUserEnum) to quickly enumerate valid users from a list.
Usage: UserEnumTeams userenum [flags] Flags: -e, --email string Email address -h, --help help for userenum -t, --token string Bearer token (cookie authtoken) -u, --user string File containing the email address Global Flags: -v, --verbose Verbose
The token can be retrieved in the cookie authtoken of the domain https://teams.microsoft.com/.
Enumerate the list emails.txt to get the valid one.
.\UserEnumTeams userenum -u emails.txt -t “eyJ0eXAiOiJKV1QiLCJub25jZSI6IlpNc3FVTnJDeUJaYTBJZ3RXSmFsNUZWVjRU……vKiXYtCir3GJ9rMPAhPXiXSzSMeOPiSaM7SDoCg”
Get json response of Teams API for one email.
.\UserEnumTeams userenum -u email@example.com -t “eyJ0eXAiOiJKV1QiLCJub25jZSI6IlpNc3FVTnJDeUJaYTBJZ3RXSmFsNUZWVjRU……vKiXYtCir3GJ9rMPAhPXiXSzSMeOPiSaM7SDoCg” -v