Purple Team

Gone Tishing: Abusing Microsoft Teams Security Misconfigurations for Webhook Hijacking and other Shenanigans

Misconfigurations are common vulnerabilities in business communication platforms that can be leveraged to build more complex security awareness trainings going beyond the classic phishing email. These concerns tend to arise from third-party components integrated within the client that provide additional communication functionality often used by software teams during development. Webhooks are a specific example: they are frequently used in corporate environments to tie these third-party applications together for system updates and other development notifications, and they are often insecure due to the client's default configuration. This talk explores how to find and abuse misconfigurations within the Microsoft Teams business communication platform for webhook hijacking and other shenanigans, to test both security best practices and general employee awareness at your organization. It provides a real-world scenario of how these hooks can be stolen to conduct complex social engineering attacks that compromise corporate credentials and expose other valuable business information. It offers detection and prevention solutions for these elevated attacks that apply to every department outside your security team. At the end of this discussion, you will walk away with better awareness of the vulnerabilities existing in these popular communication clients, and of how they can be discovered, remediated, and then prevented. You may even find a new direction for your company's next annual phishing test!

Jessa Gegax

Jessa Gegax is an Information Security Testing Analyst at Surescripts LLC in Minneapolis, MN. Jessa holds an undergraduate degree in Computer Science and a minor in Environment and Natural Resources, with research interests in offensive cloud security, IoT devices, and web application/API penetration testing. In their free time, Jessa likes to go backpacking, practice yoga, and spend time with their dog (in no particular order).

You'll wish you went sooner!

We proudly present SecretCon, an entirely unparalleled conference for the state of Minnesota, built for our new digital reality. This conference is dedicated to the many specialties of our hacker, cybersecurity, and privacy community. We have taken it upon ourselves to construct a conference that not only embraces our past, but also looks to the future. Join us!