Microsoft Teams, as part of Microsoft 365 and Office 365 services, follows all security best practices and procedures, such as service-level security through security in depth, in-service user controls, security hardening, and operational best practices. Despite this, a number of vulnerabilities in using Teams also remain.

In this blog, we'll cover what MS Teams is, the benefits and risks, several ways to use it, and (most importantly) how to use the app safely.

What is Microsoft Teams?

It was difficult to understand what MS Teams is and how the service can be used. Some believe that it is just a tool for correspondence, others believe that it is a more advanced version of Skype for Business. Microsoft Teams, meanwhile, is much more powerful.

Microsoft Teams is essentially a competitor to Slack. Teams combines always-on workplace chat, video meetings, file storage and collaboration, and application integration. It has a range of features and integrations that allow remote teams (or even local teams) to work closely and collaborate more easily.

MS Teams is available for most Office 365 licenses, making it widely used in enterprise settings.

MS Teams is not a data warehouse. Teams is a front-end interface that sits on top of the Office 365 infrastructure and data stores and helps users easily communicate, access, and share data. When a new team is created, a new security group with group members is created in Azure AD. A new hidden mailbox is created in Exchange Online, a new site is created in SharePoint Online, and files shared through private chats are uploaded to OneDrive.

All this happens automatically, without the user's knowledge.

Cloud Security

Before cloud computing, you relied on your company's firewall as a secure perimeter. You've run your application servers, file servers, Exchange Server, SharePoint Server, and possibly Skype for Business Server behind a firewall in your data center. Your goal was to keep the good things and the bad things out, and a key pillar of security was the firewall configuration.

What work did your users do inside the firewall? Two main types:

• communication by phone, message, private chat, group chat and email
• working with files  such as documents, spreadsheets, presentations and images

For most of us, this amounts to about 95% of work per day.

With the advent of cloud services such as Microsoft Office 365, users can communicate and work with files outside of the data center. Instead of running their own servers and firewall, companies subscribe to cloud services for products such as OneDrive, Exchange, SharePoint, Office 365 and Skype for Business. In this scenario, there is no firewall and we must focus on protecting people, not the perimeter. This starts with protecting the most important aspect of that user - their credentials. Strong passwords and multi-factor authentication are now basic minimum requirements. From here we can use cloud-based security services that ensure that users only connect from certain known locations and on approved devices. This is better security than a firewall and a simple username and password.

But Microsoft Teams security goes much further.

Is Microsoft Teams generally safe?

Teams is designed around  four main functions:

1. Communication
2. Meeting
3. Call
4. Cooperation

All four of these functions are consistent with the communication with colleagues mentioned above. The fourth, collaboration, coincides with working on files. In other words, Teams unifies communication and file sharing, and the core of Microsoft Teams security is to ensure that communication and file sharing only occurs between known authorized users who should have access to the data.

So, is Microsoft Teams safe?

The short answer is: “Yes, it is safe.”

Microsoft Teams is designed to provide security, but just like the doors and windows in your home, you need to use locks in a way that strikes the best balance between security and ease of use.

For an administrator, the simplest but most important lock on the front door is the basic identification of the user account. One of the benefits of all Microsoft 365 apps, including Teams, is that the user's identity is in  Azure AD. Recent improvements to Azure AD's identity security capabilities are a big step forward in providing security for all applications that use it. Features such as customizable MFA account options, account lockout options, and support for single sign-on across apps are core capabilities that have become very effective pillars of identity security. Premium Azure AD management features, such as Identity Protection, use AD account activity signals to identify, detect, and investigate advanced threats across all Microsoft cloud apps, including Teams.

More advanced Azure AD Privileged Identity Management features such as  conditional access,can also use these signals to strengthen privileged identities.

How Teams deals with common security threats

This section describes the most common security threats to the Teams service and how Microsoft addresses each threat.

Attack with a compromised key

Teams uses the PKI features in the Windows Server operating system to protect the key data used to encrypt TLS connections. The keys used to encrypt media are sent over TLS connections.

Network denial of service attack

A distributed denial of service (DDOS) attack occurs when an attacker interferes with the normal use and functioning of a network by valid users. Using a denial of service attack, an attacker can:

• Send incorrect data to applications and services running on the attacked network in order to disrupt their normal operation.
• Send large amounts of traffic, overloading the system until it becomes unresponsive or slow to respond to legitimate requests.
• Hide evidence of attack.
• Deny users access to network resources.

Teams mitigates these attacks by running Azure network DDOS protection and throttling client requests from the same endpoints, subnets, and federated entities.

Eavesdropping

Eavesdropping occurs when an attacker gains access to a data path on a network and has the ability to monitor and read the traffic. Eavesdropping is also called sniffing or snooping. If the traffic is plain text, an attacker can read the traffic when the attacker gains access to the path. An example would be an attack carried out by manipulating a router along the data path.

Teams uses mutual TLS (MTLS) and server-to-server (S2S) OAuth (among other protocols) to communicate between servers in Microsoft 365 and Office 365, and also uses TLS from clients to the service. All traffic on the network is encrypted.

These communication methods make eavesdropping difficult or impossible during the time period of a single conversation. TLS authenticates all parties and encrypts all traffic. Although TLS does not prevent eavesdropping, an attacker cannot read the traffic unless the encryption is broken.

Protocol Traversal Using Relays around NAT (TURN) is used for real-time multimedia. The TURN protocol does not require traffic encryption, and the information it sends is protected by message integrity. Although it is open to interception, the information it sends, i.e. IP addresses and port, can be extracted directly by looking at the source and destination addresses of the packets. The Teams service ensures that the data is valid by verifying the integrity of the message using a key derived from several elements, including the TURN password, which is never sent in clear text. SRTP is used for media traffic and is also encrypted.

Identity spoofing (IP address spoofing)

Spoofing occurs when an attacker identifies and then uses the IP address of a network, computer, or network component without authority to do so. A successful attack allows the attacker to act as if the attacker were an entity, usually identified by an IP address.

TLS authenticates all parties and encrypts all traffic. Using TLS prevents an attacker from performing IP spoofing for a specific connection (such as mutual TLS connections). It is still possible for an attacker to spoof a Domain Name System (DNS) server address. However, since authentication in Teams is done using certificates, an attacker will not have the reliable information needed to spoof one of the parties in the communication.

Man in the middle attack

A man-in-the-middle attack occurs when an attacker redirects communications between two users through the attacker's computer without the knowledge of the two interacting users. An attacker can monitor and read traffic before sending it to the intended recipient. Each user in communication unknowingly sends traffic and receives traffic from the attacker, while thinking that he is communicating only with the intended user. This scenario can occur if an attacker can modify Active Directory Domain Services to add their server as a trusted server, or change the DNS configuration, or use other means to force clients to connect through the attacker on their way to the server.

Man-in-the-middle attacks on multimedia traffic between two endpoints sharing audio, video, and Teams apps are prevented by secure real-time transport protocol (SRTP) to encrypt the media stream. Cryptographic keys are negotiated between two endpoints over a proprietary signaling protocol (Teams Call Signaling protocol) that uses TLS 1.2 and an AES-256 (in GCM mode) encrypted UDP or TCP channel.

Real-time transport protocol (RTP) replay attack

A replay attack occurs when a live media transmission between two parties is intercepted and retransmitted for malicious purposes. Teams uses SRTP with a secure signaling protocol that protects transmissions from replay attacks by allowing the recipient to maintain an index of RTP packets already received and compare each new packet with packets already listed in the index.

Spam

Spam is unsolicited commercial instant messages or requests for presence subscriptions, like spam, but in the form of instant messages. While this in itself is not a network compromise, it is at a minimum annoying, can reduce resource availability and performance, and possibly lead to network compromise. For example, users spam each other when sending requests. Users can block each other to prevent spam, but with federation, if an attacker sets up a coordinated spam attack, it can be difficult to overcome unless you disable the federation from the partner.

Viruses and worms

A virus is a unit of code whose purpose is to reproduce more similar units of code. A virus needs a host, such as a file, email, or program, to operate. Like a virus, a worm is a unit of code that reproduces more similar units of code, but unlike a virus, it does not require a host. Viruses and worms mainly manifest themselves during file transfers between clients or when sending URLs from other users. If there is a virus on your computer, it could, for example, use your identity and send instant messages on your behalf. Standard customer security best practices, such as periodic virus scanning, can solve this problem.

General questions about Microsoft Teams security

Is Teams secure from a network perspective?

From a networking perspective, the Teams cloud service has built-in protection against  common security risks for the Teams service , including network denial-of-service attacks, eavesdropping, spoofing and man-in-the-middle attacks.

Microsoft Teams security relies on  Transport Layer Security (TLS) and Mutual TLS (MTLS) protocols  to ensure all communications are encrypted. Teams data, including messages, files, meetings, and other content, is encrypted in transit and at rest in Microsoft data centers.

MTLS  encrypts  traffic between servers. TLS is used for client-server communications (such as instant messaging) and signaling. Media streams, such as shared audio and video, are encrypted with Secure Real Time Transport Protocol (SRTP)/TLS.

Where are the most overlooked Microsoft Teams vulnerabilities?

As we saw with email, in many cases the end user is the most vulnerable link in the security chain. Email phishing attacks are growing rapidly and becoming very sophisticated. Although the number of phishing attacks in Microsoft Teams is much lower, there have been breaches involving malicious links being posted in Teams messages (private chats and channel messages). Likewise, there is a possibility that malicious files will be downloaded and made their way into your Teams deployment and then onto end user devices.

Just as Teams leverages other Microsoft 365 workloads to provide a fantastic experience, other management tools in the Microsoft 365 Security and Compliance ecosystem can be used to further protect the Teams app itself.

Microsoft Advanced Threat Protection  (now called Microsoft Defender for Office 365) provides Safe Attachment and Safe Links capabilities to help protect against malicious files and malware. ATP's Basic Service Plan (Plan 1) provides this capability and can be purchased as an add-on or included with a full E5 license. There are also third-party management vendors that provide varying levels of protection against phishing and malware.

Why is monitoring important?

The value of monitoring is that it helps you understand what's changing in your environment and can automatically alert you to anomalies.

Tools and technologies like Microsoft Teams are easy to deploy for you and your colleagues to use, but your work doesn't end there. When you create a baseline and track activity, you see changes in who has access to what, who adds and deletes data, and how that data is used. In the event of a security incident, monitoring with history makes it easier for you to trace back in time.

Does Microsoft Teams security extend to endpoint security?

As we've said, Teams provides security as part of the larger Microsoft 365 and Azure suites. He also offers  Enterprise Mobility + Security (EMS) - another group of security features such as Azure AD, Intune, multi-factor authentication and  Endpoint Configuration Manager .

By using  Intune , included with EMS, you can ensure that users can only access your Office 365 resources from devices that meet the eligibility criteria you specify. For example, you can exclude devices that are jailbroken or lack antivirus protection.

Teams also  Complies with Azure Active Directory Conditional Access policies . For example, you can set policies to limit the use of Teams apps to devices that are Intune-compatible or joined to your domain.

Summary

With a growing proportion of people working remotely and Microsoft Teams deployed and used by millions of users, it is important to understand all areas of Microsoft Teams security and configure them to meet your security and management needs. for your organization.

This article has been an introductory article and provides an overview of the key areas needed to secure Microsoft Teams. Teams can be further protected using advanced Azure AD identity features and Microsoft (or third-party) edge solutions such as endpoint protection. These areas require separate expertise to configure accordingly.

Microsoft Teams has become critical to business continuity. Do your best to secure Teams and maximize user collaboration to ensure continuity.

If you still have questions and want to implement the Microoft infrastructure and buy licenses in Kazakhstan, just contact us. At Fanetech, we help businesses maintain their technological edge and leverage the power of Microsoft services across everything 100%.