Security experts say Microsoft downplayed the severity of a Teams hack

One non-interactive message could expose an entire organization's Teams data.


Microsoft is under scrutiny in the cybersecurity community for potentially trivializing the nature and risk of a recently disclosed hacking technique. In a GitHub post, security researcher Oskars Vegaris demonstrated, with accompanying screengrabs, how an attacker could exploit a vulnerability in Microsoft Teams to remotely run malicious code inside the platform and compromise users' private data.


Vegaris explained that he brought the issue to Microsoft's attention in August this year; on September 30 the company rated it "Important, Spoofing." By October, the issue had been resolved, according to Microsoft. The firm said it did not notify users of the vulnerability on the grounds that security patches for Teams are installed automatically. Potentially understating the severity of a remote code execution (RCE) bug in this way is troublesome, Vegaris warned.

Security experts are frustrated with Microsoft's approach because Teams is used by numerous organizations, companies, and individuals, from students and small businesses to major corporations. A bug of this magnitude could adversely affect them all, and any other entity that uses Teams.

The background — Microsoft categorized the issue as "Important, Spoofing" but Vegaris wrote on GitHub that the classification downplayed the urgency of the problem as this particular tag is "one of the lowest in-scope ratings possible." It could easily mislead users into thinking that the bug posed no danger to user privacy or data integrity.

Because the vulnerability could be triggered remotely, it posed a much higher threat than the rating suggests. The exploit required no user interaction beyond viewing a message, which means it could slip past a victim unnoticed: simply having a user view an innocuous-looking message was enough to run the attacker's code within Teams. Because that code runs inside the Teams client itself, it can expose private messages, security keys, and other sensitive information, and it can be used to mount phishing attacks.

Especially worrying is the fact that the exploit arrived as an ordinary-looking message and executed the moment a user opened it. "That's it," Vegaris wrote. "There is no further interaction from the victim. Now your company's internal network, personal documents, [Office 365] documents, mail, notes, [and] secret chats are fully compromised. Think about it. One message, one channel, no interaction. Everyone gets exploited."

The hack is only the latest headache for Microsoft. A little over a week ago, the addition of "Workplace Analytics" — diplomatic phrasing for effectively surveilling workers' virtual movement, activity, and "productivity scores" — to Office 365 elicited mass criticism and condemnation. Downplaying a bug like this only worsens Microsoft and Teams' public image.

"At least now we have a new joke between colleagues," Vegaris wrote. "Whenever we get a remote code execution bug, we call it 'Important, Spoofing.' Thanks, Microsoft."