Security researchers at Vectra uncovered a significant security vulnerability within Microsoft Teams’ guest chat feature. The flaw permitted unauthorized access to internal company chats, user information, and shared files by leveraging expired guest user accounts. The discovery highlighted a cross-tenant security blind spot in the popular collaboration platform.
The investigation by Vectra revealed that even after a guest user’s access was supposedly terminated, their user account remained active and accessible within the inviting organization’s Azure Active Directory (Azure AD). An attacker in possession of a valid, albeit expired, guest account token could use it to maintain access to any Teams chats they were previously a part of.
Details of the Security Vulnerability
The vulnerability stemmed from the persistence of guest user accounts, and the permissions attached to them, within Teams. When a guest user was invited to a chat, an account for them was created in the host organization’s Azure AD. Vectra found that this guest user’s access token was not invalidated when the guest’s access privileges were removed, so it continued to grant access to the chat’s entire history, any files shared within it, and the contact information of all participants. The user’s status appeared as ‘offline’, but they retained full access to the chat data.
Disclosure and Vendor Response
Vectra discovered the issue in late 2021 and reported its findings to the Microsoft Security Response Center (MSRC) on October 29, 2021. After an investigation, Microsoft closed the case, stating that the reported issue did not meet the criteria for an immediate security fix. Microsoft’s response placed the responsibility on customers for managing their guest accounts. Following this disclosure, Vectra recommended that organizations periodically audit guest accounts within their Azure AD and remove any that are no longer necessary to mitigate the risk.