
Intro
BEC (Business Email Compromise) is used very often (and very successfully) to infiltrate organizations. However, security solutions (SEG, SWG, EDR, etc.) and user education programs are continuously improving, making it more difficult for attackers to pwn your environment using BEC.
This got me thinking about new vectors that attackers can potentially leverage to gain access to a company. One of the first things that came to mind were chat/collaboration tools like Microsoft Teams. I really haven’t seen much written up on using these tools to get into an organization. Hmmm…what if we can leverage them to get into an org? We can bypass all those fancy email security solutions. Maybe we can coin this type of attack as “Business Chat Compromise (BCC)”. I brought up Google/Twitter to do a quick search of “BCC” and “Business Chat Compromise” to see if it had already been coined by someone else; I did not find anything on the interwebs regarding “BCC” or “Business Chat Compromise”. It sounds catchy so we’ll stick with it.
***WARNING***
Do not attempt to use any tactics or techniques described in this blog for illegal/nefarious purposes. This blog and actions performed in this blog were a theoretical exercise for the author. DO NOT perform any illegal/nefarious actions. The author will use the Microsoft 365 Developer environment. Note that there is a “Terms and Conditions” page in the Microsoft Developer online documentation (https://docs.microsoft.com/en-us/office/developer-program/terms-and-conditions) that you must read and understand before utilizing any of the Microsoft 365 Developer components.***
Let’s try some things!
Of all the business chat/collaboration applications, Microsoft Teams seems to be one of the most popular so I decided to focus there. If I were an attacker, what are some basic things I can try first? Let’s lay out some steps…
- Perform some OSINT on the “target company”.
- Create a legit-sounding email account like “TargetCompany.HelpDesk@WhateverEmailProviderYouChoose[.]com”. For my proof-of-concept, I chose Gmail.
- Use this account to register with Microsoft Teams.
- Initiate a conversation with an individual at the “target company”.
Ok, so I’m ready.
- I have a target in mind and found out their organization's email format: “firstname.lastname@targetcompany[.]blah”.
- I created a fake email address “Blah.HelpDesk@gmail[.]com”.
- I downloaded Microsoft Teams and registered my new “Blah.HelpDesk@gmail[.]com” account with it.
- Time to initiate the conversation with my target using Microsoft Teams! Ok, so when I try to initiate a conversation with the target user at the “target company” through Microsoft Teams, the target user receives this message:

That’s not really the outcome I want – the warning message displayed in Teams for the targeted user is pretty loud and direct. It says “Messages from unknown or unexpected people could be spam or phishing attempts”. If I want something like this to work, I need to be a little more discreet. Sure, I can keep bothering the targeted user (or move on to someone else) until they finally