
In many cases, both in the virtual and real world, perceived security does not match actual security. Aligning these two aspects is, in fact, the main goal of security awareness.

The use of instant messaging (IM) services, such as Microsoft Teams™, presents risks that are often not intuitive and requires careful consideration of their security implications.

We often feel safe when sending a private message to someone else. However, in most cases, sharing particular information carries a varying degree of risk depending on the platform used and the type of data exchanged.


DFIR: Risks observed

During several DFIR (Digital Forensics & Incident Response) analyses conducted by our Incident Response Team, we observed that on Microsoft Teams™ it is relatively easy for an attacker to read messages stored locally on the system and to quickly steal that information using malicious applications such as stealers.

This issue arises because message encryption, while strong while the data is in transit, often does not protect the copy of the messages stored on the endpoint's disk.

It’s easy to see how this exposes organizations to risks of exfiltration of credentials, passwords, or sensitive information, which could quickly end up in databases sold on the dark web.

In practice, sending a password via Microsoft Teams™ carries a risk comparable to writing it in plain text in a document or spreadsheet, a practice that should be strictly avoided.


Best Practices for protecting critical data

This example illustrates how even seemingly harmless use of Teams™ can lead to serious security issues. It’s important to remember that no instant messaging service can be considered inherently secure for transmitting critical information.

The best approach remains caution and common sense:

  • For sensitive or critical data, use dedicated solutions that leverage modern, robust encryption algorithms.
  • Ensure security both in transmission and storage of data.

It is no coincidence that the NIS2 directive requires encryption where necessary as part of an overall security strategy, recognizing it as the deepest and most internal layer of protection for an organization’s critical data.

Analysis by Paolo Leoni – Incident Response Specialist, CYBEROO