How to use Trellix DLP Endpoint to prevent the Microsoft Teams security token mining issue
Technical Articles ID: KB96443
Last Modified: 2023-04-11 08:38:33 Etc/GMT

Environment
Data Loss Prevention (DLP) Endpoint 11.x
Microsoft Teams
Windows Operating Systems

Summary
A post-exploitation weakness was identified in the Microsoft Teams desktop client: it stores valid user authentication tokens on disk in plaintext, so an attacker with sufficient local or remote file system access can copy them. With a stolen token, the attacker can act as the token holder for any action the Teams client can perform, including calling Microsoft Graph API functions from the attacker's own system. Because the token is issued after sign-in completes, it is equally usable for MFA-enabled accounts; replaying it from another machine does not trigger a new MFA prompt, so MFA is effectively bypassed for as long as the token remains valid. A stolen token lets an attacker modify SharePoint files, Outlook mail and calendars, and Teams chat files, and tamper with legitimate communications inside the organization by selectively destroying or exfiltrating content or by running targeted phishing from a trusted account. For more details, see this blog.

Solution
To prevent attackers or untrusted processes from reading these token files, create an Application File Access Protection Rule in DLP Endpoint. DLP Endpoint integrates with Threat Intelligence Exchange (TIE), which lets the rule distinguish trusted applications (the Teams client itself) from untrusted or unknown processes based on their reputation.

NOTE: As a prerequisite for using DLP with TIE, the TIE server must be provisioned in your environment and registered with ePolicy Orchestrator (ePO).

Perform the following steps to create the Application File Access Protection Rule in DLP:
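The DLP rule above is the preventive control. The following PowerShell script is an added example, not part of this Trellix article and not Trellix code; it adds a detective check so that attempts by processes other than Teams to read the token store show up in the Windows Security log while the DLP rule is being rolled out and tuned. The token file location is an assumption (the article does not state it); the script assumes the classic Teams client's data directory under %APPDATA%\Microsoft\Teams and the process name Teams.exe, both of which you should adjust for your Teams build. It must be run from an elevated session, because changing a SACL requires SeSecurityPrivilege.

```powershell
# Added example, not from the Trellix KB article: audit (not block) reads of the
# Teams client's on-disk token store, as a detective complement to the DLP rule.
# ASSUMPTION: token files live under $env:APPDATA\Microsoft\Teams and the
# legitimate reader is Teams.exe; neither is stated in the article.
# Requires an elevated PowerShell session (SACL changes need SeSecurityPrivilege).

param(
    [string]$TeamsDataDir = (Join-Path $env:APPDATA 'Microsoft\Teams'),
    [string]$TeamsProcess = 'Teams.exe'
)

function Add-ReadAuditRule {
    param([Parameter(Mandatory)][string]$Path)

    # Audit successful ReadData by any principal; inherit to files and subfolders
    # so newly written token files are covered automatically.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]::ReadData,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)

    # -Audit is required so Get-Acl returns the SACL, not only the DACL.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-NonTeamsReaders {
    # Returns Event ID 4663 (An attempt was made to access an object) entries for
    # files under the Teams data directory whose accessing process is not Teams.
    param(
        [string]$Dir = $TeamsDataDir,
        [string]$Allowed = $TeamsProcess,
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $data['SubjectUserName']
                Process = $data['ProcessName']
                Object  = $data['ObjectName']
            }
        } |
        Where-Object { $_.Object -like "$Dir*" -and $_.Process -notlike "*\$Allowed" } |
        Sort-Object Time -Descending
}

# 1. The SACL only produces events if the File System audit subcategory is on.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Apply the audit rule to the assumed token directory.
Add-ReadAuditRule -Path $TeamsDataDir

# 3. Review who else has been reading it (run again after the DLP rule is live;
#    the list should be empty apart from backup or EDR agents you recognize).
Get-NonTeamsReaders | Format-Table -AutoSize
```

Object-access auditing on a busy directory is noisy, so scope the SACL to the token files once you have confirmed where your Teams build keeps them, and forward the 4663 events to your SIEM rather than reading them locally. The audit rule does not stop a read; only the DLP Application File Access Protection Rule (or removing the plaintext tokens by updating the client) does that.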