Teams guest invitation emails pose serious (information leakage) risks

New Contributor

Teams guest/external user invitation emails pose serious (information leakage) risks, without sharing minimal unique identification details for an inviting party.

 

When you invite, or get invited as guest/external user, an (teams service) email invitation is sent out. Because this message contains no unique identifiable details on the inviting party, an invitee has no clue who/where an invite comes from and as such if an invite comes from a known/trusted party/person.

 

The message header contains a full name (John Do), while the message body only contains a first name (John). The message is received from ‘Microsoft Teams noreply @ email.teams.microsoft.com ’, which of course is a trusted service…, but no clue who/which John Do is asking. Without any unique identifiable information, no one should ever select the ‘Join Teams’ link. From a security/phishing perspective this message shouldn’t even arrive in a user’s mailbox.

 

Other (social) platforms share at least (a) unique additional detail(s) for the requestor, for better or worse on which you could base an decision to accept or deny. From an organizational perspective you might even consider which (personal) identification details to share, while (receiving) inviting a guest, and/or even what minimal information is required before allowing a message to arrive in a mailbox

Once you have guest member(s) for a team, you should be able to (re)identify, each user and guest uniquely, meaning that minimal identification details should included in the ‘member’ cart, instead of John Do (External), and/or multiple John Do’s etc..

 

Specifically in a world where users have/bear multiple identities, as well as multiple users share first/last/full names, like John Do, you should be able to easily and at all times identify members uniquely.

 

Scenario’s:

  1. Contoso Organization John Do

John Do from the Contoso organization invites johndo @ hotmail.com and johndo @ outlook,.com  to become Teams (guest) member. Each (Microsoft account) John Do receives an invitation with subject ‘You have been added as a guest to Contoso in Microsoft Teams’ and from ‘Microsoft Teams noreply @ email.teams.microsoft.com .’ In the body John (only shared details is first name) could be John working at Contoso. Ok, so this is a trusted company, but no clue what I could share with whoever is John. Of course this can be validated once accepted, but should I…

 

Now John Do at Contoso needs to start an external chat with johdo @ live.com . Another John with a Microsoft account. While typing in the To: line ‘johndo @ live.com’, an action shows “Search johndo @ live.com externally’. You are required to select the action, with a result to select from 2 johndo @ live.com  (External). One with an “Skype” icon as well as ‘johndo’ the other without anything additional.

 

Selecting one of these John Do’s allows for sending a chat message. In the background the (Skype) John Do ends up no where … (could be something related to my config/testing). Selecting the other (blank) John Do, is received in Teams (personal) chat. Though here the inviting user is identified as Unknow User and hovering over shows ‘Unknow User is using Teams with an account managed by an organization. Some features… ‘). Also this could be related to my configuration???. Block or Accept? Guess what, you can’t accept.

 

Optionally you can select “Preview Message”. This shows the initial chat (message), as well that it comes from John Do. Probably the 'Unknown User' from 'an organization'.

 

  1. Microsoft account John Do

Using Teams (personal) on Windows 11, (Microsoft account) John Do is initiating a chat with johndo @ contoso.com . Contoso John will receive an email from ‘Microsoft Teams noreply @ email.teams.microsoft.com ’ with subject ‘John Do invited you to Microsoft Teams’ and in the messagebody that John (first name only) invited you with a link 'Join Teams'. The link contains probably a unique reference, , obfuscated for this scenario, and looks like https://teams.live.com/l/invite/XXXXXXXXXXXX_f6AwI?v=e1 . Again not something you can't/shouldn't accept.

 

From a conversation point of view

Even if you would except all these requests, it then becomes hard or even impossible to clearly identify/differentiate among each John Do, beacuse they all rollup as John Do in the conversations.

Even withing an organization multiple John Do’s easily exist. Hovering over (members) makes them identifiable, but it would be great to optionally change their ‘display name’ or anything else to uniquely. For external John Do’s they seem all endup as John Do (External).

3 Replies

@ITSChange I wouldn't consider anything else written in an email as verifiable information and would certainly train users not to accept invites they aren't expecting. I think your proposal would actually be worse by making the invite seem more credible even though it's not.

 

My org has used fake teams invites as part of our anti-phish training to make sure we are all used to not clicking on things we are not expecting.

 

 

Hi @Steven Collier, I completely agree as you might see in my message. Though this is a default way of working in Teams and Teams 'personal' and even in a case where you might expect an invitation, it's gives you now clue if this is the right person. In 'personal' (Windows 11) chats, it can even offer an phishing approach.

 

Additionally, with one or more externals, it's hard to identify where they come from/ who is who. Hovering over a (external Microsoft accounts) only shows a name and "External".

@ITSChange I don't see how you would solve that. Adding the full name or email to the invite would only ever achieve a false sense of safety. The best solution would be if the invite was sent from the remote users mailbox, but that would also have other issues and I'm sure other competitors aren't able to do that.