Microsoft Teams: Slash commands for apps

🚨 The Signal: Teams now supports slash commands for apps, enabling direct interaction with applications and agents from the chat compose box. This expands the attack surface for malicious app interactions and data exfiltration.

The Impact

All Teams users are affected, increasing the risk of unauthorized data access and malicious app execution.

• End Users: Increased risk of inadvertently executing malicious app commands or sharing sensitive data.
• Security Teams: New vectors for data exfiltration and unauthorized access require updated monitoring.
• Admins: Need to review and potentially restrict app permissions and availability within Teams.
• Compliance Teams: Must reassess data handling and access controls for app interactions.

The Action

1. Review and update Microsoft Teams app governance policies to restrict unapproved applications.
2. Audit existing Teams apps and their permissions for least privilege access.
3. Implement or reinforce Data Loss Prevention (DLP) policies for Teams to prevent sensitive data exfiltration via apps.
4. Educate users on safe app interaction practices and the risks of unauthorized slash commands.
5. Monitor Teams audit logs for unusual app activity or command execution.

Domain: Teams · Impact: high · Workload: Teams · Essential Eight: Application Control · ISM: ISM-0843, ISM-1490, ISM-1544, ISM-1582, ISM-1656, ISM-1657, ISM-1658, ISM-1659, ISM-1660, ISM-1870, ISM-1871