Google Firebase exploit highlights risk of third-party development tools and potential phishing risks of new messaging platforms

Reports from around the world today saw Microsoft Teams users receiving unexpected notifications on their devices – prompting some concerns around potential phishing.

While users shared their experiences on Reddit, early analysis indicates this may be linked to a recently published vulnerability in Google’s Firebase Cloud Messaging (FCM) platform.

Discovered by security researcher Abhishek Dharani, the vulnerability allows the FCM keys stored in APK files to be exploited in order to broadcast messages to anyone using a Firebase-based application.

Today’s seemingly innocuous messages simply read “Test notification!”, but according to Abss, the vulnerability could pose a far more serious phishing or malware threat if abused by malicious attackers.

He told CyberNews: “Beware that the content of the notification can be controlled by the attacker. It can also contain images (yes, including graphic and disturbing images), so beware of the content and don’t follow any links.”

At the time of writing it’s not clear whether these messages were sent by the Google or Microsoft teams, or by a curious third-party researcher or hacker.

Earlier in the week, Google Hangouts users saw a number of similar "FCM Messages" test notifications sent in a similar incident.

According to the Firebase blog, more than 2 million apps actively use Firebase every month. Abhishek told CyberNews that there are many app developers with Firebase projects whose apps may still be affected, with easily 15% of existing apps potentially vulnerable.
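For developers who want to check whether their own build ships a legacy FCM server key of the kind this incident turns on, the following scanner is an added example, not code from the article, from Google, or from the researcher. It walks a decoded APK tree (for instance apktool output) and flags hardcoded legacy server keys, while separately counting the Firebase Web API key, which is a client identifier rather than a secret and is expected to appear in an app. The sample strings.xml and both key values are constructed; the key patterns are assumptions based on the legacy server key format (AAAA, the numeric sender ID, a colon, then APA91b and a long token) and the Google API key format (AIza followed by 35 characters).

```python
import re
from pathlib import Path

# Assumed legacy FCM server key shape: AAAA<numeric sender id>:APA91b<long token>.
# This is the credential that must never ship inside a client build.
FCM_SERVER_KEY_RE = re.compile(r"AAAA\d{5,20}:APA91b[A-Za-z0-9_\-]{100,}")

# Assumed Firebase/Google Web API key shape: AIza + 35 characters.
# These are client identifiers, not secrets; counted so they are not mistaken for a leak.
WEB_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")

# Constructed sample values (not real keys) used to exercise the scanner offline.
CONSTRUCTED_SERVER_KEY = "AAAA123456789012:APA91b" + "x" * 130
CONSTRUCTED_WEB_API_KEY = "AIza" + "A" * 35

# Constructed strings.xml as a decoded APK might contain it; the server key sits on line 4.
SAMPLE_STRINGS_XML = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    "<resources>\n"
    '    <string name="google_api_key">' + CONSTRUCTED_WEB_API_KEY + "</string>\n"
    '    <string name="fcm_server_key">' + CONSTRUCTED_SERVER_KEY + "</string>\n"
    "</resources>\n"
)


def scan_text(text: str, source: str = "<string>") -> list[dict]:
    """Return one finding per hardcoded legacy server key in `text`."""
    findings = []
    for m in FCM_SERVER_KEY_RE.finditer(text):
        key = m.group(0)
        # Line number of the match, counting newlines before its start.
        line_no = text.count("\n", 0, m.start()) + 1
        findings.append({
            "source": source,
            "line": line_no,
            "kind": "fcm_legacy_server_key",
            # Keep only enough of the key to identify it in a report.
            "redacted": key[:12] + "..." + key[-4:],
        })
    return findings


def summarize(text: str) -> dict:
    """Count secret server keys versus harmless client API keys in `text`."""
    return {
        "server_keys": len(FCM_SERVER_KEY_RE.findall(text)),
        "client_api_keys": len(WEB_API_KEY_RE.findall(text)),
    }


def scan_decoded_apk(root: Path) -> list[dict]:
    """Walk a decoded APK tree and scan every text-like resource or code file."""
    text_suffixes = {".xml", ".json", ".smali", ".properties", ".txt", ".js"}
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in text_suffixes:
            try:
                findings.extend(scan_text(path.read_text(errors="ignore"), str(path)))
            except OSError:
                continue
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; point scan_decoded_apk at a real
    # decoded build directory to check your own app.
    for finding in scan_text(SAMPLE_STRINGS_XML, "res/values/strings.xml"):
        print(f"{finding['source']}:{finding['line']} {finding['kind']} {finding['redacted']}")
    print(summarize(SAMPLE_STRINGS_XML))
```

A hit from this scan means the build carries a credential that lets its holder send pushes to every installed copy of the app; the remedy is to rotate that key in the Firebase console and move server-side sending to a backend, since the client only ever needs the public API key and sender ID.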

A worrying question for many is: which service will be hit next?

Phish where the fish are

This incident should serve as a warning to any organization deploying new messaging platforms. Cloud-based services like Microsoft Teams and Slack are growing faster than ever as organizations pivot to more long-term flexible working arrangements.

If a malicious link had been included in these messages, it would have been down to endpoint security tools and users alone to prevent the attack from causing harm. Phishing or other social engineering attacks could follow a similar attack channel. However, I like to believe that regular and effective phishing awareness training could help arm employees with enough caution to be suspicious of even novel threats like this.

July’s high-profile Twitter bitcoin heist highlighted what attackers can do when given the opportunity to mass-target unsuspecting users of consumer services. In this instance, many may think themselves lucky that there was no malicious payload, social engineering or theft.

This is not the first time Firebase has been in the news for the wrong reasons. A lawsuit was filed in July accusing Google of violating federal wiretap law and California privacy law. It is alleged that the data collection happens through Google’s Firebase, despite users following Google's instructions to turn off the web and app activity collected by the company.

Microsoft provided a response to customers on Twitter later in the day. It read: “We've isolated the source of the issue and applied a mitigation. We've confirmed that no further unexpected notifications are being sent to users' Android devices. Additional details can be found in the admin center under TM221041.”
