MAAD-AF External Teams Access

This module allows attackers to add an internal user or even an external adversary-controlled email to a team in MS Teams, enabling continuous access to information in Teams and Teams-connected resources, such as team-specific Sharepoint sites. The module has two sub-modules. Using the second sub-module, given the account in use has required privileges, the attacker can create a new team within MS Teams.

Module Overview - DRAFT

NOTE TO ENABLEMENT TEAM: We may need to find a more sustainable example to use for lab users and adjust the verbiage below accordingly.

1. From the main Attack Arsenal menu, enter 9 for Enable External Access to Teams Data for Continuous Access. Read through the MITRE information, and  press ` to continue.

2. Use the sub-module 1: Get added to an existing team, and enter Yes to perform recon for available teams to join.

   

3. Select a team to join from the list. Enter the Display Name of the team.

4. Enter an email address to send the teams invitation to.

   For this exercise, use your vectra.ai email.

5. This particular action may take a few minutes to complete as account permissions need to replicate. Enter the number of minutes MAAD-AF should wait for this action to complete.

   General guidance is that 5 is a good starting point in most cases.

   

6. After the user has been successfully added, a message will appear indicating success.

   

7. MAAD-AF will prompt the user to undo the actions just created. Select No for the purposes of this exercise.

Validation

Enter the exact wait message displayed by MAAD-AF when waiting for the changes to take effect.