During Black Hat USA 2023 in Las Vegas, many new cyber threats are being revealed to the outside world. One of them involves a vulnerability in Microsoft 365 guest accounts, which turn out to be less secure than the tech giant would have thought. Armed with only a trial version of Power Apps and a guest account, a malicious party can steal internal data.
Organizations can use guest accounts within Microsoft 365 to temporarily grant limited access to a 365 tenancy. The reasons for doing so vary, but it is useful, for example, for sharing sensitive files. It is not meant to do much more, but low-code security specialist Michael Bargury explains that quite a few things can go wrong.
In his presentation, Bargury shows that obtaining a guest account may be too easy. Indeed, any user can query invitations that are still open, and these can be linked to a remote account without any verification. Admins additionally cannot determine exactly which account is linked to the invitation.
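As an added example, not part of the article or of Bargury's research: a Microsoft Graph PowerShell audit that lists guest invitations that were sent but never redeemed and, for redeemed ones, which external identity actually accepted them. It assumes the Microsoft.Graph module is installed and the signed-in account holds the User.Read.All permission; the 30-day staleness threshold is an arbitrary choice.

```powershell
# Added example (not from the article). Assumes the Microsoft.Graph module and
# an account with User.Read.All. The 30-day window is an assumed policy value.
Connect-MgGraph -Scopes "User.Read.All"

# Every guest object, with the fields needed to see who redeemed an invitation.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, Mail, UserPrincipalName, ExternalUserState, `
              ExternalUserStateChangeDateTime, CreatedDateTime

# Invitations that exist in the directory but were never accepted. Each one is
# an open invitation until it is either redeemed or removed by an admin.
$pending = $guests | Where-Object { $_.ExternalUserState -eq 'PendingAcceptance' }

# Pending invitations older than the window are candidates for removal
# (Remove-MgUser -UserId <id> deletes the guest object and its invitation).
$cutoff = (Get-Date).AddDays(-30)
$stale = $pending | Where-Object { $_.CreatedDateTime -lt $cutoff }

# Redeemed guests: Mail holds the invited address, UserPrincipalName the
# identity that accepted, so a mismatch is worth a closer look.
$accepted = $guests | Where-Object { $_.ExternalUserState -eq 'Accepted' }

Write-Host "Pending invitations: $($pending.Count) (stale: $($stale.Count))"
$pending | Select-Object DisplayName, Mail, CreatedDateTime |
    Sort-Object CreatedDateTime | Format-Table -AutoSize

Write-Host "Accepted guests: $($accepted.Count)"
$accepted | Select-Object DisplayName, Mail, UserPrincipalName, ExternalUserStateChangeDateTime |
    Format-Table -AutoSize
```

Run it on a schedule and alert when the stale count is non-zero, so unredeemed invitations do not linger indefinitely.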
Data theft possible
Normally, Power Apps is closed to guest accounts, but its trial version is not. With the trial, it is already possible to switch to the Power Apps directory of the visited organization. From there, attackers can set up applications within the tenant and even steal data.
The underlying problem, however, is primarily access management, Bargury believes. Many organizations do not follow best practices in this regard. Despite the widespread adoption of zero-trust and least-privilege principles, access to applications within one's own secure environment is in practice often unrestricted. The issue, therefore, is whether guest accounts can access Power Apps within one's own infrastructure.
Microsoft, meanwhile, is said to be working on patches to counter the vulnerability. Evidently, it has more work to do: another cyber threat involving the Redmond-based company, this time around OneDrive, was already revealed earlier.