Messaging Apps Protection - Microsoft Teams

Overview

Microsoft Teams is a communication platform developed by Microsoft as part of the Microsoft 365 family of products. It offers employees and external collaborators to chat, meet online, and share files. Avanan adds security, privacy, and compliance to Microsoft Teams by scanning messages and files shared on a chat or a team for malicious content and data loss prevention (DLP) and generates actionable events on malicious content.

Avanan scans the messages and files shared through direct messaging or a team.

How it works

Avanan adds a layer of security that provides these security features for Microsoft Teams:

  • Data Leak Prevention (DLP): Protecting sensitive text messages and files
  • Anti-Malware: Scanning of files for malicious content
  • URL Reputation: Blocking malicious links within files and messages
  • User Behavior Anomaly: Identifying suspicious login and compromised accounts
  • Remediation: Tombstoning malicious files or sensitive files and messages

Required Permissions

Avanan requires these permissions to protect Microsoft Teams.

Note- All these permissions are required to access your data in the Avanan portal tenant.

Permissions required from Microsoft

Functions performed by Avanan

Send channel messages

Allows an app to send channel messages in Microsoft Teams on behalf of the signed-in user.

Sign in and read user profile

Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

Read domains

Allows the app to read all domain properties without a signed-in user.

Read and write tabs in Microsoft Teams

Read and write tabs in any team in Microsoft Teams without a signed-in user. This does not give access to the content inside the tabs.

Read tabs in Microsoft Teams

Read the names and settings of tabs inside any team in Microsoft Teams without a signed-in user. This does not give access to the content inside the tabs.

Read and write all group memberships

Allows the app to list groups, read basic properties, read and update the membership of the groups this app has access to without a signed-in user. Group properties and owners cannot be updated, and groups cannot be deleted.

Read all group messages

Allows the app to read memberships and basic group properties for all groups without a signed-in user.

Manage all users' Teams apps

Allows the app to read, install, upgrade, and uninstall Teams apps for any user without a signed-in user. It does not give the ability to read or write application-specific settings.

Read all users' installed Teams app

Allows the app to read the Teams apps that are installed for any user without a signed-in user. It does not give the ability to read application-specific settings.

Read all users' teamwork activity feed

Allows the app to read all users' teamwork activity feed without a signed-in user.

Read directory data

Allows the app to read data in your organization's directory, such as users, groups, and apps, without a signed-in user.

Read and write all groups

Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user.

Read all groups

Allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user.

Flag channel messages for violating policy

Allows the app to update Microsoft Teams channel messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing.

Read all channel messages

Allows the app to read all channel messages in Microsoft Teams.

Read all chat messages

Allows the app to read all 1-to-1 or group chat messages in Microsoft Teams.

Flag chat messages for violating policy

Allows the app to update Microsoft Teams 1-to-1 or group chat messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing.

Read all users' full profiles

Allows the app to read user profiles without a signed-in user.

Read files in all site collections

Allows the app to read all files in all site collections without a signed-in user.

Read and write all chat messages

Allows an app to read and write all chat messages in Microsoft Teams without a signed-in user.

Read items in all site collections

Allows the app to read documents and list items in all site collections without a signed-in user.

Read all hidden memberships

Allows the app to read the memberships of hidden groups and administrative units without a signed-in user.

Activating Microsoft Teams

Important:

  • To activate Microsoft Teams, you must have administrator access to Office 365.
  • To use the Communication DLP feature in Microsoft Teams, you must have any of these licenses:
    • E5 licenses
      • Office 365 E5/A5/G5
      • Microsoft 365 E5/A5/G5
      • Microsoft 365 E5/A5/F5/G5 Compliance and Microsoft 365 F5 Security & Compliance
      • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
    • E3 licenses
      Note - Customers can add the Microsoft 365 E5 Compliance add-on to these E3 licenses to enable Microsoft Teams support.
      • Enterprise Mobility + Security E3
      • Office 365 E3
      • Microsoft 365 E3

To activate Microsoft Teams:

  1. Navigate to Security Settings > SaaS Applications and click Start for Microsoft Teams.
  2. Click Start in the pop-up screen that appears.
  3. In the Microsoft Sign-in window that opens, sign in with your Microsoft administrator credentials.
    Note - Microsoft performs the authentication, and Avanan does not provide these credentials.
  4. In the authorization screen from Microsoft, click Accept to grant necessary permissions to Avanan.
    For the list of permissions requested from Microsoft, see Permissions for Microsoft Teams.
    The Microsoft Teams SaaS is enabled, and monitoring begins immediately.
    Microsoft-Teams

Deactivating Microsoft Teams

To deactivate Microsoft Teams:

  1. Navigate to Security Settings > SaaS Applications.
  2. Click Stop for Microsoft Teams.
    Microsoft-Teams-Stop

Microsoft Teams Security Settings

Customizing Tombstone Messages

If a message/file is tombstoned, a tombstone message will appear instead of the tombstoned message/file. The original message/file becomes inaccessible to the sender and the recipients in the chat/channel.

Administrators can customize the tombstone message for both messages and files.

To customize the tombstone messages:

  1. Navigate to Security Settings > SaaS Applications.
  2. Click Configure for Microsoft Teams.
  3. To customize the tombstone message for messages, update the Microsoft Teams Message field.
  4. To customize the tombstone message for files, update the Microsoft Teams Files field.
  5. To allow users to unblock tombstoned messages, enable the Allow unblock message checkbox.
    Microsoft-Teams-Configuration
  6. Click Save.

Configuring Microsoft Teams Policy

Malware Policy

By default, the Microsoft Teams malware policy scans for malicious content in the files sent using Microsoft Teams.

Supported Actions

Microsoft Teams malware policy supports these actions:

  • Tombstone of files and text messages that contain malicious content.
    • If malicious content is found, the sender will get the tombstoned message.
      tombstoned-message-1
      For information about unblocking the tombstoned message, see Unblocking Messages.
    • If malicious content is found, the recipient(s) will get the tombstoned message.
      teams-malware-receiver-msg
  • Alert sender: Sends an email notification to the sender of a file or message that contains malicious content.
  • Alert admin(s): Sends an email notification to the admin(s) about the malicious files or messages.

Configuring Malware Policy

To configure Malware policy:

  1. Click Policy on the left panel of the Avanan portal tenant.
  2. Click Add a New Policy Rule.
  3. From the Choose SaaS drop-down list, select Microsoft Teams.
  4. From the Choose Security drop-down list, select Malware and click Next.
  5. Select the desired protection mode (Detect and Remediate or Detect).
    If required, you can change the Rule Name.
  6. Under Blades, select the threat detection blades required for the policy.
    Note - To select all the blades available for malware detection, enable All running threat detection blades checkbox.
  7. Configure Actions required from the policy.
    • To tombstone messages, enable the Tombstone Message checkbox.
      Note - This option will be available only in Detect and Remediate protection mode and when URL Reputation threat detection blade is enabled.
    • To tombstone files, enable the Tombstone File checkbox.
      Note - This option will be available only in Detect and Remediate protection mode and when the Anti-Malware threat detection blade is enabled.
    • To send email alerts to the sender about malware in messages and files, enable the Alert sender - messages and Alert sender - files checkbox.
    • To send email alerts to admins about malware in messages and files, enable the Alert admin(s) - messages and Alert admin(s) - files checkbox.

    Notes:

    • Even when the alerts are enabled here in the policy, the administrator only receives email alerts for security events when Receive Alerts role is enabled in the Specific Service Role.
    • To customize the email alert templates, click on the gear icon to the right of the alert.
  8. Click Save and Apply.

DLP Policy

By default, the DLP policy scans the messages and files for potentially leaked information, such as credit card number and Social Security Number (SSN).

Supported Actions

Microsoft Teams DLP policy supports these actions:

  • Tombstone of files and text messages that contain sensitive information.
    • If sensitive information is found, the sender will get the tombstoned message.
      teams-dlp-sender-tombstone

      For information about unblocking the tombstoned message, see Unblocking Messages.
    • If sensitive information is found, the recipient(s) will get the tombstoned message.
      teams-malware-receiver-msg
  • Alert sender: Sends an email notification to the sender of a file or message that contains sensitive information.
  • Alert admin(s): Sends an email notification to the admin(s) about the files or messages that contain sensitive information.

Configuring DLP Policy

To configure DLP policy:

  1. Click Policy on the left panel of the Avanan portal tenant.
  2. Click Add a New Policy Rule.
  3. From the Choose SaaS drop-down list, select Microsoft Teams.
  4. From the Choose Security drop-down list, select DLP and click Next.
  5. Select the desired protection mode (Detect and Remediate or Detect).
    If required, you can change the Rule Name.
  6. Under DLP Criteria, select the DLP categories required for the policy.
    For more details about the DLP rules and categories, see DLP Built-in Rules and Categories.
  7. Select the sensitivity level required for the policy.
    • Very high (hit count > 0)
    • High (hit count > 2)
    • Medium (hit count > 5)
    • Low (hit count > 10)
    • Very Low (hit count > 20)
  8. To exclude DLP policy for the messages and files shared only with the internal users, enable the Skip Internal items checkbox.
  9. Configure Actions required from the policy.
    • To tombstone messages, enable the Tombstone Message checkbox.
      Note - This option will be available only when Detect and Remediate protection mode is enabled.
    • To tombstone files, enable the Tombstone File checkbox.
      Note - This option will be available only when Detect and Remediate protection mode is enabled.
    • To send email alerts to the sender about DLP in messages and files, enable the Alert sender - messages and Alert sender - files checkbox.
    • To send email alerts to admins about DLP in messages and files, enable the Alert admin(s) - messages and Alert admin(s) - files checkbox.

    Notes:

    • Even when the alerts are enabled here in the policy, the administrator only receives email alerts for security events when Receive Alerts role is enabled in the Specific Service Role.
    • To customize the email alert templates, click on the gear icon to the right of the alert.
  10. Click Save and Apply.

Secured Microsoft Teams Messages

Avanan connects with Microsoft Teams using Microsoft APIs.

As Microsoft APIs are primarily designed to tackle DLP challenges and not malware/phishing messages, they allow different security levels based on whether the sender is within the organization and whether it is a direct message or part of a team channel conversation. These limitations affect both DLP and malicious message scenarios.

Message Direction Message visible in the portal Generate events and alerts Block malicious messages and files
Direct messages
Messages within the organization (Internal > Internal) Yes Yes Yes
Messages sent from the organization to outside the organization (Internal > External) Yes Yes Yes
Messages sent from outside the organization to the organization (External > Internal) Yes Yes No
Messages sent in Microsoft Teams channels
Channels created by internal (protected) users Messages sent by internal users Yes Yes  Yes
Messages sent by external users Yes Yes Yes
Channel created by external users Messages sent by internal users No No No
Messages sent by external users No No No

 

Handling Partially Secured Messages

To protect the Microsoft Teams messages that cannot be inspected or tombstoned, administrators can do these:

  • Configure the Malware Policy and DLP Policy to receive alerts and respond quickly to the detected malicious messages from external parties.
  • Enhance the security settings for external meetings and chat with people outside the organization. See Microsoft documentation.

Secured Users

Like in any application, to protect a user's Microsoft Teams messages, the user must have one of the supported licenses. For more information, see Minimum Requirements.

Avanan does not protect messages sent by users and sent from external parties to users without a supported license. Also, these messages do not appear in the Avanan Portal.

If Avanan detects users with unsupported Microsoft Teams licenses, it shows the status on the Overview page.

  • If there are no users with a supported license, Avanan shows an error indicator that Microsoft Teams is not secured.
    Teams-nosupported-users-warning

  • If there are some users with unsupported licenses, Avanan shows a warning indicator that some of the users are not protected.
    Teams-unsupported-users-warning

Unblocking Messages

When malicious or sensitive information is detected, Harmony Email & Collaboration tombstones the messages.

To unblock the message, the user should click What can I do?.

  • If it is configured to allow unblocking the messages in Customizing Tombstoned Messages, the sender can select one of these.
    • To unblock the message:
      1. Select Override and send.
      2. Enter the justification for sending the message.
      3. Click Confirm.
    • To unblock the message and also report it to the administrator, the sender can select Override and send and report it to my admin and click Confirm.
      unblock-tombstoned-message-admin-allowed
  • If it is not configured to allow unblocking the messages, the sender will see the following message:
    unblock-tombstoned-message-admin-not-allowed

Viewing Microsoft Teams Security Events

Avanan records the Microsoft Teams detections as security events. The event type depends on the type of policy that created the event. You can handle the security events in different ways, whether they are detected/prevented automatically or discovered by the administrators after not being prevented.

The Events screen shows a detailed view of all the security events.

Teams-Events-page-new