Description
- Type: CUSTOMER
- Severity: WARNING
- Protection against: MISCONFIGURATION
- FIX Available: YES
This Customer Check checks whether messages in Teams are scanned for unsafe files. When this feature is enabled, files with potentially dangerous extensions that users receive or send within Teams are blocked or marked with a warning.
Why this check?
Microsoft Teams is exploited by attackers as a distribution channel for malware and malicious files. Users often trust files shared via Teams more than email attachments because they come from known colleagues. This makes Teams an attractive target for attackers who have gained access to an account or who use social engineering techniques.
The FileTypeCheck feature for Teams automatically blocks files with dangerous extensions such as executables (.exe, .dll), scripts (.bat, .vbs, .ps1), and other file types commonly used to distribute malware. Microsoft maintains a fixed list of over 70 file extensions that are automatically blocked. When a user attempts to send or open such a file, a warning is displayed.
Without this protection, attackers can easily distribute malware, ransomware, or other malicious files via Teams messages. This can lead to widespread infections within your organization, data breaches, or system compromise. It is therefore essential that this feature is enabled for all users.
What are the possible outcomes of this check?
This check has two possible outcomes. In Attic this is reflected as follows:
- Okay: Teams messages are scanned for unsafe files (FileTypeCheck is enabled)
- Warning: Teams messages are NOT scanned for unsafe files, customer action is required
How should this be followed up?
If the output is Warning, we advise to enable file type checking for Teams messages. This ensures that users are protected against receiving or sending potentially dangerous files.
For this check, a Fix is available, which we will offer via Attic. The fix enables the FileTypeCheck for Teams messages.
Manual Instructions
Follow these steps to manually adjust the setting:
- Open PowerShell and connect to Teams using the Teams PowerShell module with the command:
Connect-MicrosoftTeams - Check the current setting with the command:
Get-CsTeamsMessagingConfiguration -Identity Global | Select-Object FileTypeCheck - Enable file type checking with the command:
Set-CsTeamsMessagingConfiguration -Identity Global -FileTypeCheck Enabled - Verify the change by repeating step 2. The value of FileTypeCheck should now be "Enabled"
Blocked File Extensions
When FileTypeCheck is enabled, the following file extensions are automatically blocked by Microsoft. This list cannot be modified by administrators:
ace, ani, apk, app, appx, arj, bat, cab, cmd, com, deb, dex, dll, docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib, library, lnk, lzh, macho, msc, msi, msix, msp, mst, pif, ppa, ppam, reg, rev, scf, scr, sct, sys, uif, vb, vbe, vbs, vxd, wsc, wsf, wsh, xll, xz, z
These extensions are selected because they are often used for executing code, installing software, or modifying system settings - all actions that are exploited by attackers.
Impact
This change has the following impact on users and administrators:
- For users: Users can no longer send or receive files with the blocked extensions. If they try, they will see an error message. This may be experienced as disruptive for legitimate use of, for example, .exe files for software distribution. In that case, alternative methods must be used (such as a secure file sharing service or a password-protected zip file).
Comments
0 comments
Please sign in to leave a comment.