As the world quickly transitioned to remote work due to COVID-19, companies were forced to make dramatic changes in how they operated. To keep employees safe and productive, companies adopted communication platforms like Teams, Zoom, Slack en masse. And while those tools fundamentally changed the way many of us work, they have also created new opportunities for attackers to leverage them for nefarious purposes. In this session, we will discuss how attackers have used the global pandemic to their advantage and will specifically dive into a worm-like vulnerability discovered in Microsoft Teams that could be used to take over an organization’s entire roster of Teams accounts. We’ll discuss how this vulnerability was found, the reasons it was able to be exploited – including Microsoft’s use of modern authentication and authorization protocols like OAuth and OpenID connect, and how implementation choices opened the platform up to security flaws. We will show how incorrect token handling can expose the authentication and authorization system mechanism of the platform to dangerously security flaws.