We were inspired to see how we could use the Microsoft Graph API to mitigate potential security vulnerabilities across the applications in the Office 365 network. We focused on Microsoft Teams, a unified communications platform that lets users exchange messages within channels. We saw that there was not much malware detection available within Microsoft Teams. This is a potential cybersecurity weakness, because messages containing phishing links may be sent throughout Teams channels from compromised user accounts. Our project aimed to close this gap by creating a phishing detector that scans URLs in Teams messages via the Google Safe Browsing API and alerts the admin of the channel to a potentially compromised user through the Microsoft Graph API.
What it does
The Microsoft Teams Phishing Detector works by processing every URL passed through a PostMessage method. A URL parse method takes a URL from a message and sends it through the Google Safe Browsing API. The API output is simplified to a boolean: "true" indicates that the URL is safe to click on, and "false" indicates that the URL contains phishing schemes and/or malicious content. When the return is false, a message is automatically generated within Teams saying that a user tried to post an unsafe link, and the message containing that link is not displayed. From there, an alert (a JSON object) is generated and sent to the admin of the channel indicating that a certain user tried to send a phishing link. The alert contains details of the phishing attempt and how it was triggered.
How we built it
The Microsoft Teams code is forked from this GitHub repository (https://github.com/microsoftgraph/csharp-teams-sample-graph) and is built in C# on the .NET framework in Visual Basic. By replacing certain parameters, the sample makes it easy to obtain an authentication token through its built-in HTTP requests. The PostMessage() method in the GraphService.cs file was modified so that it parses each message for a URL with a RegEx expression. The URL is processed through a Java-based application (forked and edited from this GitHub repository: https://github.com/kalinchih/google-safe_browsing-api-v4) that takes a URL as a parameter, checks it against the Google Safe Browsing API and returns whether or not the URL leads to a safe website. The Java code was packaged into an executable .jar program and pipelined into the C# code through a Java Virtual Machine (JVM). If the Google Safe Browsing API returns false, an alert object is created and sent to be displayed on the Alerts tab of the website. A message is also sent through the Teams UI indicating that the link is suspicious.
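The pipeline described in the two sections above (regex URL extraction, a Safe Browsing v4 threatMatches:find lookup, and an alert object for the channel admin) as an added Python example; it is not the project's C#/Java code. The regex, client id, alert fields and the sample message and API response are constructed assumptions; the request and response shapes follow the public Safe Browsing Lookup API v4 documentation, where an empty object means no URL matched.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Assumed regex (not the project's): plain http(s) URLs up to the next whitespace or quote.
URL_RE = re.compile(r"https?://[^\s<>\"']+")
THREAT_TYPES = ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"]

def extract_urls(message: str) -> List[str]:
    """Pull every http(s) URL out of a Teams message body."""
    return URL_RE.findall(message)

def build_lookup_request(urls: List[str]) -> Dict:
    """Body for POST https://safebrowsing.googleapis.com/v4/threatMatches:find?key=API_KEY."""
    return {
        "client": {"clientId": "teams-phish-detector", "clientVersion": "0.1"},  # assumed id
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }

def flagged_urls(lookup_response: Dict) -> Dict[str, str]:
    """Map each matched URL to its threat type; an empty response means every URL was clean."""
    return {m["threat"]["url"]: m["threatType"] for m in lookup_response.get("matches", [])}

def check_message(sender: str, channel: str, message: str,
                  lookup_response: Dict) -> Tuple[bool, Optional[Dict]]:
    """Return (safe, alert): alert is the JSON object for the channel admin when unsafe."""
    hits = flagged_urls(lookup_response)
    bad = {u: hits[u] for u in extract_urls(message) if u in hits}
    if not bad:
        return True, None
    alert = {
        "severity": "high",
        "title": "Phishing link blocked in Teams message",
        "user": sender,
        "channel": channel,
        "urls": [{"url": u, "threatType": t} for u, t in bad.items()],
        "action": "message withheld",
    }
    return False, alert

# Constructed sample: one Teams message and the Safe Browsing response it would receive.
SAMPLE_MESSAGE = "Please review https://example.com/report and http://bad.example/login now"
SAMPLE_RESPONSE = {"matches": [{"threatType": "SOCIAL_ENGINEERING", "platformType": "ANY_PLATFORM",
                                "threatEntryType": "URL", "threat": {"url": "http://bad.example/login"},
                                "cacheDuration": "300s"}]}

if __name__ == "__main__":
    print(json.dumps(build_lookup_request(extract_urls(SAMPLE_MESSAGE)), indent=2))
    print(check_message("alice", "general", SAMPLE_MESSAGE, SAMPLE_RESPONSE))
```

The API canonicalizes submitted URLs before matching, so a production check should compare against the `threat.url` values the response returns rather than assuming a one-to-one echo of the input order.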
Challenges we ran into
There were many challenges we ran into with this project, the biggest being initializing the original program. We were a little confused when it came to authorization and receiving an authentication token, as it didn't work at first. Furthermore, the .NET framework was compatible only with the ADAL framework (Microsoft Azure v1 endpoint), and it was very challenging to convert to the MSAL framework (Microsoft Azure v2 beta endpoint), so we continued to use ADAL. Lastly, the Security.ReadWrite permission to generate alerts with Office 365 applications is still in development, so a workaround had to be done to make use of these alerts.
Accomplishments that we're proud of
We are proud that we were able to incorporate the Google Safe Browsing API into the C# code to verify URLs, since the API client was based on a Java application and isn't necessarily compatible with a .NET environment unless a JVM is ported into the code.
What we learned
We both had minimal experience coding in C# in a .NET environment, so this was a great experience for both of us in learning a new language. Furthermore, this was our first time ever using the Microsoft Azure Portal and using an Office Developer account to retrieve authentication tokens, so it was a great experience in learning different uses of REST.
What's next for Microsoft Teams Phishing Detection
We want to improve the URL verification capabilities through more verification APIs. We are specifically interested in the Phish AI API (GitHub repo: https://github.com/phishai/phish-ai-api), which is a computer-vision-based phishing detector that screenshots suspicious websites and compares them with look-alike websites to determine whether or not the website is fraudulent. Unfortunately, even though the API is open source, it requires an API key, which we were not able to get.