VNX-SEC-044 – Microsoft Teams Webhook URL
Overview
This rule detects Microsoft Teams incoming webhook URLs of the form https://*.webhook.office.com/webhookb2/.... An incoming webhook URL is an unauthenticated bearer secret: anyone who holds it can post messages to the Teams channel it was created for. These URLs are commonly leaked in CI logs and in committed or publicly hosted config files.
Severity: High | CWE: CWE-798 – Use of Hard-coded Credentials
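The following is an added example, not part of the original rule page, showing the detection logic run over a few constructed CI log lines and a redaction helper that lets a finding be reported without re-leaking the secret. The page only gives the https://*.webhook.office.com/webhookb2/ prefix; the GUID@GUID/IncomingWebhook/ path shape that follows is an assumption based on commonly seen webhook URLs, with a deliberately lenient tail so that newer variants with extra path segments are still caught. The log lines, tenant name and identifiers are all made up.

```python
import re
from dataclasses import dataclass

# Assumed URL shape (the page only states the /webhookb2/ prefix):
#   https://<tenant>.webhook.office.com/webhookb2/<guid>@<guid>/IncomingWebhook/<tail>
# The tail is matched leniently (anything up to whitespace or a quote/bracket)
# so trailing segments added by newer webhook versions do not cause misses.
TEAMS_WEBHOOK_RE = re.compile(
    r"https://(?P<tenant>[A-Za-z0-9-]+)\.webhook\.office\.com/webhookb2/"
    r"(?P<path>[0-9A-Fa-f-]{36}@[0-9A-Fa-f-]{36}/IncomingWebhook/[^\s\"'<>`)]+)"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    tenant: str
    redacted: str  # safe to put in a ticket or scanner output


def _redacted(tenant: str, path: str) -> str:
    # Keep the tenant and the first 8 characters of the path so the owner can
    # recognise which webhook leaked, but never emit the full secret.
    return f"https://{tenant}.webhook.office.com/webhookb2/{path[:8]}[REDACTED]"


def scan(text: str) -> list[Finding]:
    """Return one Finding per webhook URL occurrence, with line numbers."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TEAMS_WEBHOOK_RE.finditer(line):
            findings.append(
                Finding(line_no, m.group("tenant"), _redacted(m.group("tenant"), m.group("path")))
            )
    return findings


def redact_text(text: str) -> str:
    """Scrub webhook URLs in place, e.g. before a CI log is persisted or shared."""
    return TEAMS_WEBHOOK_RE.sub(lambda m: _redacted(m.group("tenant"), m.group("path")), text)


# Constructed sample: two real-looking URLs (lines 2 and 4), a documentation
# placeholder that must not match (line 3) and an already-redacted line (line 5).
SAMPLE_CI_LOG = """\
[12:01:02] Loading notifier config
[12:01:02] TEAMS_WEBHOOK=https://contoso.webhook.office.com/webhookb2/7a8b9c0d-1e2f-4a3b-8c4d-5e6f7a8b9c0d@0f1e2d3c-4b5a-4697-8877-665544332211/IncomingWebhook/0123456789abcdef0123456789abcdef/aabbccdd-eeff-4011-8223-344556677889
[12:01:03] docs: create one under Channel > Connectors; URLs look like https://<tenant>.webhook.office.com/webhookb2/<id>
[12:01:04] curl -s -X POST 'https://contoso.webhook.office.com/webhookb2/7a8b9c0d-1e2f-4a3b-8c4d-5e6f7a8b9c0d@0f1e2d3c-4b5a-4697-8877-665544332211/IncomingWebhook/0123456789abcdef0123456789abcdef/aabbccdd-eeff-4011-8223-344556677889/V2-0123' -d @card.json
[12:01:05] notifier: posted to https://contoso.webhook.office.com/webhookb2/[REDACTED]
"""


if __name__ == "__main__":
    for f in scan(SAMPLE_CI_LOG):
        print(f"line {f.line_no}: tenant={f.tenant} {f.redacted}")
```

The placeholder on line 3 is rejected because the pattern insists on the two 36-character identifiers around the `@`, which is what separates a documentation example from a live URL; if a rule like this is used in a CI gate, run `redact_text` over the log before it is stored so that the scanner's own output does not become the next leak.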
Why This Matters
A leaked Teams webhook URL lets anyone who obtains it post to the channel, which is often the same channel where incident-response and security alerts are delivered. The webhook is write-only (it cannot read the channel), but posts arrive under the connector's configured name and avatar, so they are indistinguishable from the legitimate integration's messages. That is enough for phishing (a fake "your password expires today" card with a link), social engineering that impersonates an automated system, or simply drowning out real alerts with noise.
Microsoft has deprecated the legacy Office 365 Connectors in favour of Workflows, but a large number of pre-2025 webhooks remain valid.
Remediation
- Revoke the URL by deleting the webhook in Teams → Channel → … (More options) → Connectors → Incoming Webhook → Configure → Delete. Webhook URLs cannot be rotated in place; deleting the connector is what invalidates the leaked URL, so do this first and create a new one afterwards if one is still needed.
- Migrate to a Power Automate workflow whose HTTP trigger is restricted to authenticated callers (Azure AD / Entra ID) rather than exposed as an anonymous URL; an unrestricted workflow trigger URL is just as much a bearer secret as the connector webhook was.
- Store the new webhook URL in Azure Key Vault or GitHub Actions secrets.
- Audit Teams channel activity for messages you did not post.
- Purge the URL from git history with git filter-repo, force-push, and have collaborators re-clone. Rewriting history does not revoke the URL: existing clones, forks and CI caches still hold it, so deletion in Teams remains the required step.