Such an assessment was made by the country's National Cyber Security Center (NCSC) after it received a report from Darius Povilaitis, technical security manager at Telia Lietuva, under the responsible disclosure procedure and carried out an additional assessment of the situation.

"The services of states hostile to Lithuania are constantly looking for new attack vectors. Our assessment of the public sector has shown that the vast majority of organizations have not made the necessary changes to their MS Teams settings and, as a result, their employees may become targets of malicious actors when communicating virtually on the MS Teams platform," said Jonas Skardinskas, acting head of the NCSC.

It was found that MS Teams' initial settings allow anyone who has a registered MS Teams account, and who knows the name of another registered user and the organization they represent, to contact that person directly via chat: to write messages, send various files and make calls, the ministry said.

Outsiders using MS Teams accounts for business can even see the status of these employees, e.g. "available", "away".

Moreover, the MS Teams app also makes it easy to impersonate any other person, making it difficult for an employee to confirm the identity of a person contacting them through the MS Teams chat.

"If left unchanged, these MS Teams functionalities allow malicious actors to carry out social engineering attacks, and the NCSC strongly recommends that organizations change MS Teams' initial settings and restrict external access," the statement said.

Source: BNS
It is prohibited to copy and republish the text of this publication without written permission from UAB „BNS“.