Retrieving Files You’ve Uploaded to Microsoft Teams

The use of Cloud infrastructure has substantially grown over the years. As people become more comfortable with the technology, it will certainly continue to grow. With comfortability, comes an overabundance and reliance on the use of the platforms in the Cloud. While this could be great for users and organizations, there is also the chance of abuse or misuse.

Microsoft offers a suite of platforms that are useful for production. One example of that is Microsoft Teams. If a user has a desire to download all the files they have uploaded to Teams because they just want a copy of the data for one reason or another, they can accomplish this via the GUI or through the commandline.

The files you upload in Microsoft Teams in chats are uploaded to your personal OneDrive within the Tenant you are a part of. If you upload a file within a Teams, that data is actually stored in SharePoint within the Tenant. With that understanding, we will focus on retrieving the files that you uploaded to a chat.

To accomplish this via the GUI, you can navigate to here and log in. Once you are authenticated, you will select the radio button and then the Download button, as depicted in Figure 1. A zip file of all the data will be downloaded to your system.

Figure 1

To accomplish this via the commandline, you can use the script that I developed that is posted here. There are a few parameters that you will need to supply to the script. One of them is the URL to your personal OneDrive within the Tenant’s space that your files reside. You will also need to supply your user name as well as a destination to save the data. Once you execute the script, you will be prompted to log into your account, and then the script will continue, as shown in Figure 2.

Figure 2

From a malicious standpoint, this could be a method employed by an actor after gaining access to your machine. There is some piece in that you will need to authenticate to Teams prior to being able to download the data however if your system is compromised and you already have a session with the Tenant, that is a different story.

Copyright © 2024 Cyber Fibers