1
votes

Any idea what's the risk exposure when somebody accidentally loses the incoming webhook URL for a Microsoft Teams channel?

To my understanding, data like team members or messages are not accessible, and basically the person having the URL could potentially just spam the channel but not really extract anything?

2 Answers

2
votes

Yes, you are right. There will be no such risks with the incoming webhook URL. One can only push connector cards to Microsoft Teams channels. Team members and messages are not accessible using the webhook URL.

1
votes

The biggest risk is that (unless I understand something wrong) if someone with malicious intent got that URL, he/she could send an Actionable Message with a form and send the contents of that form to an endpoint that is beyond your control. They could e.g. disguise that form as a form provided by HR, requesting some sensitive info.

This seems like a huge hole in security, and I still think/hope that I just understand it wrong.
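
For the leak scenario discussed in this thread, the following is an added example (not code from any of the posters) that scans text such as config files, logs or chat exports for Teams incoming webhook URLs and masks them. The URL shapes in the regex are an assumption based on the commonly issued `outlook.office.com/webhook/...` and `<tenant>.webhook.office.com/webhookb2/...` formats; the function names and all sample values are constructed.

```python
import re

# Assumption: these two URL shapes cover Teams incoming webhooks as commonly issued.
GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
WEBHOOK_RE = re.compile(
    r"https://(?:[a-z0-9-]+\.webhook\.office\.com/webhookb2"
    r"|outlook\.office(?:365)?\.com/webhook)"
    rf"/{GUID}@{GUID}/IncomingWebhook/[0-9a-f]+/{GUID}",
    re.IGNORECASE,
)


def redact(url):
    """Keep the host for triage; mask the path, which is the actual secret."""
    host = url.split("/")[2]
    return f"https://{host}/<redacted-teams-webhook>"


def scan(text):
    """Return (line_number, redacted_url) for every webhook URL in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in WEBHOOK_RE.finditer(line):
            hits.append((line_no, redact(match.group(0))))
    return hits


def scrub(text):
    """Return text with every webhook URL replaced by its redacted form."""
    return WEBHOOK_RE.sub(lambda m: redact(m.group(0)), text)


# Constructed sample input: none of these identifiers belong to a real tenant.
_PATH = (
    "11111111-2222-3333-4444-555555555555@aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    "/IncomingWebhook/0123456789abcdef0123456789abcdef"
    "/99999999-8888-7777-6666-555555555555"
)
SAMPLE = "\n".join([
    "# deploy notes",
    f"TEAMS_HOOK=https://contoso.webhook.office.com/webhookb2/{_PATH}",
    "docs: https://learn.microsoft.com/microsoftteams/",
    f"curl -d @card.json https://outlook.office.com/webhook/{_PATH}",
])

if __name__ == "__main__":
    for line_no, url in scan(SAMPLE):
        print(f"line {line_no}: {url}")
```

A hit means the URL should be treated as exposed: remove that webhook from the channel's connector configuration and create a new one so the old URL stops working.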