Our team has created a chatbot with the Microsoft Bot Framework (Node.js), and the chatbot is deployed in Teams via its manifest by the tenant admin of an organization.
I had a few questions on security (the questions are only related to the Teams bot):
1) How easy would it be for a malicious user to emulate the Teams channel endpoint? (The bot uses 3 layers of verification in the OnMessage activity handler: the Graph API and some other organization-specific ones. But the problem is that we are using the TeamsInfo.getMembers(context) API call to get the email ID of the user from Teams to go through these verifications.)
2) Is TeamsInfo.getMembers(context) vulnerable? Could a malicious user provide an exact duplicate turn context of any existing authentic user?