Attackers could have used bug to get read/write privileges for a victim user s email, Teams chats, OneDrive, Sharepoint and loads of other services. Microsoft has since fixed the bug, but Tenable’s Evan Grant analyzed how it might have been exploited. Such attacks could be carried out via a malicious Microsoft Teams tab and Power Automate flows. Microsoft Teams has a default feature that allows a user to launch small apps as a tab in any team they belong to.
Source: https://threatpost.com/microsoft-teams-tabs-bec/166909/