Despite the restrictions Microsoft Teams places on files from external sources, security researchers have found a straightforward way to deliver malware to an organization through the application.
As a communication and collaboration platform for the Microsoft 365 cloud-based services, Microsoft Teams has been adopted by organizations with 280 million monthly active users.
Max Corbridge and Tom Ellson, members of the Red Team at Jumpsec, a UK-based security services company, poked around and discovered a way to use Microsoft Teams with an account outside the target organization to deliver malware.
Particulars of the attack
The attack works against Microsoft Teams in its default configuration, which allows communication with accounts outside your own organization, referred to in Microsoft Teams as "external tenants".
Corbridge explains in a report that while this communication bridge alone would be sufficient for social engineering and phishing attacks, the method they found is more powerful because it allows a malicious payload to be sent directly to a target's inbox.
Client-side security measures in Microsoft Teams prevent external tenant accounts from sending files.
However, the Jumpsec Red Team members discovered that by altering the internal and external recipient IDs in a message’s POST request, they were able to circumvent the restriction and trick the system into thinking that an external user was an internal one.
“When sending the payload like this, it is actually hosted on a Sharepoint domain and the target downloads it from there. It appears, however, in the target inbox as a file, not a link.” – Jumpsec Labs
As part of a covert red team engagement, the researchers tested the method in the field and were able to successfully deliver a command and control payload to a target organization’s inbox.
Because it bypasses existing security controls and anti-phishing training, this attack lets attackers easily infect any organization that runs Microsoft Teams in its default configuration.
In addition, if the attacker registers a Microsoft 365 domain that resembles the target organization's, their messages may appear to come from within the organization rather than from an external tenant, increasing the likelihood that the target will download the file.
Believing the impact significant enough to warrant an immediate response from the tech giant, the researchers reported their findings to Microsoft.
Despite Microsoft’s confirmation of the flaw’s existence, the company responded, “it does not meet the bar for immediate servicing,” indicating that the issue is not urgent enough for the company to address.
BleepingComputer has also contacted Microsoft to inquire about when they plan to address the issue and whether the severity of it has been reconsidered; however, as of this writing, we have not received a response.
Disabling this feature from “Microsoft Teams Admin Center > External Access” is the recommended action for organizations that use Microsoft Teams but do not require regular communication with external tenants.
Organizations can reduce the risk of exploitation by defining specific domains in an allow-list if external communication channels must be maintained.
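The two mitigations above can also be applied with the MicrosoftTeams PowerShell module instead of the admin center. The following is an added example and is not code from the article, Jumpsec or Microsoft; the cmdlet names are those of the MicrosoftTeams module as the editor knows them, the domain names are placeholders, and the default values mentioned in the comments are assumptions to be checked against your own tenant's output.

```powershell
# Added example (not from the article or Jumpsec): restricting Teams external access
# with the MicrosoftTeams PowerShell module. Domain names below are placeholders.
Connect-MicrosoftTeams

# Inspect the current federation settings before changing anything.
# Assumption: in an unmodified tenant AllowFederatedUsers is $true and AllowedDomains
# is AllowAllKnownDomains, i.e. any external tenant can message your users.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains, AllowTeamsConsumer

# Option 1: the organization never needs to talk to external tenants.
# This is the PowerShell equivalent of turning off External Access in the admin center.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# Option 2: external communication is required, so allow-list specific partner domains
# only. Every other tenant, including a look-alike domain, is then unable to message users.
$partnerDomains = @("partner-one.example", "partner-two.example")   # placeholders
$patterns  = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# Personal (consumer) Teams accounts are governed by a separate setting from tenant
# federation, so block them as well unless there is a documented need for them.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# Verify the result; AllowedDomains should now list only the partner domains.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer
```

Run Option 1 or Option 2, not both, since the second call to Set-CsTenantFederationConfiguration re-enables federation for the allow-listed domains. Changes to federation settings can take some time to propagate, so re-check the configuration after a while rather than immediately.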
Additionally, Jumpsec researchers requested that external tenant-related events be included in the software’s logging. This could aid in the prevention of attacks as they unfold, so please vote in favor of this request.