Thursday September 19, 2024

Advisory ID: NCC-CSIRT-120723-025

Summary: A tool named TeamsPhisher has been uncovered by a researcher from the U.S. Navy's red team. This tool exploits a security vulnerability in Microsoft Teams, enabling attackers to bypass file-sending restrictions and deliver malware from an external account. If successfully exploited, this vulnerability allows attackers to bypass restrictions on incoming files from users outside of a targeted organization, known as external tenants. 

Vulnerable Platform(s): Microsoft Teams

Threat Type: Malware

Impact/Probability: CRITICAL/HIGH

Product: Microsoft Teams

Version: All Versions

Description: The researcher explains that the Microsoft Teams application has client-side protections that can be deceived into treating an external user as an internal one simply by altering the ID in the POST request of a message. To carry out this attack, a Python-based tool called "TeamsPhisher" has been developed, offering a fully automated approach.

TeamsPhisher performs several steps to execute the attack. It first verifies that the target user exists and is able to receive external messages, which is a crucial requirement for the attack to proceed. It then creates a new thread with the target user and sends them a message containing a SharePoint attachment link. This thread becomes visible in the sender's Teams interface, potentially allowing for manual interaction.

TeamsPhisher requires its user to have a Microsoft Business account with a valid Teams and SharePoint license, which is commonly found in many large companies. The tool also offers a "preview mode" to help users verify the target lists and check how messages appear from the recipient's perspective. Additionally, TeamsPhisher provides other features such as sending secure file links that can only be accessed by the intended recipient, specifying delays between message transmissions to bypass rate limiting, and generating log files to record outputs.

Consequences: The TeamsPhisher tool allows a malicious payload to be sent directly to a target's Microsoft Teams inbox.

Solution: At present, there is no specific solution as Microsoft has not made a decision regarding corrective actions for this vulnerability. However, the following measures are recommended: 

  • Microsoft Teams users should adopt safe online computing practices, such as being cautious when clicking on web page links, opening unfamiliar files, or accepting file transfers. 
  • Organizations are strongly advised to disable external tenant communications if not required.
  • Organizations should establish an allow-list comprising trusted domains to minimize the risk of exploitation. 
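
The two organizational measures above can be applied through the tenant's external access (federation) settings. The following PowerShell script is an added example, not part of the original advisory; it assumes the MicrosoftTeams PowerShell module and a Teams administrator account, and the domains in `$TrustedDomains` are placeholders.

```powershell
# Added example: audit and restrict Teams external access for the tenant.
# Assumptions: MicrosoftTeams module installed, Teams admin rights,
# and placeholder partner domains (replace with your own trusted list).
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$TrustedDomains = @('partner.example', 'supplier.example'),
    [switch]$DisableExternalAccess   # use when no external communication is required
)

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# 1. Audit: show the current external-access posture before changing anything.
$before = Get-CsTenantFederationConfiguration
$before | Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains
if ($before.AllowFederatedUsers) {
    Write-Warning 'External tenants are currently allowed to contact users in this tenant.'
}

if ($DisableExternalAccess) {
    # 2a. Measure: disable external tenant communications entirely.
    if ($PSCmdlet.ShouldProcess('Tenant federation', 'Disable all external access')) {
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
    }
}
else {
    # 2b. Measure: keep federation on, but only for an allow-list of trusted domains.
    $allowList = New-Object 'Collections.Generic.List[String]'
    foreach ($domain in $TrustedDomains) { $allowList.Add($domain) }

    $action = "Allow external access only for: $($TrustedDomains -join ', ')"
    if ($PSCmdlet.ShouldProcess('Tenant federation', $action)) {
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
            -AllowedDomainsAsAList $allowList
    }
}

# 3. Verify: re-read the configuration so the change is recorded in the output.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains
```

Running the script with `-WhatIf` prints the audit output and the intended change without modifying the tenant.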
 
References: 

https://www.bleepingcomputer.com/news/security/new-tool-exploits-microsoft-teams-bug-to-send-malware-to-users/ 

https://www.bleepingcomputer.com/news/security/microsoft-teams-bug-allows-malware-delivery-from-external-accounts/ 

https://www.hkcert.org/security-news?item_per_page=10&year%5B%5D=2023&month%5B%5D=06&month%5B%5D=07