date 2023-07-06

(CTN News) – The Marine Corps’ red team has published a tool called TeamsPhisher that exploits an unresolved security issue in Microsoft Teams to bypass restrictions on incoming files from outside of a targeted organization, known as external tenants.

The tool exploits a vulnerability highlighted last month by Max Corbridge and Tom Ellson of the UK-based company Jumpsec, who explained how an attacker could easily circumvent Microsoft Teams’ file-sending restrictions and deliver malware from an external account.

By changing the ID in the POST request of a message, the application’s client-side protections can be tricked into treating an external user as an internal one.

Streamlining attacks on Teams

The Python-based tool TeamsPhisher can be used to automate this attack on Teams. With this tool, Jumpsec’s researchers have combined their attack concept with Andrea Santese’s techniques, as well as Bastian Kanbach’s ‘TeamsEnum’ tool, which incorporates authentication and helper functions developed by Kanbach.

TeamsPhisher is described as follows by Alex Reid, the developer of the red team utility: “Give TeamsPhisher an attachment, a message, and a list of target Teams users. It will upload the attachment to the sender’s Sharepoint, and then iterate through the list of targets.”

For the attack to succeed, TeamsPhisher must first verify that the target user exists and is able to receive external messages.

After creating a new thread with the target, it sends them a message containing a Sharepoint attachment link. In the Teams interface of the sender, the thread appears for (potential) manual intervention by the sender.

The TeamsPhisher application requires users to have a Microsoft Business account (MFA is supported) as well as a valid Teams and SharePoint license.

There is also a “preview mode” available in the tool, which allows users to verify the set target lists and to evaluate the appearance of messages from the perspective of the recipient.

TeamsPhisher also includes other features and optional arguments that can be used to refine the attack. To avoid rate limiting, secure file links can be sent that can only be viewed by the intended recipient, a delay between message transmissions can be specified, and log files can be created to record the results.

Unsolved problem

Despite Microsoft’s assurances, the issue exploited by TeamsPhisher is still present, and Jumpsec researchers were not able to obtain an immediate fix.

Last month, BleepingComputer also contacted the company for a comment regarding plans to fix the problem, but did not receive a response. Our request for comment from Microsoft was reiterated, but no response was received at the time of publication.

Although TeamsPhisher was created for authorized red team operations, threat actors can also use it to deliver malware to target organizations without setting off alarms.

Until Microsoft takes action, it is strongly recommended that organizations disable communications with external tenants if they are not required. Alternatively, they may create an allow-list of trusted domains in order to limit the risk of exploitation.
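The two mitigations above map onto the tenant federation settings in the Microsoft Teams PowerShell module. The following is an added example written for this article, not code from Jumpsec, TeamsPhisher, or Microsoft; it assumes the `MicrosoftTeams` module is installed, that the account running it holds a Teams administrator role, and that `contoso.com` and `fabrikam.com` are placeholder partner domains to be replaced with the organization’s real trusted partners.

```powershell
# Added example (not from the original article): inspect and harden
# Teams external-tenant access in response to the file-sending bypass.
# Requires the MicrosoftTeams module and a Teams admin role (assumption).

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Check the current state: is federation with external tenants open,
#    and is there any domain allow-list in place?
$federation = Get-CsTenantFederationConfiguration
Write-Host "AllowFederatedUsers : $($federation.AllowFederatedUsers)"
Write-Host "AllowedDomains      : $($federation.AllowedDomains)"
Write-Host "BlockedDomains      : $($federation.BlockedDomains)"

# 2a. Option A (most restrictive): disable external tenant communication
#     entirely until a fix is available. This blocks the external sender
#     path that TeamsPhisher relies on.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 2b. Option B: keep federation on, but only for an explicit allow-list
#     of trusted partner domains. Placeholder domains below; replace them.
$trustedDomains = @("contoso.com", "fabrikam.com")   # constructed sample
$patterns = foreach ($d in $trustedDomains) {
    New-CsEdgeDomainPattern -Domain $d
}
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                    -AllowedDomains $allowList

# 3. Re-read the configuration to confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains
```

Run only one of the two options. Option A is the blanket “disable external tenants” recommendation; Option B is the allow-list approach, which limits exposure to senders from domains the organization has explicitly vetted rather than blocking all external chat. In either case, record the pre-change values printed in step 1 so the setting can be reverted cleanly once Microsoft ships a fix.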

