Malware delivery to Microsoft Teams users made easy

A tool that automates the delivery of malware from external attackers to target employees’ Microsoft Teams inbox has been released.

TeamsPhisher (Source: Alex Reid)

About the exploited vulnerability

As noted by Jumpsec researchers Max Corbridge and Tom Ellson, Microsoft Teams’ default configuration lets external tenants (i.e., M365 users outside the organization) message an organization’s employees.

The same configuration doesn’t allow external tenants to send files, but that restriction can be bypassed by switching the internal and external recipient ID on the POST request, the researchers found.

“When this vulnerability is combined with social engineering via Teams it becomes very easy to start a back-and-forth conversation, jump on a call, share screens, and more,” Corbridge explained.

Microsoft says that the flaw does not “meet the bar for immediate servicing” since successfull exploitation hinges on social engineering.

About TeamsPhisher

TeamsPhisher is a Python-based tool created by red teamer Alex Reid that allows attackers (authorized or not) to deliver attachments to Microsoft Teams users.

TeamsPhisher incorporates Corbridge’s and Ellson’s technique for manipulating Teams web requests, earlier techniques disclosed by red teamer Andrea Santese, and uses the TeamsEnum Python script (by Secure Systems Engineering security consultant Bastian Kanbach) to find existing Microsoft Teams users.

“TeamsPhisher requires that users have a Microsoft Business account (as opposed to a personal one e.g. @hotmail, @outlook, etc) with a valid Teams and Sharepoint license. This means you will need an AAD tenant and at least one user with a corresponding license. At the time of publication, there are some free trial licenses available in the AAD license center that fulfill the requirements for this tool,” Reid explained.

Using the tool is easy: the red teamer / attacker provides the malicious attachment, a message, and a list of target Teams users. The attachment is uploaded to the sender’s Sharepoint.

TeamsPhisher finds the target user, then creates a new group chat by including the target’s email twice.

Phishing email sent via TeamsPhisher – From the target’s point of view (Source: Alex Reid)

“With the new thread created between our sender and the target, the specified message will be sent to the user along with a link to the attachment in Sharepoint,” he concluded.

The tool also has the option to make targets authenticate to view the attachment in Sharepoint – a step that just may convince the target to do it.

What to do until the flaw is fixed

Reid pointed out that organizations can mitigate the risk posed by this vulnerability by managing the options related to external access via the Microsoft Teams admin center. “Microsoft provides flexibility to organizations to choose the best permissions to fit their needs, including a universal block as well as whitelisting only specific external tenants for communications.”

Microsoft has urged customers to be careful when clicking on links to web pages, opening unknown files, or accepting file transfers.