Microsoft Teams Bug Allows for Malware Delivery, But No Priority for Fix
The Vulnerability
Researchers from JUMPSEC Labs’ Red Team have discovered a bug in the latest version of Microsoft Teams that enables threat actors to send files containing malware to an organization’s employees. This exploit takes advantage of the Microsoft Teams External Tenants feature, allowing external sources to bypass anti-phishing protections and deliver malicious payloads. The vulnerability affects all organizations using Teams in the default configuration, making it a significant concern because of the broad reach an attacker could achieve.
How the Exploit Works
The vulnerability leverages the capability of the Microsoft Teams application to allow users from different organizations, referred to as “external tenancies,” to communicate with each other. While external tenants are typically blocked from sending files to staff in another organization, the researchers were able to bypass this control using a traditional IDOR (Insecure Direct Object Reference) technique. By switching the internal and external recipient IDs in the POST request, the researchers had the payload hosted on a SharePoint domain, where it appears as a file in the target’s Teams inbox. This method provides threat actors with a straightforward and reliable avenue for delivering malware without the need for complex phishing campaigns.
Potential Impact and Exploitation
This bug presents a potential avenue for threat actors to deliver malware to organizations without resorting to socially engineered email messages. By purchasing a domain similar to the target organization’s and registering it with Microsoft 365, threat actors can create a legitimate Teams tenancy without the need for intricate phishing infrastructure. By exploiting the vulnerability, a payload can be served via a trusted SharePoint domain, inheriting the reputation of SharePoint itself. Additionally, threat actors can engage in social engineering tactics, starting conversations with employees and even participating in Teams calls, sharing screens, and conducting further nefarious activities or delivering the payload themselves.
Lack of Priority for Fix
The researchers reported the vulnerability to Microsoft, which acknowledged its legitimacy but stated that it did not meet the threshold for immediate servicing. As a result, Microsoft currently has no plans to address this bug as a priority. This decision is concerning, as Microsoft Teams is widely used by organizations, especially since the COVID-19 pandemic, when reliance on remote work increased significantly.
Mitigations and Protections
Organizations can take several steps to mitigate the risk posed by this vulnerability. Firstly, they can review whether there is a business requirement for external tenants to have permission to message staff and, if not, remove this option in the Microsoft Teams Admin Center. If communication with external tenants is necessary but limited to a few organizations, administrators can configure Teams security settings to only allow communication with specific allow-listed domains. Educating staff about the possibility of social engineering campaigns in productivity apps like Teams, Slack, and SharePoint, similar to those found in email messages, can also help employees avoid compromise.
Organizations should also consider using web proxy logs to provide alerts or baseline visibility into staff members accepting external-message requests. Although this may be challenging to implement effectively, it can provide some insight into how common this type of transaction is within an organization, allowing for potential mitigation.
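The two configuration mitigations above (disable external access, or restrict it to an allow-list of partner domains) can be applied from the Teams PowerShell module rather than the Admin Center. The script below is an added example and is not from JUMPSEC or Microsoft; it assumes the MicrosoftTeams module is installed, that you hold a Teams admin role, and the partner domain names are constructed placeholders.

```powershell
# Added example: apply the Teams external-access mitigations via PowerShell.
# Requires the MicrosoftTeams module and a Teams administrator account.
# The partner domain names below are constructed placeholders.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Record the current external-access (federation) posture before changing it.
$current = Get-CsTenantFederationConfiguration
Write-Host "AllowFederatedUsers : $($current.AllowFederatedUsers)"
Write-Host "AllowTeamsConsumer  : $($current.AllowTeamsConsumer)"
Write-Host "AllowedDomains      : $($current.AllowedDomains)"

# 2. Decide the policy. Leave this array empty if there is no business need
#    for external tenants to message staff at all.
$partnerDomains = @('partner-one.example', 'partner-two.example')

if ($partnerDomains.Count -eq 0) {
    # No requirement: turn off federation with other tenants entirely.
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
}
else {
    # Limited requirement: allow only the listed domains. A lookalike domain
    # an attacker registers is not on the list and is therefore blocked.
    $allowList = New-Object 'System.Collections.Generic.List[string]'
    foreach ($domain in $partnerDomains) { $allowList.Add($domain) }

    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
        -AllowedDomainsAsAList $allowList
}

# 3. Also block chat from unmanaged personal (consumer) Teams accounts,
#    which are another external source outside the organization's control.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false

# 4. Verify the resulting configuration.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains
```

Changes to tenant federation settings can take some time to propagate, so re-run the verification step later rather than relying only on the immediate output.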
Conclusion
The bug in Microsoft Teams that enables malware delivery through external sources is a significant concern for organizations using the application. Despite its potential impact and the straightforward nature of the exploit, Microsoft has not designated it a priority for fixing. In light of this, organizations must take necessary precautions and implement mitigations to protect their employees and sensitive data from potential attacks. Continuous monitoring, awareness training, and implementing access limitations are crucial steps in maintaining a secure environment within the Microsoft Teams platform.