A new attack chain discovered by security researcher Bobby Rauch strings together several weaknesses in Microsoft Teams to exfiltrate data from a victim's machine, using nothing more exotic than modified GIFs.
The technique, shared with Bleeping Computer on Thursday, abuses multiple flaws in Microsoft Teams so that external users can deliver what look like legitimate attachments to users inside an organization, bypassing Microsoft's security controls. That is a real concern for any business that relies on Teams.
Rauch also found that the attachment data sent through Teams can be altered, so that a user who clicks what appears to be a normal file instead downloads a file hosted at an external URL of the attacker's choosing, rather than the file the message appears to link to.
Here’s what you need to know, and how it works.
How the Attack Chain Works
The attack chain starts by tricking the victim into running a malicious stager on their machine. The stager then continuously scans the Microsoft Teams log folder on the victim's disk, where Teams records the content of received messages, and extracts and stores what it finds. With the stager in place, the attacker creates their own Tenant and uses Teams' external access to contact users in other organizations, which is how the malicious files and the command-carrying GIFs reach the target.
The modified GIFs are sent selectively to targeted users and carry embedded commands to retrieve information from the device. Because Teams writes incoming messages, GIF included, to its local log folder, the stager never needs to interact with the Teams window: it reads the command out of the log, runs it, and collects the result for the attacker. Anything the command can reach is fair game, including the user's login information.
Microsoft does not allow external users to send attachments to users in other Tenants. Rauch's research showed, however, that the JSON POST body behind a message's image or SharePoint attachment card can be edited so that the embedded link points anywhere the attacker wants, including Windows URIs that automatically launch an application to retrieve the document. That sidesteps the restriction Microsoft Teams intends to enforce.
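The check a defender would want here is a way to flag attachment cards whose link does not match what the card shows. The script below is an added example written for this page, not Rauch's tooling and not Microsoft code. It assumes the attachment object carries `name` and `contentUrl` fields (the shape used by Teams chat-message attachments; verify against the payloads you actually capture) and uses constructed sample messages for a fictional "contoso" tenant. The `ms-excel:` scheme in the second sample is one of the Office URI schemes, used here only to illustrate the "Windows URI that launches an application" case.

```python
import json
import os
from urllib.parse import urlparse

# Only plain HTTPS links to the tenant's own SharePoint/OneDrive hosts are accepted.
ALLOWED_SCHEMES = {"https"}
# Constructed placeholder hosts for a fictional "contoso" tenant; substitute your own.
TRUSTED_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}


def check_attachment(att, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of findings (strings) for one attachment object.

    The field names 'name' and 'contentUrl' are assumed; adapt them to the
    message payload you capture in your own environment.
    """
    findings = []
    name = att.get("name", "")
    url = att.get("contentUrl", "")
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()

    if scheme not in ALLOWED_SCHEMES:
        # Catches Windows URI schemes (e.g. ms-excel:, ms-word:) that hand the
        # link straight to a local application, as well as plain http.
        findings.append(f"{name!r}: unexpected URL scheme {scheme or '(none)'!r}")
        return findings  # host/extension checks are meaningless without https

    host = (parsed.hostname or "").lower()
    if host not in trusted_hosts:
        findings.append(f"{name!r}: host {host!r} is not a trusted SharePoint host")

    # The card shows `name`; the download is whatever the URL path ends in.
    shown_ext = os.path.splitext(name)[1].lower()
    real_ext = os.path.splitext(parsed.path)[1].lower()
    if shown_ext != real_ext:
        findings.append(
            f"{name!r}: displayed extension {shown_ext!r} differs from URL extension {real_ext!r}"
        )
    return findings


def check_message(raw_json, trusted_hosts=TRUSTED_HOSTS):
    """Parse one Teams-style message body and return all attachment findings."""
    msg = json.loads(raw_json)
    findings = []
    for att in msg.get("attachments", []):
        findings.extend(check_attachment(att, trusted_hosts))
    return findings


# Constructed sample payloads (not captured traffic).
BENIGN = json.dumps({
    "attachments": [{
        "contentType": "reference",
        "name": "Q3_report.xlsx",
        "contentUrl": "https://contoso.sharepoint.com/sites/finance/Shared%20Documents/Q3_report.xlsx",
    }]
})

# Card looks like a SharePoint file, but the link is an Office URI that opens
# Excel directly against an attacker-controlled server.
WINDOWS_URI = json.dumps({
    "attachments": [{
        "contentType": "reference",
        "name": "Q3_report.xlsx",
        "contentUrl": "ms-excel:ofe|u|https://attacker.example/Q3_report.xlsx",
    }]
})

# Card still says .xlsx, but the download is an .exe from an external host.
EXTERNAL_HOST = json.dumps({
    "attachments": [{
        "contentType": "reference",
        "name": "Q3_report.xlsx",
        "contentUrl": "https://attacker.example/files/Q3_report.exe",
    }]
})

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("windows-uri", WINDOWS_URI), ("external", EXTERNAL_HOST)):
        print(label, check_message(sample) or "OK")
```

The three checks are deliberately independent of how the card renders in the client: scheme first (anything other than https is rejected before further parsing), then host allow-listing against the tenant's own SharePoint domains, then a comparison of the displayed file name's extension with the extension in the URL path. A message that trips any of them deserves a closer look before anyone clicks.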
Should Microsoft Teams Users Be Concerned?
Not everyone thinks so. Microsoft responded to the findings but declined to take immediate action.
“We’ve assessed the techniques reported by this researcher and have determined that the two mentioned do not meet the bar for an urgent security fix. We’re constantly looking at new ways to better resist phishing to help ensure customer security and may take action in a future release to help mitigate this technique.” – a Microsoft spokesperson.
Rauch, however, argued that the response should be more urgent. He pointed out that Microsoft Teams runs as a background process, so the stager can pick up and execute commands without the user ever opening the Teams window.
How to Protect Your Business From Phishing Attacks
While Microsoft declined to treat Rauch's findings as urgent, there are several things you can do to keep your guard up.
- Be suspicious of images or messages that press you to click, call, or open something immediately.
- Do not click links or open attachments in messages you were not expecting, especially from people outside your organization.
- Consider using a VPN on untrusted networks; it does not stop phishing, but it protects your traffic in transit.
- Always use multifactor authentication, so a stolen password on its own is not enough.
- Keep your operating system and your Teams client updated.
- Install malware protection and keep it running; the attack chain depends on a stager that has to run on the endpoint.
- If you administer Teams, review the external access settings in the Teams admin center so that only approved domains can message your users; the chain relies on an attacker-controlled Tenant reaching yours.
- If you get a message from someone you don't recognize, flag it with IT.
- If you suspect a message is a scam, don't click any links or attachments it contains. Hovering your mouse over a link to compare the address is a good habit, but keep Rauch's point below in mind: a modified attachment card can look like an ordinary file while pointing somewhere else, so treat unexpected attachments from external contacts as suspect regardless.
“This research demonstrates how it is possible to send highly convincing phishing attachments to victims through Microsoft Teams, without any way for a user to pre-screen whether the linked attachment is malicious or not.” – Bobby Rauch.
Should My Business Still Use Microsoft Teams?
While the weaknesses Rauch exposed are worth taking seriously, every web conferencing and collaboration platform carries security risks.
Among the options on the market, Microsoft Teams remains a top choice. Keeping it regularly updated will keep your deployment as secure as it can be, but if you want to look at other software, there are plenty of choices.
If ease of use matters most, we'd recommend Zoom or Google Meet: both offer good audio and video quality and integrate with most other platforms. If you're not deterred, Microsoft Teams is still a good option.