A member of the US Navy's information security research team has this week published an experimental tool that bypasses Microsoft Teams' restrictions on files sent by external users.
Named TeamsPhisher, the Python-based tool takes advantage of an unresolved security flaw. It lets an attacker get around Teams' file-sending restrictions for external tenants and carry out standard phishing and infection techniques, such as delivering malware, straight into a target's Teams inbox.
While TeamsPhisher was created for authorized US Navy operations, it has highlighted a wider security risk that threat actors can use to target businesses. It appears to be the latest in a run of cybersecurity issues currently plaguing Microsoft, which recently denied reports of large-scale DDoS attacks.
How Does TeamsPhisher Work?
Ultimately what's happening here is that the restriction on external users sending files is enforced on the client side, so the back end can be tricked into treating an external user as an internal Teams one. TeamsPhisher does this by changing the ID in the message's POST request. All that an attacker needs is a Microsoft 365 account with valid Teams and SharePoint licenses.
The tool begins by verifying that the target user exists and can receive messages from external tenants. From there, it creates a new thread between itself and the target and sends a message containing a SharePoint attachment link.
Attacks can be batched by giving TeamsPhisher the attachment, a message and a list of users to target. It uploads the attachment to the sender's SharePoint once and then works through each recipient, repeating the same steps.
The tool also offers a preview mode, which helps attackers verify their target list and confirm that the message looks innocuous from the recipient's point of view. A number of features could be used to refine attacks further, including sending secure file links that can only be opened by the chosen recipient.
Although the tool was built for authorized red team operations, it is easy to see how malicious actors could take advantage of the tool and the weakness it relies on.
A Resolution Won't Be Immediate
The issue that TeamsPhisher exploits was initially flagged last month by UK-based cybersecurity firm Jumpsec. Microsoft was made aware of it, but told Jumpsec's researchers that it didn't meet the bar for immediate servicing.
Although the bypass lets an external sender drop a malicious file directly into a target's Teams chat, Microsoft has stated that it considers the attack to still depend on social engineering to succeed.
In a statement to BleepingComputer, Microsoft added “we encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”
So while a fix may not be on the horizon right now, there are a few precautions organizations can take to protect themselves. The bypass only works against tenants that accept messages from external tenants in the first place, so creating an allow-list of trusted domains limits who can start a chat with your users, and disabling communication with external tenants altogether removes the exposure if that access isn't explicitly needed.
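The two precautions above map directly onto the Teams tenant federation settings, which are managed with the MicrosoftTeams PowerShell module. The following is an added example written for this article, not code from TeamsPhisher or from Microsoft's guidance; the partner domain names are placeholders, and it assumes an account with Teams administrator rights.

```powershell
# Added example (not from the original tool). Requires the MicrosoftTeams module
# and a Teams administrator account. Domain names below are placeholders.
Connect-MicrosoftTeams

# Step 1: inspect the current external access settings. The weak (default) state
# is AllowFederatedUsers = True with an empty AllowedDomains list, meaning any
# external tenant can open a chat with your users.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowPublicUsers, AllowedDomains, BlockedDomains

# Option A: keep external access, but only for an explicit allow-list of partner domains.
$partnerDomains = @(
    (New-CsEdgeDomainPattern -Domain "partner-one.example"),   # placeholder
    (New-CsEdgeDomainPattern -Domain "partner-two.example")    # placeholder
)
$allowList = New-CsEdgeAllowList -AllowedDomain $partnerDomains
Set-CsTenantFederationConfiguration -AllowedDomains $allowList

# Option B: no external tenants need to reach your users, so turn external access off
# entirely, including chats from consumer Teams and Skype accounts.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                    -AllowTeamsConsumer $false `
                                    -AllowPublicUsers $false

# Re-check the result; the hardened state should show either a populated
# AllowedDomains list (Option A) or AllowFederatedUsers = False (Option B).
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowPublicUsers, AllowedDomains
```

Apply only one of the two options; Option B overrides any allow-list. Federation settings can take some time to propagate, so re-run the final check after a short wait before assuming the change is live.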