Microsoft Teams attack skips the phish to deliver malware directly

A bug in the latest version of Microsoft Teams allows for external sources to send files to an organization’s employees even though the application typically blocks such activity, researchers have found. This give threat actors an alternative to complex and expensive phishing campaigns to deliver malware into target organizations — but Microsoft won’t be addressing it as a priority.

Researchers Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) from JUMPSEC Labs’ Red Team discovered a way to exploit the Microsoft Teams External Tenants feature to slip malware into files sent to an organization’s employees, thus bypassing nearly all modern anti-phishing protections, they revealed in a blog post published this week.

“This vulnerability affects every organization using Teams in the default configuration,” Corbridge wrote in the post. “As such it has huge potential reach and could be leveraged by threat actors to bypass many traditional payload delivery security controls.”

Teams is Microsoft’s widely used hosted messaging and file-sharing app, which already was used by an estimated 91% of Fortune 100 organizations before the Covid-19 pandemic, according to Microsoft financial data. During the pandemic, the use of Teams expanded even further, as many organizations came to rely on it to communicate and collaborate with their remote workforce.

Though Teams is typically used for communication between employees within the same organization, Microsoft’s default configuration for teams allows users from outside the company to reach out to its employees, the researchers said. This is where the opportunity arises for threat actors to exploit the app to deliver malware, they said.

This can be done by bypassing client-side security controls that prevent external tenants from sending files —which in this case, would be malicious — to internal users, the researchers explained.

How the Microsoft Teams Exploit Works

The vulnerability lies in a capability that allows any Microsoft Teams allows user with a Microsoft account to reach out to what are called “external tenancies,” the researchers explained. In this case, these tenancies would be any business or organization using Microsoft teams, which each have their own tenancy.

“Users from one tenancy are able to send messages to users in another tenancy,” Corbridge explained. “When doing so, an ‘External’ banner appears alongside the name.”

Though some employees might not click on a message from an external source, many would, something that Corbridge said the researchers already proved as part of a red-team engagement aimed at gaining an initial foothold in a client’s environment.

“This is especially true if the malicious party is impersonating a known member of your organization and has purchased and registered a brand-impersonation domain, as red teams often do,” he noted in the post.

Though external tenants in Teams are blocked from sending files to staff in another organization — unlike their ability to send files between employees in a single organization or tenancy — Corbridge said he and JUMPSEC’s head of offensive security Tom Ellson were able to bypass this control within 10 minutes.

To read the complete article, visit Dark Reading.