A tool labeled TeamsPhisher was published recently on GitHub by a member of the U.S. Navy red team in an attempt to highlight and resolve a security issue within the business communication platform Microsoft Teams.
The tool works to bypass and exploit Microsoft Teams to allow unsolicited external files to be sent, allowing hackers to send messages to anyone despite not being a part of the recipient's organization.
Microsoft Teams has client-side protection to deny files coming in from external accounts, but the Red Team members found that it was possible to avoid those restrictions by changing the internal and external recipient ID in the post request of a message and ultimately making the system believe that the sender is an internal user when they are an external user.
TeamsPhisher is a Python-based tool that can conduct a fully automated attack that sends any desired attachment, subject, and message to the target user or organization. The attack can avoid the anti-phishing training and other security measures that Microsoft has in place, and attackers can disguise their domains as the target organization within Microsoft 365.
As a prerequisite of the attack, it makes sure to verify the existence of the target account and whether the target is capable of receiving external messages. TeamsPhisher also requires that the target has a Microsoft Business account as well as a Sharepoint and Teams license. If those thresholds are met, TeamsPhisher will create a thread, add the Sharepoint attachments, and hope for an interaction by the user.
Max Corbridge and Tom Ellson, members of the Red Team at JumpSec, stumbled across this potential exploit and immediately worked towards highlighting this issue for Microsoft to handle. Once addressed to Microsoft, the company acknowledged the existence of the vulnerability but declined to work on fixing it, according to the researchers, saying the issue does not meet the bar for immediate servicing."
So what's next for Microsoft Teams users? It is suggested that communication with external tenants be halted and only lists of trusted domains be allowed—at least until Microsoft takes action.
