Automated Malware Delivered via Microsoft Teams Exploit Tool

Dubbed "TeamsPhisher," the tool enables penetration testers and adversaries to deliver threatening files directly to a Teams user from an outside environment. 

Attackers now have access to a powerful "TeamsPhisher" tool that exploits a recently disclosed vulnerability in Microsoft Teams. This tool provides a seamless way to deliver corrupted files to specific users within an organization using Teams. By taking advantage of the communication capabilities between internal and external Teams users, attackers can directly insert harmful payloads into victims' inboxes without the need for conventional phishing or social engineering tactics. The availability of this tool raises concerns about the potential for increased targeted attacks and highlights the importance of organizations bolstering their security measures to protect against such threats.

Prerequisites and Modus Operandi

According to the tool's developer, Alex Reid, a US Navy Red Team member, TeamsPhisher can be instructed to upload an attachment to the sender's SharePoint and proceed to target a specified list of Teams users. This process involves providing the tool with an attachment, a message, and a list of target users. TeamsPhisher will then carry out the necessary steps to execute the intended actions.

TeamsPhisher utilizes a technique recently revealed by JUMPSEC Labs researchers Max Corbridge and Tom Ellson to overcome a security limitation in Microsoft Teams. While the collaboration platform permits communication between users from different organizations, file sharing is restricted. However, Corbridge and Ellson identified an Insecure Direct Object Reference (IDOR) vulnerability, which allowed them to bypass this restriction effectively.

By manipulating the ID of the internal and external recipient in a POST request, they discovered that a payload sent in this manner would reside in the sender's SharePoint domain and land in the recipient's Teams inbox. This vulnerability affects all organizations using Teams in a default configuration, enabling attackers to circumvent anti-phishing measures and other security controls. Although Microsoft has acknowledged the issue, it has deemed it not an immediate priority for remediation. As a result, organizations must remain vigilant and take proactive measures to mitigate this potential security risk.

Reid's TeamsPhisher tool combines techniques from JUMPSEC, Andrea Santese, and Secure Systems Engineering GmbH. It leverages TeamsEnum for user enumeration and incorporates methods for initial access. TeamsPhisher verifies a target user's ability to receive external messages and creates a new thread to deliver the message directly to the inbox, bypassing the usual confirmation screen. Once the new thread has started, the message and the SharePoint attachment link will go to the target user. After sending the initial message, the sender can view and interact with the created thread in their Teams GUI, addressing any specific cases as necessary.

Sources reached out to Microsoft for comment on the impact of TeamsPhisher's release on their approach to addressing the discovered vulnerability, but a response has yet to be received. JUMPSEC has recommended that organizations using Microsoft Teams assess the necessity of enabling communication between internal users and external tenants. "If you do not regularly communicate with external tenants on Teams, it is advisable to enhance your security controls and disable this option entirely," the company advised.
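
One way to act on JUMPSEC's recommendation is to audit the tenant's external access setting and either turn it off or restrict it to named partner domains. The script below is an added example, not code from JUMPSEC, Microsoft, or the TeamsPhisher project. It assumes the MicrosoftTeams PowerShell module is installed and the operator holds a Teams administrator role; the `PartnerDomains` parameter name is hypothetical.

```powershell
# Added example: audit and restrict Teams external access (federation).
# Assumes the MicrosoftTeams module and a Teams administrator sign-in.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical parameter: partner domains that must stay reachable.
    # Leave empty to block messages from all external tenants.
    [string[]]$PartnerDomains = @()
)

Import-Module MicrosoftTeams -ErrorAction Stop
Connect-MicrosoftTeams | Out-Null

# Read the current tenant-wide external access settings.
$cfg = Get-CsTenantFederationConfiguration

# Report the values that decide whether outside tenants can start chats.
[pscustomobject]@{
    AllowFederatedUsers = $cfg.AllowFederatedUsers
    AllowedDomains      = $cfg.AllowedDomains
    BlockedDomains      = $cfg.BlockedDomains
} | Format-List

if (-not $cfg.AllowFederatedUsers) {
    Write-Output 'External tenants are already blocked; no change made.'
    return
}

if ($PartnerDomains.Count -eq 0) {
    # No business need for external chat: disable it entirely.
    if ($PSCmdlet.ShouldProcess('Teams tenant', 'Disable external access')) {
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
    }
}
else {
    # External chat is needed: replace "any domain" with an explicit allow list.
    $allow = New-Object 'System.Collections.Generic.List[string]'
    $PartnerDomains | ForEach-Object { $allow.Add($_.Trim().ToLower()) }
    $action = "Restrict external access to: $($allow -join ', ')"
    if ($PSCmdlet.ShouldProcess('Teams tenant', $action)) {
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList $allow
    }
}

# Show the resulting configuration for the change record.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains | Format-List
```

Running the script with `-WhatIf` prints the current settings and the change it would make without applying it.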
