New Tool Exploits Microsoft Teams Bug, Posing Malware Delivery Risk.

July 10, 2023: A security vulnerability in Microsoft Teams has been exploited by a recently published tool, posing a threat to users. The tool, TeamsPhisher, takes advantage of an unresolved security issue that allows bypassing restrictions on incoming files from external users.

By leveraging an application-level problem highlighted by security services company Jumpsec, an attacker can circumvent Microsoft Teams’ file-sending limitations and deliver malware from an external account.

The tool achieves this by manipulating the ID in the POST request of a message, tricking the client-side protections of Microsoft Teams into treating an external user as an internal one. TeamsPhisher, a Python-based utility, automates the attack process by incorporating the techniques identified by Jumpsec researchers, along with methods developed by Andrea Santese and authentication functions from Bastian Kanbach’s ‘TeamsEnum’ tool.

TeamsPhisher simplifies the attack procedure by allowing users to provide an attachment, a message, and a list of target Teams users. It proceeds to upload the attachment to the sender’s Sharepoint and systematically iterates through the list of targets. To ensure the attack’s success, TeamsPhisher verifies the target user’s existence and ability to receive external messages. The tool creates a new thread with the target, sending them a message containing a Sharepoint attachment link. This thread appears in the sender’s Teams interface for potential manual interaction.

To utilize TeamsPhisher, users must possess a Microsoft Business account with a valid Teams and Sharepoint license, which is typical for major companies. The tool offers a “preview mode” for verifying target lists and reviewing the appearance of messages from the recipient’s perspective. Additionally, optional arguments and features enhance the attack’s effectiveness, including sending secure file links exclusive to the intended recipient, specifying transmission delays to bypass rate limiting, and generating log files for tracking purposes.

While the issue exploited by TeamsPhisher remains unresolved, Microsoft has indicated that it does not meet the criteria for immediate servicing. Despite the tool’s original purpose for authorized red team operations, threat actors can exploit it to deliver malware to target organizations discreetly. Until Microsoft takes action, organizations are strongly advised to turn off communications with external tenants if unnecessary. Additionally, creating an allow list with trusted domains can mitigate the risk of exploitation.