Malware Delivery Exploit Found in Microsoft Teams Allows Attacks from External Sources

by | Jun 23, 2023 | News

Malware Delivery Exploit Microsoft Teams Allows Attacks External Sources

Post Views: 12,408

Premium Content

Patreon
Subscribe to Patreon to watch this episode.
Reading Time: 3 Minutes

Security researchers from UK-based security services company Jumpsec have identified a method to deliver malware through Microsoft Teams, bypassing the application’s restrictions on files from external sources. 

Attack Method

The attack method leverages Microsoft Teams’ default configuration, which allows communication with external tenant accounts. While this communication bridge alone could be used for social engineering and phishing attacks, the researchers discovered a more powerful approach that involves sending a malicious payload directly to a target inbox.

Client restrictions preventing external users from sending a fileClient restrictions preventing external users from sending a file (Jumpsec)

Although Microsoft Teams has client-side protections in place to block file delivery from external tenants, the researchers found a way to circumvent these restrictions by manipulating the internal and external recipient IDs in a POST request, tricking the system into treating an external user as an internal one.

By employing this technique, the payload is hosted on a Sharepoint domain, but it appears in the target’s inbox as a file rather than a link. The researchers successfully tested this attack in a covert red team engagement, highlighting its ability to bypass existing security measures and anti-phishing training.

Attack example with the sender posing as a member of the IT teamAttack example with the sender posing as a member of the IT team (Jumpsec)

See Also: So you want to be a hacker?
Offensive Security, Bug Bounty Courses

Furthermore, if an attacker registers a domain similar to the target organization’s on Microsoft 365, the messages can be made to appear as if they come from an internal source, increasing the likelihood of the target downloading the file.

The researchers promptly reported their findings to Microsoft, but the company responded that the issue does not meet the bar for immediate servicing, indicating that it does not consider it a high-priority vulnerability.

Trending: Unlocking Windows System Resource Utilization for Digital Forensics Analysis with SRUM Dump

Trending: Offensive Security Tool: PhoneSploit Pro

Organizations using Microsoft Teams and not requiring regular communication with external tenants are advised to disable this feature from the Microsoft Teams Admin Center. If external communication channels need to be maintained, organizations can define specific domains in an allow-list to mitigate the risk of exploitation.

Additionally, the researchers have requested Microsoft to add external tenant-related events to the software’s logging, which could help prevent such attacks in real-time. Users can support this request to urge Microsoft to take action on the vulnerability.

Trending: Chinese Hacking Group Exploits VMware ESXi Vulnerability to Backdoor Windows and Linux VMs

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link

Merch

Recent News

EXPLORE OUR STORE

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

Join our Community

Share This