Summary
Security researchers found a vulnerability in Microsoft Teams that allows links and binaries to be delivered through Microsoft Teams from an account outside the target organization.
Understanding the attack
Microsoft Teams allows users to communicate with other Teams users even if they are not in the same organization. This is enabled by default, with no additional configuration required. It is important to note that Microsoft Teams is intended to block file delivery from external tenant accounts.
Two Jumpsec Red Team members discovered that this restriction could be bypassed by modifying the internal and external recipient IDs in the POST request that sends a message. This tricked the system into treating the external user as an internal one, allowing them to send files to the target user. The attack is particularly dangerous because it bypasses existing security measures and the advice given in anti-phishing training, so even organizations that have taken steps to protect themselves from phishing remain vulnerable to it.
If the bad actor also registers a Microsoft 365 tenant on a domain that resembles the target organization's, their messages will appear to come from a legitimate source within the organization. This makes it more likely that the target will download the file, even if they are aware of phishing scams.
Attack in action [POC]
To replicate this attack, we are going to use a tool called TeamsPhisher, which was created by a member of the U.S. Navy's red team. TeamsPhisher automates the exploitation of this vulnerability by automatically changing the ID in the POST request of a message.
First, TeamsPhisher confirms that the intended recipient exists and that they are able to receive external messages, which is a precondition for the attack to succeed. It then prompts the attacker for authentication; the tool supports MFA login as well, as seen above.
Next, it opens a new communication channel with the target and delivers a message containing a SharePoint attachment link. The created thread is visible in the sender's Teams interface, allowing for possible manual engagement. In this case we sent a message with a sense of urgency to convince the victim to open it, and attached a malicious binary to it.
Mitigation
ThreatLocker has preventive measures in place that stop this attack from executing, with additional alerting through our ThreatLocker Ops product.
The binary is not allowed to execute on the victim's machine under the ThreatLocker Default Deny policy and approach. As seen above, ThreatLocker is also able to alert admins through ThreatLocker Ops policies. If you wish to stop external messages from reaching your tenant entirely, it is recommended that you use Internet Ringfencing™ to only allow communication with your organization's own SharePoint and Microsoft Teams. You may also use the Microsoft Teams Admin Center to disable the ability to communicate with Teams users whose accounts aren't managed by your organization, as seen below.
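As an added example (not code from the ThreatLocker post), the same external-access restriction audited, applied and verified from PowerShell rather than the Admin Center. It assumes the MicrosoftTeams module is installed and the signed-in account is a Teams administrator; `partner.example` is a placeholder and the allow-list parameter name is taken from the module documentation.

```powershell
# Added example: audit and lock down Teams external access with the
# MicrosoftTeams PowerShell module (assumes the module is installed and
# the account has Teams administrator rights).
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Audit the current federation settings. AllowFederatedUsers = $true
#    means any external Teams tenant can start a chat with your users,
#    which is exactly the precondition TeamsPhisher checks for.
$cfg = Get-CsTenantFederationConfiguration
$cfg | Select-Object AllowFederatedUsers, AllowTeamsConsumer,
                     AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains |
       Format-List

if ($cfg.AllowFederatedUsers) {
    Write-Warning "External (federated) access is open: any tenant can message your users."
}

# 2a. Strictest option: turn off external access entirely. This is the
#     scripted equivalent of the Admin Center toggle described above.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                    -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 2b. Alternative when partners still need access: keep federation on but
#     only for an explicit allow list, so a look-alike domain registered by
#     an attacker is not trusted. 'partner.example' is a placeholder; the
#     -AllowedDomainsAsAList parameter name comes from the module docs.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
#     -AllowedDomainsAsAList @{Add = "partner.example"}

# 3. Verify that the change took effect before closing the session.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains
```

Step 1 is worth running on its own as a periodic check, since the open-by-default setting is what makes the rest of the attack possible.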