This preamble brings us to the latest flavor of vulnerability that could allow an attacker to insert malware into an organization that might not have the best security practices in place. This pool of targets, sadly, is most of the Small to Medium Business (SMB) market and many enterprises as well. The flaw exists in how the service handles external accounts but is compounded by how integrated SharePoint is with Teams.

According to researchers at Jumpsec Labs, they found a way to get around the normal protections in place for external organization file sharing. If the target group has their security settings for Teams at default, it allows for contact from any external organization that has their own Teams instance, but blocks files from external organizations. Now this access can still be used for social engineering as far too many people will still respond to and click on links in a message that says it is not from a trusted source. In fact, I have seen people take things clearly marked as Phishing from quarantine, move them to their inbox and then click on the links in that same email. Back to the attack, in this case the Jumpsec team was able to switch the internal and external recipient ID on the Post request which made Teams think the that the external sender is now an internal one. This now allows the attacker to send files to the target. How fun, right?

To add to the attack, if the attacker hosts the file from SharePoint it will look like a file in the inbox and not a link (as this is how Teams Handles the integration with SharePoint). This makes the file look even more like a local file to the target, making the chances of a successful download much higher. As we already know attackers will register domains that are similar to a target organization and will also use either compromised or a throw away MS365 tenant as part of an attack chain this type of attack is likely to include that type of preparation (as it can make things easier for the attacker).

Additional implications of this is that when a threat actor sends the initial message to the target and the message shows up in the email inbox with what looks like a SharePoint file. There is an intrinsic trust on the part of the recipient. It is SharePoint, it is not a link, it looks like it is from someone inside my organization. Right there you have pretty much gotten around most social engineering training (which needs to be updated anyway). Extending this line of thought further, if the attackers are clever (which they are) they can also start up a conversation via teams first, set meetings, make calls, share screens, and then push out the malware payload.

Defending against this is also fairly simple. First, unless you have the need to allow just anyone to communicate with your organization via teams, turn external connections off. If you just need to use teams to connect with external organizations, change the setting to only allow domains that you add to a trusted list and block everything else. These settings are found in the Teams Admin Center under External accounts. We also highly recommend having good EDR on all endpoints as well as update your security awareness training to include how to identify sophisticated social engineering attacks. The new training should highlight attacks that leverage collaboration and communication services like Teams, Slack, etc. As attackers either compromise existing organizations and leverage them for follow-on attacks or use features in these productivity tools for initial attacks, users and security teams need to be more alert and aware of how these efforts begin and work.

For now, Microsoft does not see this as enough of a flaw to do anything about it. They responded to Jumpsec telling them they are aware of the issue, but it is not a priority. This means that you are on your own for now. Stay safe out there.