Wednesday, 05 July 2023 12:17

Microsoft Teams Flaw Leveraged by New Red Team Tool to Push Malware


There is nothing like an unresolved security flaw in a major product, especially when the flaw is one that the developer knows about but does not consider important enough to fix in a timely manner. If the flaw is in a commonly used product, it is even better. In this case we are talking about a flaw we covered back on the 23rd of June. This is a bug that can allow an attacker to mimic an internal sender to get around file handling from external senders. In our opinion, it is significant, but Microsoft has no plans to remediate it any time soon. I guess they have other things on their plate, like privacy investigations in the EU (over Teams and Office) and the pending Activision/Blizzard deal in court in the US.

No matter the reason for the delay, the flaw is there and could be open to attackers for the foreseeable future. A red team member for the US Navy thought it would be a good time to create a handy tool to streamline the attack, since it will be there for a while. The tool is called TeamsPhisher and has been written in Python. TeamsPhisher allows you to fully automate the attack. All you have to do is give it the payload and a list of Teams users to send it to. The tool will verify that the users are valid, then create the thread with a SharePoint link to your payload. There is even a preview mode to help verify the list of targets. It is quite the tool, with optional features to allow rate limit bypass, sending secure links so that only the intended target can view or open the file, and more. You will need a valid Microsoft Business account that includes SharePoint and Teams, but that should not be difficult for an attacker to get access to. After all, Business Email Compromise is still one of the leading attacks. It would be very easy to not only send out the next round of phishing emails, but also leverage Teams to gain access to the next target.

As we mentioned in our previous coverage, there are ways to block this attack. Cutting off external access is one good way as then the external connection cannot be made. If you must connect to external domains, limit the connection to only those that are trusted and manually allowed to make the connection. Adjusting EDR solutions to prevent a pivot from an Office Application (creating a sub-process) can also be effective here.
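The external access settings described above can be reviewed and tightened from PowerShell. This is an added example, not part of the original article or of any Microsoft guidance quoted in it; it assumes the MicrosoftTeams PowerShell module and a Teams administrator account, and the domain names are placeholders.

```powershell
# Added example. Assumptions: MicrosoftTeams module installed, Teams admin role.
# The default domains are placeholders, not values from the article.
param(
    [ValidateSet('Audit', 'BlockAll', 'AllowList')]
    [string]$Mode = 'Audit',
    [string[]]$TrustedDomains = @('partner.example', 'supplier.example')
)

Import-Module MicrosoftTeams -ErrorAction Stop
Connect-MicrosoftTeams | Out-Null

# Report the tenant-wide settings that decide who outside the tenant can
# start a chat with internal users.
function Show-ExternalAccess {
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                      AllowTeamsConsumer, AllowTeamsConsumerInbound |
        Format-List
}

Write-Host 'Current external access settings:'
Show-ExternalAccess

switch ($Mode) {
    'BlockAll' {
        # No external Teams organization can reach internal users.
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
    }
    'AllowList' {
        if (-not $TrustedDomains) { throw 'AllowList mode needs at least one domain.' }
        # Federation stays on, but only for the manually approved domains.
        $list = New-Object 'System.Collections.Generic.List[string]'
        foreach ($d in $TrustedDomains) { $list.Add($d.Trim().ToLower()) }
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
            -AllowedDomainsAsAList $list
    }
}

if ($Mode -ne 'Audit') {
    Write-Host "Settings after applying mode '$Mode':"
    Show-ExternalAccess
}
```

Run it in the default `Audit` mode first to see whether the tenant currently accepts chats from any external domain, then choose `BlockAll` or `AllowList`.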

Still, in the end, Microsoft must fix this and stop treating it as if this is not a serious security issue in an application that they push heavily onto not only businesses, but also onto consumers. As there is now a tool available to attackers that allows for automation of this attack, maybe, just maybe, Microsoft will devote some engineering time to fix this so companies are not wide open to this attack vector. Microsoft does have the talent and capability to remediate this flaw and they could do it quickly. However, this is Microsoft, so who knows what they might do. Until there is a patch in place for this, we recommend making users of Teams aware of the risks involved with Teams and also adjusting your existing settings to either block external connections or limit who can connect.
