Description
Researchers have recently uncovered a straightforward method of delivering malware to organizations through Microsoft Teams, even with the application”s restrictions on files from external sources.
Microsoft Teams, a widely utilized communication and collaboration platform with an impressive user base of 280 million monthly active users, has become an integral part of many organizations” operations as part of the Microsoft 365 suite of cloud-based services.
Recognizing the widespread adoption of this product across various organizations, Max Corbridge and Tom Ellson, esteemed members of the Red Team at Jumpsec, a reputable security services company based in the UK, conducted an investigation. Their objective was to explore the platform and identify potential vulnerabilities that could allow the delivery of malware by leveraging an account outside the target organization.
Details
In their report, Corbridge explains that the attack on Microsoft Teams takes advantage of the default configuration, which enables communication with accounts outside the organization, commonly known as “external tenants.” While this feature alone could facilitate social engineering and phishing attacks, the method discovered by the researchers is even more potent as it allows for the direct delivery of a malicious payload to a targeted inbox. Although Microsoft Teams incorporates client-side protections to prevent file delivery from external tenant accounts, the identified approach bypasses these security measures.
However, the Red Team members from Jumpsec discovered a way to circumvent this restriction. By modifying the internal and external recipient ID in the POST request of a message, they were able to deceive the system into treating an external user as an internal one. In this modified approach, the payload is hosted on a SharePoint domain, and the target unknowingly downloads the malware from this domain. Interestingly, despite being hosted on SharePoint, the payload appears in the target”s inbox as a file rather than a link, increasing the likelihood of it being opened and executed.
To validate the effectiveness of this technique, the researchers conducted real-world tests during covert red team engagements. They were able to successfully deliver a command-and-control payload into the target organization”s inbox, highlighting the potential risks associated with this vulnerability. By exploiting this vulnerability, attackers can effectively evade established security measures and bypass the guidance provided through anti-phishing training. This grants them a relatively straightforward method to infect any organization that employs Microsoft Teams with its default configuration.
Additionally, if the attacker registers a domain that closely resembles the target organization”s domain within Microsoft 365, they can manipulate their messages to create the illusion of originating from an internal source rather than an external tenant. This deceptive tactic significantly increases the chances of the target unwittingly downloading the malicious file, as it appears to come from a trusted internal sender.
The combination of these techniques heightens the risk for organizations using Microsoft Teams, emphasizing the importance of promptly addressing this vulnerability and implementing additional security measures to safeguard against such attacks.
Remediation
Ensure that Microsoft teams is updated to the latest version.
Enable multifactor authentication which adds an extra layer of security by verifying the identity of users using different methods such as biometrics or face recognition.
Configure access control and create control rules that allow or deny external communication and access.
Always scan attachments and scrutinize links received in your Team chat even if you think it is from a trusted internal sender.
Install reputable malware software from a trusted source such as Kaspersky and run scheduled scans to keep your device malware free.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Microsoft Teams bug allows malware delivery from external accounts.pdf
References
Toulas, B. (2023, June 22). Microsoft Teams bug allows malware delivery from external accounts. Bleeping Computer. Retrieved from:
https://www.bleepingcomputer.com/news/security/microsoft-teams-bug-allows-malware-delivery-from-external-accounts/
Brooks, R. (2019, June 12). How to Prevent Malware Attacks: 10 Security TIPS. Netwrix. Retrieved from:
https://blog.netwrix.com/2020/06/12/malware-prevention/
Houssier, E. (2023, February 28). Microsoft Teams Security: IS YOUR DATA SECURE?. Powell Software. Retrieved from:
https://powell-software.com/resources/blog/microsoft-teams-security/#:~:text=Enable%20two%2Dfactor%20authentication%20and,can%20exploit%20if%20it”s%20unsecured