A new tool available on GitHub can enable attackers to misuse a recently disclosed vulnerability in Microsoft Teams and automatically deliver malicious files to users' systems. The tool, dubbed TeamsPhisher, operates seamlessly in environments permitting communication between internal and external Teams users.
How did the tool come into existence?
Last month, two researchers at Jumpsec highlighted the issue by explaining that attackers could bypass a security feature in Microsoft Teams.
The feat could be achieved by changing the internal and external recipient ID in the POST request of a message, thus tricking the system into treating an external user as an internal one.
As the issue remained unresolved, a member of the U.S. Navy’s red team recently published the TeamsPhisher exploit tool, which leverages the flaw.
Modus operandi
TeamsPhisher is a Python-based tool that provides a fully automated attack.
The tool first checks a Teams user and verifies that the user can receive external messages.
It then creates a new thread with the target user and sends a message with a SharePoint attachment link.
This new thread appears in the sender’s Teams interface for manual interaction, ultimately initiating the attack.
TeamsPhisher reportedly includes other features and optional arguments to refine the attack. These include sending secure file links that can only be viewed by the intended recipient, specifying a delay between message transmissions to bypass the restriction, and writing output to a log file.
Conclusion
While Microsoft is yet to take action to resolve the security issue, it has advised practicing good cybersecurity hygiene, including exercising caution when clicking on links to web pages. It has further warned users to be cautious when opening unknown files or engaging in file transfers. In addition, organizations using Microsoft Teams are advised to disable communications with external tenants if they are not needed. Alternatively, they can create a list of trusted domains, which would limit the risk of exploitation.
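The two tenant-level mitigations above (disabling external communication, or limiting it to trusted domains), shown as an added example that is not part of the original article. It assumes the MicrosoftTeams PowerShell module and a Teams administrator account; the partner domains are constructed placeholders and `$ExternalAccessNeeded` is a hypothetical switch.

```powershell
# Added example: review and restrict Teams external access (federation).
# Assumes the MicrosoftTeams module is installed and you sign in as a Teams admin.
# partner-a.example / partner-b.example are constructed placeholder domains.

Connect-MicrosoftTeams

# 1. Record the current tenant-wide external access settings before changing them.
$before = Get-CsTenantFederationConfiguration
$before | Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains

# Weak state to look for in that output:
#   AllowFederatedUsers : True
#   AllowedDomains      : AllowAllKnownDomains
# With these values, any external Teams tenant can open a chat with your users.

# Hypothetical switch: set to $false if no external tenants need to reach your users.
$ExternalAccessNeeded = $true

if (-not $ExternalAccessNeeded) {
    # Option A: disable communication with external tenants entirely.
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
}
else {
    # Option B: keep external access, but only for an explicit list of trusted domains.
    $trusted = New-Object 'System.Collections.Generic.List[string]'
    $trusted.Add('partner-a.example')
    $trusted.Add('partner-b.example')
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                        -AllowedDomainsAsAList $trusted
}

# 2. Read the settings back to confirm the corrected state.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains
```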