A recently discovered vulnerability in Microsoft Teams could allow attackers to deliver malware to users' devices, even from accounts that the target organization treats as external. The vulnerability, discovered by IT security researchers at Jumpsec, could be exploited to bypass traditional security protections, such as anti-phishing and anti-malware controls, and push malicious files to the devices of Microsoft Teams users.
Files From External Sources as a Door to Malware
Microsoft Teams, by default, accepts communication requests from external tenants. Although Teams does not normally allow an external account to send files to an internal account, Jumpsec found a vulnerability that lets external users send files directly to internal users. The file is displayed alongside the message, and that message can be crafted to persuade the target to open the file on their machine.
According to Jumpsec, “Exploitation of the vulnerability was straightforward using a traditional IDOR technique of switching the internal and external recipient ID on the POST request.” The delivered file is hosted on a SharePoint domain, but the target's inbox displays it as a file rather than as a link. The file is downloaded when the user clicks it.
Impact and Microsoft's Response
The vulnerability affects all organizations that use Microsoft Teams in its default configuration. Organizations may mitigate the issue by disallowing external users from sending messages to staff members, which can be done under Microsoft Teams Admin Center > External Access. However, not every organization can disable this option, since some require communication with external tenants. These organizations can instead add the domains of their partner organizations to the allow-list, so that communication from all other domains is blocked.
Jumpsec reported the vulnerability to Microsoft prior to releasing the information. Microsoft confirmed its existence, but told Jumpsec that it “did not meet the bar for immediate servicing.”
Recommendations and Remediation
System administrators may want to limit external communication options in the Microsoft Teams administrative interface to mitigate the vulnerability. If external channels of communication need to be maintained, organizations can define the specific domains they trust in an allow-list to lower the risk of exploitation.
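The two mitigations above, expressed with the Microsoft Teams PowerShell module, as an added example that is not from the article or from Jumpsec. It assumes the MicrosoftTeams module is installed, an account with Teams administrator rights, and uses constructed placeholder partner domains.

```powershell
# Added example (not from the article or Jumpsec): audit and tighten Teams external access.
# Assumes: Install-Module MicrosoftTeams has been run and the caller is a Teams administrator.
Connect-MicrosoftTeams

# 1. Audit the current state. The default configuration the article describes as affected
#    has AllowFederatedUsers = True with no AllowedDomains restriction.
$cfg = Get-CsTenantFederationConfiguration
$cfg | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains

# 2a. Strictest mitigation: stop external tenants from messaging staff entirely.
#     This is the PowerShell equivalent of turning off external access in
#     Teams Admin Center > External Access. Use either 2a or 2b, not both.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 2b. Alternative when external collaboration is required: allow-list specific
#     partner domains; every other external tenant is then blocked.
$partners  = @('partner-one.example', 'partner-two.example')   # constructed placeholders
$patterns  = $partners | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 3. Verify the change took effect (tenant-wide settings can take some time to propagate).
(Get-CsTenantFederationConfiguration).AllowedDomains
```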
Jumpsec's researchers also submitted a request to add external-tenant-related events to the product's logging, which could help organizations spot attacks as they unfold. They also suggested monitoring external message requests, for which visibility is currently limited. The researchers identified a URI that can be monitored to detect when a Teams user accepts a request from an external source. “Whilst not a perfect solution, it would be possible to use web proxy logs to alert on, or more likely gain some baseline visibility into, staff members accepting external message requests. In EMEA, when a Teams user accepts a message request from an external tenant it sends a POST request to a unique URI which you can monitor:”