Microsoft Teams has a security flaw that allows attackers to bypass file-sending restrictions and deliver malware to unsuspecting users. A tool called TeamsPhisher, developed by a U.S. Navy red team member, automates this attack and makes it easier for hackers to target organizations.
TeamsPhisher, written in Python, combines the work of several security researchers who discovered and exploited the flaw in Microsoft Teams. The flaw stems from the fact that the application relies on client-side protections that can be fooled by changing the ID in the POST request of a message.
The tool works by taking an attachment, a message, and a list of target Teams users. It then uploads the attachment to the sender's SharePoint and sends each target a message containing a link to that SharePoint attachment. The message appears to come from an internal user, even though the sender belongs to an external tenant.
“Give TeamsPhisher an attachment, a message, and a list of target Teams users. It will upload the attachment to the sender's Sharepoint, and then iterate through the list of targets,” explains the description from Alex Reid, the developer of the tool.
How TeamsPhisher Works and Mitigation
TeamsPhisher also checks if the target user exists and can receive external messages, which is a prerequisite for the attack to work. It creates a new thread with the target, which can be used for manual interaction by the sender. It supports Microsoft Business accounts with MFA, Teams and SharePoint licenses.
The tool has additional features and options that refine the attack. For example, it can send secure file links that only the intended recipient can view, insert a delay between messages to avoid rate limiting, and write its output to a log file. It also has a “preview mode” that lets users verify their target lists and see how their messages look from the recipient's perspective.
Microsoft has been aware of this issue since last month when UK-based security company Jumpsec reported it. However, the company said that it did not meet the bar for immediate servicing. BleepingComputer contacted Microsoft twice for a comment but did not receive a reply.
TeamsPhisher was designed for authorized red team operations, but it can also be used by malicious actors to deliver malware to unsuspecting organizations. Until Microsoft fixes this issue, organizations are advised to disable communication with external tenants if it is not needed, or to create an allow-list of trusted domains.
If your organization uses Microsoft Teams in the default configuration, it is exposed to this attack. You can protect your staff by blocking external users from sending them messages: in the Microsoft Teams Admin Center, open External Access and turn the option off. If you still need to communicate with certain external tenants, add those organizations' domains to the allow-list instead; every other domain is then blocked, which prevents unwanted messages.
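The same two mitigations can be applied and verified from PowerShell instead of the Admin Center. The script below is an added example written for this page; it is not code from the article or from the TeamsPhisher project. It assumes the MicrosoftTeams PowerShell module is installed and that the account used has Teams administrator rights; the cmdlets Connect-MicrosoftTeams, Get-CsTenantFederationConfiguration, Set-CsTenantFederationConfiguration, New-CsEdmAllowedDomain and New-CsEdmAllowList are the module's own. The partner domain names are placeholders.

```powershell
# Added example (not from the article or the TeamsPhisher project).
# Applies the two mitigations described above with the MicrosoftTeams module.
Connect-MicrosoftTeams

# 1. Inspect the current federation settings. In the default configuration
#    AllowFederatedUsers is $true and AllowedDomains allows all known domains,
#    so any external tenant can open a chat with your users.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains

# 2a. Strictest option: switch external access off entirely. This is the
#     PowerShell equivalent of turning the option off under
#     Teams Admin Center > External Access.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 2b. Alternative: keep external access on, but only for an explicit
#     allow-list of trusted partner tenants. Run this instead of 2a if some
#     external communication is required.
$trustedDomains = @('partner-one.example', 'partner-two.example')   # placeholders
$allowedDomainObjects = @(
    foreach ($d in $trustedDomains) { New-CsEdmAllowedDomain -Domain $d }
)
$allowList = New-CsEdmAllowList -AllowedDomain $allowedDomainObjects
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 3. Verify the result: AllowedDomains should now list only the trusted
#    domains (or AllowFederatedUsers should be $false if you chose 2a).
$after = Get-CsTenantFederationConfiguration
$after | Select-Object AllowFederatedUsers, AllowedDomains
```

Choose either step 2a or 2b; running both in sequence leaves the tenant in the allow-list state of 2b. Keep the output of step 1 so the previous configuration can be restored if a legitimate partner is accidentally cut off.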