New tool ‘TeamsPhisher’ exploits vulnerability in Microsoft Teams, raises concerns about communication platform security

Devesh Beri


According to a recent post by DarkReading, GitHub now hosts a newly released tool, “TeamsPhisher,” designed to exploit a recently disclosed vulnerability in Microsoft Teams. The tool lets attackers efficiently distribute malicious files to specific users within an organization that uses Teams.

TeamsPhisher works in environments where internal Teams users can communicate with external Teams users (or tenants). It eliminates the need for conventional phishing or social engineering techniques by allowing attackers to deliver payloads directly to targeted individuals’ inboxes.

According to Alex Reid, the developer of TeamsPhisher and a member of the US Navy’s Red Team, the tool’s functionality is straightforward. A user supplies TeamsPhisher with an attachment, a message, and a list of target Teams users. The tool then uploads the attachment to the sender’s SharePoint and iterates through the provided target list.

Separately, Teams released 45 new features last month, along with the profanity filtering control feature.

Fully Automated Cyberattack Flows

Researchers at JUMPSEC Labs disclosed a technique that has now been incorporated into TeamsPhisher, allowing attackers to bypass a security feature in Microsoft Teams. Although Teams permits communication between users from different organizations, it restricts file sharing between them.

The underlying flaw is an Insecure Direct Object Reference (IDOR): a web application acts on a client-supplied “direct object reference,” such as a database key or query parameter, without verifying that the requester is authorized for the object it names, so an attacker can manipulate the reference. JUMPSEC researchers Max Corbridge and Tom Ellson successfully exploited an IDOR issue in Teams by swapping the IDs of internal and external recipients in a POST request. This manipulation allows the payload to be hosted on the sender’s SharePoint domain and delivered directly to the victim’s Teams inbox.
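The server-side check that an IDOR of this kind sidesteps can be modelled in a few lines. This is an added example, not code from the article, JUMPSEC or Microsoft: the directory, user IDs, `SendRequest` and both handlers are hypothetical, and it assumes the cross-tenant file rule is otherwise applied only by the client that builds the request.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed directory (user ID -> tenant); these are not real Teams identifiers.
DIRECTORY = {"u-alice": "tenant-a", "u-bob": "tenant-a", "u-eve": "tenant-x"}


@dataclass
class SendRequest:
    recipient_id: str                     # object reference from the request body (client-controlled)
    text: str
    attachment_url: Optional[str] = None  # set when a file is shared with the message


class Forbidden(Exception):
    """Raised when the server refuses to act on the supplied reference."""


def send_unchecked(session_user: str, req: SendRequest) -> dict:
    """IDOR-prone: delivers to whatever ID the body names, with no policy check.
    Assumption: the 'no files across tenants' rule lives only in the client."""
    return {"to": req.recipient_id, "text": req.text, "attachment": req.attachment_url}


def send_checked(session_user: str, req: SendRequest) -> dict:
    """Hardened: resolve both parties server-side and authorize the reference
    before acting on it. Cross-tenant text stays allowed, files do not."""
    sender_tenant = DIRECTORY.get(session_user)        # from the authenticated session
    recipient_tenant = DIRECTORY.get(req.recipient_id)  # looked up, never taken on trust
    if sender_tenant is None or recipient_tenant is None:
        raise Forbidden("unknown sender or recipient")
    cross_tenant = sender_tenant != recipient_tenant
    if cross_tenant and req.attachment_url is not None:
        raise Forbidden("file sharing across tenants is not permitted")
    return {"to": req.recipient_id, "text": req.text, "attachment": req.attachment_url}


if __name__ == "__main__":
    # Constructed request: external sender, internal recipient, file attached.
    crafted = SendRequest("u-alice", "invoice attached", "https://files.example/invoice.zip")
    print("unchecked:", send_unchecked("u-eve", crafted))
    try:
        send_checked("u-eve", crafted)
    except Forbidden as exc:
        print("checked: rejected,", exc)
```
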

This vulnerability affects all organizations using Teams in the default configuration, and attackers can leverage it to bypass anti-phishing measures and other security controls. Microsoft acknowledged the issue but did not prioritize an immediate fix.

TeamsPhisher Incorporates Multiple Attack Techniques

TeamsPhisher, developed by Reid, incorporates techniques from JUMPSEC and previous research by Andrea Santese and TeamsEnum. The tool aims to leverage Microsoft Teams for initial access by exploiting the vulnerability. It follows a workflow that involves enumerating a targeted Teams user, creating a new thread, and delivering a message and attachment to the recipient’s inbox without triggering the usual security prompts.

Microsoft has not yet responded to inquiries about the impact of TeamsPhisher on its decision to address the bug discovered by JUMPSEC. JUMPSEC advises organizations to assess whether communication between internal Teams users and external tenants is necessary, and suggests tightening security controls or removing the option altogether if it is not regularly required.