Microsoft Teams bug allows hackers to sidestep security, plant malware

A Microsoft Teams vulnerability allows adversaries to sidestep security controls and plant malware on targeted systems. The Teams attack vector was found by researchers who warn that, as traditional routes of infection such as inboxes and websites come under heavier scrutiny, communications platforms such as Teams, Slack and Zoom are becoming a more attractive target.

In a research note posted last week, Jumpsec researchers said the issue affects organizations that run Microsoft Teams in its default configuration. "This is done by bypassing client-side security controls which prevent external tenants from sending files (malware in this case) to staff in your organization," wrote Max Corbridge, a researcher with Jumpsec's Red Team.

IDOR Bug

The bug abuses the Teams feature that lets two businesses running the platform interact with one another. The collaboration feature does have a security measure in place to prevent a user at one business from sending a user at another business a file via Teams. However, Jumpsec found a way to bypass that protection and successfully plant a malicious file on the recipient's system.

"Microsoft Teams allows any user with a Microsoft account to reach out to ‘external tenancies’... These organizations each have their own Microsoft tenancy, and users from one tenancy are able to send messages to users in another tenancy," he wrote.

The loophole relies on a common web-application flaw, the insecure direct object reference (IDOR): the file sender switches the internal and external recipient IDs in the POST request, researchers said. A POST request is the HTTP method used to send data to a server to create or update a resource; here it is the request the Teams client sends to deliver a message, and the server acts on the identifiers it carries rather than re-checking them.

When the file is hosted on a SharePoint domain, an adversary can craft a malicious URL and send it to a target via Teams to plant malware on the target's computer. The payload "is delivered directly into the target's inbox" as a file, not as a link, researchers said.

The next step in the attack, researchers said, would be to use a social engineering tactic to con the recipient into clicking on the malicious payload.

"[This technique] avoids the now-rightfully-dangerous act of clicking on a link in an email, something that staff have been trained to avoid for years now, greatly reducing the likelihood of a typical staff member detecting this as a phishing attack," Corbridge said.

Researchers said the technique should be of great concern to the industry, given the ubiquity of Microsoft Teams, which topped 280 million monthly active users in a January estimate.

Teaming with Teams Users

Today, many companies have fairly permissive security controls around messaging, so outside business partners can message internal employees. Those external users are not supposed to be able to send files to employees of another organization, but the researchers said the client-side security controls that disallow this can be bypassed.

The researchers said exploitation of the vulnerability was straightforward: they used a traditional insecure direct object reference (IDOR) technique, switching the internal and external recipient IDs on the POST request. This lets the attacker send a malicious payload that then appears in the target's inbox as a file for download. Because the restriction is enforced only in the client, any attacker who can edit the request after the client has built it is not bound by it; the durable fix is for the server to resolve who the recipient is and which tenant they belong to from its own records, rather than trusting identifiers supplied in the request.
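To make the flaw class described above concrete, the following is an added Python model of a file-share endpoint, written for this article; it is not Jumpsec's or Microsoft's code, and the request fields, user IDs, tenant names and file URL are all invented (the real Teams request format is not described on this page). The vulnerable handler authorizes on a tenant label the client sends, so rewriting that label in the POST lets an external sender deliver a file; the hardened handler resolves the recipient's tenant from its own directory, which is what closes an IDOR in general, not just this instance.

```python
"""Hypothetical model of a cross-tenant file-share check (constructed example).

Policy modelled: users in different tenants may exchange messages, but a
file attachment may only be sent within the sender's own tenant.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed directory standing in for the identity service: user id -> tenant.
DIRECTORY = {
    "user-001": "tenant-target",    # employee at the targeted organization
    "user-002": "tenant-target",    # another employee there
    "user-900": "tenant-attacker",  # external sender in a different tenant
}

# Constructed URL of a file the attacker hosts on their own SharePoint tenant.
PAYLOAD_URL = "https://attacker.sharepoint.example/shared/invoice.exe"


@dataclass
class SharePost:
    """Fields of the hypothetical POST that creates a chat message."""
    sender_id: str                  # taken from the session token: trusted
    recipient_id: str               # body field: attacker-controlled
    recipient_tenant: str           # body field: attacker-controlled label
    attachment_url: Optional[str]   # file reference, or None for a plain message


def vulnerable_server(post: SharePost) -> str:
    """Trusts the client's classification of the recipient.

    The 'external recipients cannot receive files' rule is really enforced in
    the client; the server only compares the tenant label the client put in
    the body, so an attacker who edits the POST can relabel the recipient.
    """
    sender_tenant = DIRECTORY[post.sender_id]
    if post.attachment_url and post.recipient_tenant != sender_tenant:
        return "rejected: external file transfer"
    return "delivered"


def hardened_server(post: SharePost) -> str:
    """Resolves the recipient's tenant server-side from the recipient ID.

    The client-supplied label is ignored: authorization is based on the
    server's own view of the object, which is the fix for an IDOR.
    """
    sender_tenant = DIRECTORY[post.sender_id]
    recipient_tenant = DIRECTORY.get(post.recipient_id)
    if recipient_tenant is None:
        return "rejected: unknown recipient"
    if post.attachment_url and recipient_tenant != sender_tenant:
        return "rejected: external file transfer"
    return "delivered"


def honest_post() -> SharePost:
    """What an unmodified client would send (and refuse to send client-side)."""
    return SharePost("user-900", "user-001", "tenant-target", PAYLOAD_URL)


def tampered_post() -> SharePost:
    """Same request with the recipient relabelled as the attacker's own tenant."""
    return SharePost("user-900", "user-001", "tenant-attacker", PAYLOAD_URL)


def internal_post() -> SharePost:
    """Legitimate intra-tenant file share, which both servers should allow."""
    return SharePost("user-002", "user-001", "tenant-target", PAYLOAD_URL)


if __name__ == "__main__":
    for name, post in [("honest", honest_post()), ("tampered", tampered_post()),
                       ("internal", internal_post())]:
        print(f"{name:9s} vulnerable={vulnerable_server(post)!r:38s} "
              f"hardened={hardened_server(post)!r}")
```

The point to take from the model is that the body-supplied `recipient_tenant` field exists only because the client was doing the authorization; once the server looks the tenant up itself, the field can be removed entirely and no amount of request editing changes the decision.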

Microsoft Teams has emerged as a great app for busy professionals, especially in organizations with a hybrid or mostly remote workforce, said Damir Brescic, chief information security officer at Inversion6. With the news of the newly identified vulnerability, Brescic said, organizations should make sure they have the latest updates for Microsoft Teams.

“Overall, it’s sobering news and should bring a perspective that attackers are clever and that organizations have vulnerabilities, and if they haven’t yet done so, they need to enhance their security measures,” said Brescic. “Aspects of security, such as implementing two-factor authentication and taking steps to isolate and protect their most critical assets and business processes via zero trust principles, are crucial.”

We have seen an increase in malicious link and file attacks in Teams, Slack, and Zoom because these channels are less protected, said Patrick Harr, chief executive officer at SlashNext.

“Threat actors have now focused on delivering phishing and malware attacks on multiple channels,” said Harr. “Organizations must close the security gap in collaboration apps across all devices with solutions that stop all malicious link and file threats.”
