Microsoft’s Teams collaboration platform contains a vulnerability that can be exploited with a malicious GIF, enabling an attacker to take over a company’s Teams accounts.
The issue resides in two Teams sub-domains that were vulnerable to takeover, aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com, said CyberArk researchers. Once a sub-domain is taken over, the attacker can use it to obtain a legitimate certificate, eventually allowing the threat actor to access a company’s Teams account base, scrape data or take over accounts.
“If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim’s browser will send this cookie to the attacker’s server and the attacker (after receiving the authtoken) can create a skype token. After doing all of this, the attacker can steal the victim’s Teams account data,” the researchers said.
CyberArk notified Microsoft of the issue and a patch has been issued.
The trick an attacker can use is a malicious GIF, as opposed to a plain link, which many people now know not to click on. The process starts by sending the victim, via Teams chat, an image whose “src” attribute is set to the compromised sub-domain. When the target opens this message, the victim’s browser tries to load the image, which sends the authtoken cookie to the compromised sub-domain and thus to the attacker controlling it. Ultimately this gives the attacker a pathway to scrape all the victim’s data.
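The cookie behaviour described above can be audited from the defender's side. The following is an added example, not code from CyberArk or Microsoft: it applies RFC 6265 domain matching to a Set-Cookie value and lists the hosts in an inventory that would receive the cookie but are no longer under the owner's control. The cookie values, the `Domain` attribute and the ownership flags are constructed assumptions; only the host names come from the article.

```python
# Added example: which hosts receive a cookie, per RFC 6265 domain matching.
# The Set-Cookie values and the ownership flags below are constructed.

def parse_set_cookie(header, setting_host):
    """Parse one Set-Cookie value into the fields that decide its scope."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()
    return {
        "name": parts[0].split("=", 1)[0],
        "domain": domain or setting_host.lower(),
        "host_only": not domain,       # no Domain attribute: exact host only
        "secure": "secure" in attrs,
    }

def receives_cookie(cookie, host, scheme="https"):
    """True if a request to scheme://host would carry the cookie."""
    host = host.lower()
    if cookie["secure"] and scheme != "https":
        return False
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])

def exposed_hosts(header, setting_host, inventory):
    """Hosts that receive the cookie but are not under the owner's control."""
    cookie = parse_set_cookie(header, setting_host)
    return sorted(h for h, controlled in inventory.items()
                  if not controlled and receives_cookie(cookie, h))

WIDE = "authtoken=CONSTRUCTED; Domain=.teams.microsoft.com; Path=/; Secure"
HOST_ONLY = "authtoken=CONSTRUCTED; Path=/; Secure"
INVENTORY = {  # host -> still controlled by the owner? (constructed flags)
    "teams.microsoft.com": True,
    "aadsync-test.teams.microsoft.com": False,
    "data-dev.teams.microsoft.com": False,
    "example.net": False,
}

if __name__ == "__main__":
    for label, header in (("wide", WIDE), ("host-only", HOST_ONLY)):
        print(label, exposed_hosts(header, "teams.microsoft.com", INVENTORY))
```

The `Secure` flag only restricts the cookie to HTTPS requests, so it does not narrow the result once the sub-domain can present a legitimate certificate; scoping the cookie to the exact host does.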