
A proof-of-concept program has recently been published that exploits an unresolved security vulnerability in Microsoft Teams. The program, released by the U.S. Navy’s red team, bypasses Microsoft Teams’ file-sending restraints to deliver malware from an external account. The exploit is possible because the application can be tricked into treating an external user as an internal one simply by changing the ID in the POST request of a message.

The program is written in Python and is called TeamsPhisher. “Give the program an attachment, a message, and a list of target Teams users, and it will upload the attachment to the sender’s SharePoint, and then iterate through the list of targets.” TeamsPhisher requires that users have a Microsoft Business account (personal Hotmail and Outlook accounts won’t work) with a valid Teams and SharePoint license.

While the program is meant for security researchers, threat actors can also leverage it to deliver malware to target organisations. Currently there is no fix available, so organisations are strongly advised to disable communications with external tenants if not needed, or to create an allow-list of trusted domains to limit the risk of exploitation.
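The two mitigations mentioned above (turning off external-tenant communication, or restricting it to an allow-list of trusted domains) are tenant federation settings. The following is an added example, not from the podcast segment or from the TeamsPhisher project, showing how a Teams administrator would review and change them with the MicrosoftTeams PowerShell module. It assumes the `Get-CsTenantFederationConfiguration` / `Set-CsTenantFederationConfiguration` cmdlets and the `AllowFederatedUsers`, `AllowedDomainsAsAList` and `AllowTeamsConsumer` parameters as exposed by recent versions of that module; the partner domain names are placeholders.

```powershell
# Added example (not from the podcast or the TeamsPhisher project): review and tighten
# external-tenant (federation) settings with the MicrosoftTeams PowerShell module.
# Assumes Connect-MicrosoftTeams succeeds with a Teams administrator role and that the
# cmdlet and parameter names match the installed module version; check them against
# current Microsoft documentation before running in a production tenant.

Connect-MicrosoftTeams

# 1. Show the current state. The weak configuration is AllowFederatedUsers = $true with
#    an empty allowed-domain list, which lets any external tenant message your users.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer

# 2. Choose ONE of the two options below.

# Option A: disable communication with external tenants entirely (if it is not needed).
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# Option B: keep federation enabled but restrict it to an allow-list of trusted domains.
#           Replace the placeholder domains with the partner domains you actually trust.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
#     -AllowedDomainsAsAList @("partner-a.example", "partner-b.example")

# 3. Separately, block unmanaged consumer (personal) Teams accounts from reaching users.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false

# 4. Re-read the configuration to confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer
```

Option A is the stronger control and is what the segment recommends where external collaboration is not required; Option B keeps legitimate partner tenants working while closing the tenant to everyone else. In either case, re-reading the configuration afterwards (step 4) is the check that the setting actually applied.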

This segment was created for the It’s 5:05 podcast