- Aug 17, 2014
A newly discovered vulnerability in Microsoft Teams allows attackers to push malware onto the devices of other Microsoft Teams users, even if they are considered external.
IT security researchers at Jumpsec have discovered a new vulnerability in Microsoft Teams. The vulnerability may be exploited to bypass traditional security protections, e.g., against phishing or malware, to push malicious files to the devices of Microsoft Teams users.
Jumpsec discovered a vulnerability in Microsoft Teams that allows external users to send files directly to internal users. The files are displayed alongside the message, which can be a specially crafted message to get the target to open the file on the machine.
The researchers explain: "Exploitation of the vulnerability was straightforward using a traditional IDOR technique of switching the internal and external recipient ID on the POST request [...]".
The file that gets delivered is hosted on a Sharepoint domain, but the inbox of the target displays it as a file, not a link. The file is downloaded when the user activates it.
Jumpsec notes that the vulnerability is a " potentially lucrative avenue for threat actors to deliver payloads" as it bypasses anti-phishing security controls. An attacker would have to buy a domain and register it with M365, but they would not have to use "mature domains, with web servers, landing pages, CAPTCHAs, domain categorisation, and URL filtering".