A bug in the latest version of Microsoft Teams allows external sources to send files to an organization’s employees even though the application typically blocks such activity, researchers have found. This gives threat actors an alternative to complex and expensive phishing campaigns for delivering malware into target organizations — but Microsoft won’t be addressing it as a priority.
Researchers Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) from JUMPSEC Labs’ Red Team discovered a way to exploit the Microsoft Teams External Tenants feature to slip malware into files sent to an organization’s employees, thus bypassing nearly all modern anti-phishing protections, they revealed in a blog post published this week.
“This vulnerability affects every organization using Teams in the default configuration,” Corbridge wrote in the post. “As such it has huge potential reach and could be leveraged by threat actors to bypass many traditional payload delivery security controls.”
Teams is Microsoft’s widely used hosted messaging and file-sharing app, which already was used by an estimated 91% of Fortune 100 organizations before the Covid-19 pandemic, according to Microsoft financial data. During the pandemic, the use of Teams expanded even further, as many organizations came to rely on it to communicate and collaborate with their remote workforce.
Though Teams is typically used for communication between employees within the same organization, Microsoft’s default configuration for Teams allows users from outside the company to reach out to its employees, the researchers said. This is where the opportunity arises for threat actors to exploit the app to deliver malware, they said.
This can be done by bypassing client-side security controls that prevent external tenants from sending files — which in this case would be malicious — to internal users, the researchers explained.
How the Microsoft Teams Exploit Works
The vulnerability lies in a capability that allows any user with a Microsoft account to reach out to what are called “external tenancies,” the researchers explained. In this case, these tenancies would be any business or organization using Microsoft Teams, each of which has its own tenancy.
“Users from one tenancy are able to send messages to users in another tenancy,” Corbridge explained. “When doing so, an ‘External’ banner appears alongside the name.”
Though some employees might not click on a message from an external source, many would, something that Corbridge said the researchers already proved as part of a red-team engagement aimed at gaining an initial foothold in a client’s environment.
“This is especially true if the malicious party is impersonating a known member of your organization and has purchased and registered a brand-impersonation domain, as red teams often do,” he noted in the post.
Though external tenants in Teams are blocked from sending files to staff in another organization — unlike their ability to send files between employees in a single organization or tenancy — Corbridge said he and JUMPSEC’s head of offensive security Tom Ellson were able to bypass this control within 10 minutes.
“Exploitation of the vulnerability was straightforward using a traditional IDOR technique of switching the internal and external recipient ID on the POST request,” Corbridge explained in the post. “When sending the payload like this, it is actually hosted on a SharePoint domain and the target downloads it from there. It appears, however, in the target inbox as a file, not a link.”
The researchers tested their technique in a mature client environment during a red-team exercise last month and confirmed that it “allowed for a much more simple, reliable, and user-friendly payload delivery avenue than traditional phishing journeys,” he wrote.
A Dangerous & Impactful Collaboration App Bug
The bug provides a “potentially lucrative avenue” for threat actors because of how straightforward it is for them to deliver malware to organizations without the need to craft socially-engineered email messages with malicious links or files and hope employees take the bait and click on them, Corbridge wrote.
Threat actors can easily buy a domain similar to a target organization’s and register it with Microsoft 365, thus setting up a legitimate Teams tenancy and not having to build complex phishing infrastructure and then rely on employees already savvy to phishing tactics to make a mistake, he said.
By exploiting the flaw, a malicious payload is served via a trusted SharePoint domain as a file in a target’s Teams inbox. “As such, the payload inherits the trust reputation of SharePoint, not a malicious phishing website,” Corbridge wrote.
Threat actors can even use social engineering and start a conversation with an employee, which can lead to participation in a Teams call, the sharing of screens, and more, allowing them to conduct even more nefarious activity or even deliver the payload themselves, he added.
No Patch Coming: Mitigations & Protections
The researchers reported the vulnerability to Microsoft, which validated its legitimacy but said “it did not meet the bar for immediate servicing,” Corbridge wrote.
To mitigate the bug themselves, organizations can review whether there is a business requirement for external tenants to have permission to message staff and, if there is not, remove that option in Microsoft Teams Admin Center > External Access.
If an organization does require communication with external tenants but regularly communicates with only a handful of organizations, administrators can also use this same setting to change the Teams security configuration so that communication is allowed only with certain allow-listed domains, the researchers said.
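The two mitigation options above (disable external access entirely, or restrict it to an allow-list of partner domains) can also be applied from the MicrosoftTeams PowerShell module rather than the Admin Center. The following is an added example, not code from JUMPSEC or Microsoft; it assumes `Connect-MicrosoftTeams` has already been run with a Teams administrator account, and the partner domains it uses are placeholders to be replaced with the tenants the business actually needs.

```powershell
# Added example: set the Teams external-access posture with the
# MicrosoftTeams PowerShell module (Get/Set-CsTenantFederationConfiguration).
# Assumes an existing Connect-MicrosoftTeams session with admin rights.

function Set-TeamsExternalAccessPosture {
    param(
        # 'Off' blocks all external tenants; 'AllowList' permits only -PartnerDomains.
        [Parameter(Mandatory)] [ValidateSet('Off', 'AllowList')] [string] $Mode,
        [string[]] $PartnerDomains = @()
    )

    # Record the state before changing anything, so the change can be reviewed or reverted.
    $before = Get-CsTenantFederationConfiguration
    Write-Host "Before: AllowFederatedUsers=$($before.AllowFederatedUsers) AllowTeamsConsumer=$($before.AllowTeamsConsumer)"

    # Personal (consumer) and public Skype accounts are a separate switch from
    # other Microsoft 365 tenants; both are closed in either mode.
    $common = @{
        AllowTeamsConsumer        = $false
        AllowTeamsConsumerInbound = $false
        AllowPublicUsers          = $false
    }

    switch ($Mode) {
        'Off' {
            # No business need for external tenants: turn federation off.
            Set-CsTenantFederationConfiguration -AllowFederatedUsers $false @common
        }
        'AllowList' {
            if ($PartnerDomains.Count -eq 0) { throw 'AllowList mode needs at least one partner domain.' }
            # Build an explicit allow-list; every tenant not on it is blocked.
            $patterns  = $PartnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
            $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
            Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList @common
        }
    }

    # Return the resulting configuration so the caller can verify it.
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers, AllowedDomains
}

# Usage (placeholder partner domains; replace with the tenants you actually work with):
# Set-TeamsExternalAccessPosture -Mode Off
# Set-TeamsExternalAccessPosture -Mode AllowList -PartnerDomains 'partner-one.example', 'partner-two.example'
```

The function returns the post-change configuration so the allow-list can be checked in the same session; keeping the `$before` snapshot in a change ticket makes it straightforward to roll back if a partner is missed.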
If neither of these mitigation options is viable for an organization, administrators can instead educate staff that productivity apps such as Teams, Slack, SharePoint, and others can be used to launch social-engineering campaigns similar to the ones found in email messages, to help them avoid compromise.
Organizations can also use Web proxy logs to provide alerts or at least baseline visibility into staff members accepting external-message requests, Corbridge added.
“The difficulty, at present, is turning this into a useful piece of telemetry with usernames, and the message in question,” he acknowledged, but it can give some idea of how common this transaction is within an organization for potential mitigation.
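As an added example of the baseline visibility described above (this is not JUMPSEC’s code), the function below reduces web proxy log lines to a per-user count of accepted external Teams requests. It assumes a constructed log format of `<ISO timestamp> <username> <method> <url> <status>`, and the URL pattern it matches is a placeholder: the real request your proxy records when a user clicks Accept on an external chat has to be identified in your own logs and substituted for it.

```powershell
# Added example: baseline how often users accept external Teams requests,
# using web proxy logs. The log format and the $AcceptPattern regex are
# constructed placeholders, not Microsoft endpoints.

function Get-TeamsExternalAcceptBaseline {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        # PLACEHOLDER: replace with the URL pattern your proxy shows for an accepted external request.
        [string] $AcceptPattern = 'teams-external-accept\.example\.invalid',
        # Users at or above this many accepts get flagged for review.
        [int] $AlertThreshold = 3
    )

    # Keep only successful requests that match the accept pattern.
    $events = foreach ($line in $LogLines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 5) { continue }                       # skip malformed lines
        if ($f[3] -match $AcceptPattern -and $f[4] -eq '200') {
            [pscustomobject]@{ Time = [datetime]::Parse($f[0]); User = $f[1]; Url = $f[3] }
        }
    }

    # One row per user: count, first occurrence, and whether it crosses the threshold.
    $events | Group-Object User | ForEach-Object {
        [pscustomobject]@{
            User      = $_.Name
            Accepts   = $_.Count
            FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            Alert     = ($_.Count -ge $AlertThreshold)
        }
    } | Sort-Object Accepts -Descending
}

# Constructed sample proxy lines (not real traffic).
$sample = @(
    '2023-06-22T09:14:03Z alice GET https://teams-external-accept.example.invalid/accept 200',
    '2023-06-22T09:20:41Z bob   GET https://teams-external-accept.example.invalid/accept 200',
    '2023-06-22T10:02:17Z alice GET https://teams-external-accept.example.invalid/accept 200',
    '2023-06-22T10:05:59Z carol GET https://intranet.example.invalid/home 200',
    '2023-06-23T08:31:12Z alice GET https://teams-external-accept.example.invalid/accept 200',
    '2023-06-23T08:45:00Z bob   GET https://teams-external-accept.example.invalid/accept 403'
)

Get-TeamsExternalAcceptBaseline -LogLines $sample -AlertThreshold 3 | Format-Table -AutoSize
```

On the constructed sample, alice is flagged (three accepts), bob has one (the 403 is not counted), and carol does not appear at all; running the same function over a week of real logs gives the per-user baseline against which a sudden rise in accepts can be alerted.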