An exploitable loophole in Microsoft’s Teams communication platform, weaponized by a tool dubbed TeamsPhisher, allows an adversary to bypass security controls and plant malware on targeted systems, and it will not receive a patch. However, on Wednesday Microsoft said it is advising Teams administrators to review the platform’s settings following concerns that the default configuration leaves organizations vulnerable to malware.
The company has not said it has any plans to address the vulnerability, which was highlighted by researchers last month and is exploitable via the newly published red-teaming tool TeamsPhisher.
The vulnerability, discovered last month by Jumpsec researchers, allows Teams accounts from an outside organization to bypass client-side security controls and send malicious payloads directly to a target’s inbox.
On July 3, U.S. Navy Red Team technical lead Alex Reid published a Python tool on GitHub called TeamsPhisher that draws on Jumpsec’s findings and some earlier work on Teams vulnerabilities to “yield a robust, customizable, and efficient means for authorized Red Team operations to leverage Microsoft Teams for phishing for access scenarios”.
“Give TeamsPhisher an attachment, a message, and a list of target Teams users. It will upload the attachment to the sender's Sharepoint, and then iterate through the list of targets,” Reid said on GitHub.
The exploit is based on a well-known access control vulnerability known as insecure direct object references (IDOR), where the file sender switches the internal and external recipient ID on a POST request. This enables an attacker to send a malicious payload that will appear in the target’s inbox as a file for download.
Confounded configuration issues!
The exploit is only possible when Teams is configured to allow users to communicate with “external tenancies” – Teams users in other organizations – and that is the default configuration.
Writing about the vulnerability last month, Jumpsec researcher Max Corbridge said he saw its exploitation as “a potentially lucrative avenue for threat actors to deliver payloads” because it “bypasses nearly all modern anti-phishing security controls”.
Corbridge said Jumpsec reported the vulnerability to Microsoft but was told it “did not meet the bar for immediate servicing”.
“I think this is a shame, but was nonetheless expected,” he wrote.
Microsoft addresses issue
Asked about the vulnerability on Wednesday, a Microsoft spokesperson said the company was “aware of reports that security researchers developed tools seeking to bypass security in Microsoft Teams by introducing content from external sources, outside a user's enterprise tenant”.
The company did not indicate it was looking to patch the vulnerability.
“The recommended action for organizations using Microsoft Teams who do not need to maintain regular communication with external tenants is to disable this feature, or limit external access to select users, as needed, via the Microsoft Teams Admin Center, as a security best practice,” the spokesperson said.
In last month’s research note revealing how Jumpsec had exploited the vulnerability to successfully deliver a payload during a red team exercise, Corbridge provided similar advice.
He said organizations should first review whether it was necessary for their staff to receive Teams messages from external tenants. If it was not, they should ensure the feature was deactivated.
“If you do require communication with external tenants, but there are only a handful of organisations that you regularly communicate with, then you can change the security settings to only allow communication with certain allow-listed domains,” he said.
“This would be a good middle ground for shutting down this attack path, without affecting your business operations.”
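The two mitigations described above, disabling external access outright or restricting it to an allow-list of partner domains, can also be audited and applied from PowerShell rather than the Teams Admin Center. This is an added example, not code from the article or from Jumpsec; it assumes the MicrosoftTeams PowerShell module is installed, that the caller holds a Teams administrator role, and that the partner domains shown are constructed placeholders.

```powershell
# Added example (not from the article): audit and tighten Teams external access
# using the MicrosoftTeams PowerShell module. Assumes the module is installed
# and the signed-in account holds a Teams administrator role.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

$fed = Get-CsTenantFederationConfiguration

# Report the current external-access posture before changing anything.
[pscustomobject]@{
    AllowFederatedUsers = $fed.AllowFederatedUsers   # $true: any external tenant can message staff
    AllowTeamsConsumer  = $fed.AllowTeamsConsumer    # personal (consumer) Teams accounts
    AllowedDomains      = $fed.AllowedDomains        # allow-list, if one is configured
    BlockedDomains      = $fed.BlockedDomains        # block-list entries
} | Format-List

# Option 1: no external communication is needed, so disable federation entirely.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false -AllowTeamsConsumer $false

# Option 2: external chat is required with a handful of known organisations only.
# Once an allow-list is set, every domain not on it is blocked.
# Constructed placeholder domains; replace with the organisations you work with.
$partners = @('partner-a.example', 'partner-b.example')
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @{Add = $partners}

# Re-read the configuration to confirm the allow-list took effect.
(Get-CsTenantFederationConfiguration).AllowedDomains
```

Re-running the audit block after the change gives a record of the before and after state that can be kept with the change ticket.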
He said if an organization needed to keep its Teams communications open to external parties, their staff had to be educated about the security risks associated with all productivity applications.
“It is not just email that is being abused any more, and yet it seems, in my personal opinion, that when using alternative avenues to email there is an inherent trust, due to the rich history connecting phishing and emails.”