A recent discovery by researchers from JUMPSEC Labs’ Red Team has shed light on a critical bug in the latest version of Microsoft Teams that allows external sources to send files to an organization’s employees, bypassing the application’s built-in security measures. This vulnerability could potentially open the door for threat actors to deliver malware into target organizations without resorting to complex and costly phishing campaigns.
Max Corbridge and Tom Ellson, researchers from JUMPSEC Labs, found a way to abuse the Microsoft Teams External Tenants feature to send malware-laden files to an organization’s employees. This flaw has far-reaching implications, as it affects every organization using Teams in its default configuration. It presents threat actors with an opportunity to bypass traditional payload-delivery security controls, making it a serious concern.
Microsoft Teams is a widely used hosted messaging and file-sharing app, already utilized by an estimated 91% of Fortune 100 organizations before the Covid-19 pandemic. The pandemic further expanded its usage, as many organizations turned to Teams to facilitate communication and collaboration with their remote workforce. While Teams is primarily intended for internal communication within an organization, Microsoft’s default configuration allows users from outside the company to reach out to its employees. This introduces the risk of threat actors leveraging the app to deliver malware.
The exploit works by bypassing client-side security controls that prohibit external tenants from sending files to internal users. By manipulating the internal and external recipient IDs in the POST request, Corbridge and Ellson were able to circumvent this control within 10 minutes. The payload is hosted on a SharePoint domain and appears in the target’s inbox as a file rather than a link. During a red-team exercise, this method proved to be a simpler and more convincing alternative to traditional phishing tactics.
The bug exposes a potentially lucrative avenue for threat actors, as it eliminates the need for socially engineered email messages carrying malicious links or files. Instead, they can purchase a domain similar to the target organization’s and register it with Microsoft 365, creating a legitimate Teams tenancy. This removes the requirement to build complex phishing infrastructure and to rely on employees falling for phishing tactics. Furthermore, the payload delivered through this exploit inherits SharePoint’s trusted reputation, adding another layer of credibility for threat actors.
While the researchers reported the vulnerability to Microsoft, the company stated that it did not meet the criteria for immediate servicing. Consequently, organizations must take their own measures to mitigate this vulnerability. One option is to review whether there is a business requirement for external tenants to message staff and, if not, disable this option in the Microsoft Teams Admin Center. Alternatively, organizations that require communication with external tenants can change the Teams external access settings to allow communication only with specific allowed domains.
Administrators can also educate staff about the risks associated with productivity apps like Teams and provide guidance on avoiding compromise. Additionally, organizations can use web proxy logs to identify staff members who accept external message requests, providing valuable telemetry for mitigation and detection.
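Because the payload described above is hosted on the attacker’s own SharePoint tenant, web proxy logs also record the download itself, not only the acceptance of the message request. The following is an added example, not code from JUMPSEC or Microsoft: it scans constructed proxy log lines in an assumed "timestamp user method url status" layout, extracts the SharePoint tenant label from each request, and flags downloads from tenants the organization does not own. Tenants whose name is within a small edit distance of the organization’s own tenant are reported separately as lookalikes, since the article notes that attackers register domains resembling the target’s. The tenant names and log lines are constructed for illustration.

```python
"""Flag proxy-log downloads from SharePoint tenants the organization does not own."""
import re

# Constructed: the organization's own SharePoint tenant label(s).
# "<tenant>-my.sharepoint.com" (OneDrive) is normalized to "<tenant>".
ORG_TENANTS = {"contoso"}

# Constructed proxy log lines; the column layout is an assumption, not a real product format.
SAMPLE_LOG = """\
2023-06-21T09:14:02Z alice GET https://contoso.sharepoint.com/sites/hr/Shared%20Documents/policy.pdf 200
2023-06-21T09:15:47Z bob GET https://contoso-my.sharepoint.com/personal/bob_contoso_com/Documents/notes.docx 200
2023-06-21T09:16:10Z carol GET https://c0ntoso.sharepoint.com/sites/Payroll/Shared%20Documents/Payroll_June.zip 200
2023-06-21T09:17:33Z dave GET https://fabrikam.sharepoint.com/sites/proj/Shared%20Documents/proposal.pdf 200
2023-06-21T09:18:01Z erin GET https://www.example.com/index.html 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
HOST_RE = re.compile(r"^https?://(?P<host>[^/]+)/", re.IGNORECASE)
SP_HOST_RE = re.compile(r"^(?P<label>[a-z0-9-]+)\.sharepoint\.com$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike tenant names (c0ntoso vs contoso)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sharepoint_tenant(url: str):
    """Return the tenant label for a *.sharepoint.com URL, or None for other hosts."""
    m = HOST_RE.match(url)
    if not m:
        return None
    sp = SP_HOST_RE.match(m.group("host").lower())
    if not sp:
        return None
    label = sp.group("label")
    # OneDrive hosts carry a "-my" suffix; fold them onto the parent tenant.
    return label[:-3] if label.endswith("-my") else label


def classify_tenant(tenant: str, org_tenants, max_distance: int):
    """None for an owned tenant, 'lookalike' if close to an owned name, else 'foreign'."""
    if tenant in org_tenants:
        return None
    closest = min(org_tenants, key=lambda t: edit_distance(tenant, t))
    return "lookalike" if edit_distance(tenant, closest) <= max_distance else "foreign"


def analyze(log_text: str, org_tenants=ORG_TENANTS, max_distance: int = 2):
    """Return one finding per request to a SharePoint tenant the organization does not own."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        tenant = sharepoint_tenant(m.group("url"))
        if tenant is None:
            continue  # not a SharePoint download
        reason = classify_tenant(tenant, org_tenants, max_distance)
        if reason is None:
            continue  # the organization's own tenant
        findings.append({
            "time": m.group("ts"),
            "user": m.group("user"),
            "tenant": tenant,
            "reason": reason,
            "url": m.group("url"),
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['time']} {f['user']:<6} {f['reason']:<9} tenant={f['tenant']} {f['url']}")
```

The lookalike threshold is deliberately small so that ordinary partner tenants are reported as "foreign" rather than drowned in false lookalike alerts; a real deployment would feed `org_tenants` from the tenant inventory and correlate the flagged users with the external message acceptances the paragraph above describes.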
In conclusion, the bug in Microsoft Teams that allows external sources to send files to an organization’s employees represents a significant vulnerability that threat actors can exploit. While Microsoft has not prioritized addressing this issue, organizations can proactively implement mitigations and protections to safeguard against potential attacks. Organizations should stay vigilant and take appropriate measures to ensure the security and integrity of their communication platforms.