
Microsoft Teams vulnerability enables delivery of malware to employees


A recently discovered bug in Microsoft Teams poses a serious threat to organizations, as it allows attackers to deliver malware directly into employees’ inboxes. Security researchers from Jumpsec found that the default configuration of Microsoft Teams allows users from outside an organization to reach out to staff members. This vulnerability can be exploited through a social engineering pretext, making it highly likely for a malware delivery attack to succeed.

The permissive security controls in many organizations allow external tenants, such as Microsoft 365 (M365) users from other organizations, to message staff directly. This is intended to ease communication with partner organizations and service providers. However, Jumpsec researchers Max Corbridge and Tom Ellson found that the client-side control that blocks sending files to employees of another organization can be bypassed.

By exploiting this vulnerability, an external tenant or attacker can deliver a malicious payload that appears as a downloadable file in the target’s inbox. To raise the odds of success, the attacker could register a domain that resembles the target organization’s, enrol it in M365, and use an email address that mimics a known member of the organization. Although the incoming message is tagged as “External” and the target is warned to be cautious, many employees disregard the warning.

Corbridge emphasized that the vulnerability becomes far more dangerous when combined with social engineering over Teams, since an attacker can easily start a back-and-forth conversation, initiate a call, and share screens. During one real engagement, for example, an IT-technician pretext was used to ask the target to join a call for a “critical software update”. Because the full social engineering pretext was in place, the payload delivered through this vulnerability was implicitly trusted by the target.

One advantage of using Microsoft Teams as a vehicle for malware delivery is that it bypasses modern anti-phishing security controls, especially those related to email. While employees have been cautioned against clicking on links or downloading attachments from unsolicited emails, they often trust identities and messages received via Teams. Attackers have recognized this trust and are exploiting it to their advantage.

The researchers reported their findings to Microsoft, which judged that the vulnerability did not require immediate servicing. Organizations should therefore take preventive measures themselves. Jumpsec advises removing the ability of external tenants to contact employees where it is not needed. Alternatively, organizations can change the security settings so that communication is only permitted with specific domains on an allow-list. It is also essential to educate staff that productivity apps such as Teams, Slack, or SharePoint can be used by attackers for social engineering.
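The two configuration options Jumpsec recommends, audited and applied with the MicrosoftTeams PowerShell module, as an added example that is not part of the article or of Jumpsec’s research; the partner domain names are constructed placeholders, and the module and Teams administrator rights are assumed.

```powershell
# Added example; domain names are constructed placeholders.
# Requires the MicrosoftTeams PowerShell module and a Teams administrator role.
Connect-MicrosoftTeams

# 1. Audit the current posture. The permissive default the article describes is
#    AllowFederatedUsers = $true with an empty AllowedDomains list, i.e. any tenant.
$cfg = Get-CsTenantFederationConfiguration
$cfg | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains, AllowTeamsConsumer

# 2a. When external contact is not needed at all: switch federation off entirely.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 2b. When some partners must stay reachable: keep federation on, but restrict it
#     to an explicit allow-list of partner domains (a blocked-domains list alone
#     would not stop a freshly registered look-alike tenant).
$partnerDomains = @("partner-one.example", "partner-two.example")
$patterns = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 3. Unmanaged (consumer) Teams accounts are governed by a separate switch;
#    close that path too unless there is a business need for it.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false

# 4. Verify: only the partner patterns should now appear under AllowedDomains.
(Get-CsTenantFederationConfiguration).AllowedDomains
```

Option 2a and 2b are alternatives; run whichever matches the organization’s needs, not both.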

Detecting attempts to exploit this vulnerability may be challenging since Microsoft does not currently provide logs that cover potentially malicious events originating from external tenants. Relying on web proxy logs to alert on staff members accepting external message requests offers limited insight.

For now, organizations should address this vulnerability proactively by applying the recommended settings and educating employees about the risks of collaboration platforms such as Microsoft Teams. It is hoped that Microsoft will prioritize a fix and ship the necessary updates in the near future.
