A new tool has emerged on GitHub that takes advantage of a recently identified vulnerability in Microsoft Teams, allowing attackers to automatically deliver malicious files to targeted Teams users within an organization. The tool, called “TeamsPhisher,” operates in environments where an organization allows communication between internal and external Teams users. Rather than relying on the email lures of traditional phishing or social engineering, it delivers payloads directly to victims’ Teams inboxes.
TeamsPhisher, developed by Alex Reid, a member of the US Navy’s Red Team, requires an attachment, a message, and a list of target Teams users. It uploads the attachment to the sender’s SharePoint and systematically iterates through the list of target users. By incorporating a technique discovered by researchers at JUMPSEC Labs, the tool circumvents a security feature in Microsoft Teams that blocks file sharing between users from different organizations.
JUMPSEC researchers Max Corbridge and Tom Ellson found a way to bypass this restriction using the Insecure Direct Object Reference (IDOR) technique. IDOR bugs enable attackers to manipulate a “direct object reference,” such as a database key or query parameter, to maliciously interact with a web application. Corbridge and Ellson exploited an IDOR issue in Teams by switching the ID of the internal and external recipients when submitting a POST request. This allowed them to host payloads on the sender’s SharePoint domain and deliver them to the victim’s Teams inbox. They described the vulnerability as affecting all organizations using Teams in a default configuration and capable of bypassing anti-phishing mechanisms and other security controls. Although Microsoft acknowledged the issue, they did not consider it an immediate priority for fixing.
Reid’s TeamsPhisher tool incorporates JUMPSEC’s techniques and earlier research conducted by independent researcher Andrea Santese on how to exploit Microsoft Teams for initial access. Additionally, it includes techniques from TeamsEnum, a tool for enumerating Teams users previously released on GitHub by a researcher from Secure Systems Engineering GmbH.
TeamsPhisher begins by enumerating a target Teams user and verifying their ability to receive external messages. It then creates a new thread with the target user, utilizing a technique that bypasses the usual “Someone outside your organization messaged you, are you sure you want to view it” splash screen. The tool sends the specified message to the user along with a link to the attachment in SharePoint. The sender can interact with the created thread manually if necessary.
It remains unclear how the release of TeamsPhisher has affected Microsoft’s stance on remedying the bug identified by JUMPSEC. When contacted for comment, Microsoft did not immediately respond. However, JUMPSEC has advised organizations using Microsoft Teams to carefully assess the need for enabling communication between internal Teams users and external tenants. If such communication is unnecessary, tightening security controls and removing the option altogether is recommended.
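As an added example (not from the article, JUMPSEC or the TeamsPhisher project), the following PowerShell audits the Teams tenant federation setting that the advice above concerns and, with `-Enforce`, either removes external chat or limits it to named partner tenants. It assumes the MicrosoftTeams PowerShell module and a Teams administrator session; the partner domain is a placeholder.

```powershell
# Audit (and optionally restrict) Teams external access.
# Assumes: MicrosoftTeams module installed, Teams admin credentials.
param(
    [switch]$Enforce,                                     # apply changes instead of only reporting
    [string[]]$PartnerDomains = @("partner.example.com")  # placeholder allow-list; empty = no external chat
)

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

$cfg = Get-CsTenantFederationConfiguration

# A default tenant federates with every external Microsoft 365 tenant and
# accepts personal Teams accounts; open federation is the precondition the
# article describes for external-to-internal delivery.
$allowed        = $cfg.AllowedDomains.AllowedDomain        # $null when all domains are allowed
$openFederation = $cfg.AllowFederatedUsers -and ($allowed.Count -eq 0)
$consumerChat   = $cfg.AllowTeamsConsumer

Write-Host "AllowFederatedUsers : $($cfg.AllowFederatedUsers)"
Write-Host "AllowedDomains      : $(if ($allowed) { $allowed.Domain -join ', ' } else { '<all domains>' })"
Write-Host "AllowTeamsConsumer  : $consumerChat"

if ($openFederation) { Write-Warning "External access is open to all tenants (default configuration)." }
if ($consumerChat)   { Write-Warning "Chat with personal Teams accounts is enabled." }

if ($Enforce) {
    if ($PartnerDomains.Count -eq 0) {
        # No business need for external chat: remove the option altogether.
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false -AllowTeamsConsumer $false
    } else {
        # Keep external chat only with the named partner tenants.
        $patterns  = $PartnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
        $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
            -AllowedDomains $allowList -AllowTeamsConsumer $false
    }
    # Re-read so the operator sees the effective settings, not the requested ones.
    Get-CsTenantFederationConfiguration | Format-List AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer
}
```

Run it without `-Enforce` first; the warnings show whether the tenant is still in the default open configuration the researchers tested against.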
The emergence of TeamsPhisher highlights the importance of continuous vigilance in identifying and addressing vulnerabilities across all communication platforms. As organizations increasingly rely on collaboration tools like Microsoft Teams, it is crucial to stay updated on potential security risks and proactively implement measures to protect against evolving cyber threats.

