A security flaw in the latest version of Microsoft Teams has been discovered by Max Corbridge and Tom Ellson, members of JUMPSEC’s Red Team. This vulnerability has the potential to allow malware to be injected into organizations that rely on the default configuration of Microsoft Teams.
Microsoft Teams is a popular platform used by more than 280 million active users every month for communication and collaboration within organizations. However, this newly discovered flaw raises concerns about the security of the platform.
The flaw enables threat actors to bypass client-side security controls, which typically prevent users outside the organization from sending files to internal users. In a report, Corbridge explained that the communication bridge they uncovered is particularly concerning because it allows harmful content to be sent directly to someone’s email, which is more powerful than simply tricking them.
To exploit this vulnerability, the Red Team members altered the recipient ID in the POST request of a message, swapping the internal and external recipient values. By tricking the system into treating an external user as an internal one, they were able to deliver a command-and-control payload to the inbox of a target organization as part of their red team exercise.
This discovery raises concerns about the ease with which attackers can infect organizations using Microsoft Teams. By bypassing security measures and anti-phishing training, attackers can exploit the default configuration of the platform. They can register a domain similar to the target’s Microsoft 365 domain and craft messages that appear internal rather than external, increasing the chances of the target unknowingly downloading a malicious file.
Upon receiving notification of the flaw, Microsoft acknowledged its existence but deemed it to not meet the threshold for immediate action. This response has raised questions about the urgency with which Microsoft intends to address the issue.
In the meantime, organizations that do not regularly communicate with external users through Microsoft Teams should consider disabling the feature to minimize the risk. This can be done by accessing the Microsoft Teams Admin Center and disabling chat with external unmanaged Teams users. Additionally, organizations can establish an allow-list for specific domains to mitigate the risks associated with external communication.
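As a worked example of the two mitigations just described, here is the same change applied through the MicrosoftTeams PowerShell module rather than the Admin Center. This is an added example, not part of the JUMPSEC report or this article; the partner domain names are placeholders, and the script assumes a Teams administrator account.

```powershell
# Added example: harden Teams external access as the article recommends,
# using the MicrosoftTeams PowerShell module (Install-Module MicrosoftTeams).
# Assumes a Teams administrator account; the domains below are placeholders.
Connect-MicrosoftTeams

# 1. Record the current federation settings before changing anything.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowTeamsConsumer, AllowTeamsConsumerInbound,
                        AllowFederatedUsers, AllowedDomains

# 2. Disable chat with external unmanaged (consumer) Teams accounts,
#    including inbound requests they initiate.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 3. Restrict federation with other Microsoft 365 tenants to an allow-list.
#    Tenants not listed here can no longer message your users over Teams.
$partnerDomains = @('partner-one.example', 'partner-two.example')  # placeholders
$patterns  = foreach ($d in $partnerDomains) { New-CsEdgeDomainPattern -Domain $d }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                    -AllowedDomains $allowList

# 4. Verify that the change took effect.
$after = Get-CsTenantFederationConfiguration
if ($after.AllowTeamsConsumer) { Write-Warning 'Consumer Teams chat is still enabled.' }
Write-Host 'Allowed federated domains:'
$after.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain }
```

Step 3 replaces any existing allow-list wholesale, so include every partner tenant the organization still needs to reach before running it.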
This vulnerability serves as a stark reminder of the importance of regular security audits and updates for all software, even those from well-established companies like Microsoft. It also highlights the critical role that red team exercises play in identifying weaknesses in security systems before attackers can exploit them.
Organizations that rely on Microsoft Teams should remain vigilant and implement additional security measures to protect themselves from potential attacks. As the cyber threat landscape continues to evolve, it is crucial for both software developers and users to stay one step ahead by prioritizing security and actively working to address vulnerabilities.