Microsoft Teams Vulnerability Could Deliver Malware Directly to Employee Inboxes


In a recent development, researchers from JUMPSEC have discovered a security flaw in Microsoft Teams that could potentially allow malware to be delivered directly to an organization’s employees. The vulnerability lies in the External Tenants feature of Microsoft Teams, which, if exploited, could bypass most conventional payload delivery security measures.

Microsoft Teams, with over 280 million users worldwide, is a popular communication tool among businesses. Before the COVID-19 pandemic, 91 of the Fortune 1000 organizations relied on Teams, making this vulnerability a significant threat to these businesses.

Typically, organizations configure permissive controls for users from other Microsoft 365 tenants (external tenants) so that employees can communicate with service providers, third parties, and staff of other organizations through MS Teams. Users in one tenancy can exchange messages with users in another tenancy. By default, however, external tenants cannot send files to internal users unless the client-side security controls are bypassed. The discovered vulnerability allows threat actors to bypass these controls and send malware to employees’ MS Teams inboxes.

Max Corbridge and Tom Ellson, members of JUMPSEC’s Red Team, exploited the flaw by altering the recipient ID in the POST request of a message, the same request used for both internal and external recipients. This tricked the system into labeling an external user as internal, enabling them to deliver a C2 payload into the targeted organization’s Teams inbox.

The researchers also found that by registering a domain similar to their target’s Microsoft 365 domain, they could craft messages that appear to come from inside the organization, increasing the likelihood that the target downloads the payload without suspecting anything is wrong.

This vulnerability is unusual in that it bypasses the anti-phishing security mechanisms organizations rely on, especially those tied to email. While employees may ignore unsolicited emails, they would not suspect a message arriving from a Teams account.

Microsoft has been notified about the flaw, and the tech giant acknowledged it. However, this issue did not meet its threshold for immediate intervention. Therefore, the company may take some time to address this issue.

In the meantime, organizations that rely on Microsoft Teams to communicate with external users should disable the External Access feature by opening the Microsoft Teams Admin Center and turning off the option to chat with external unmanaged Teams users. Organizations that still need external communication can instead create an allow-list of the specific domains they trust, which prevents exploitation without cutting off those channels.
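The same two mitigations applied from PowerShell rather than the Admin Center, as an added example that is not part of the original article or of JUMPSEC’s research. It assumes the MicrosoftTeams PowerShell module and its `Get-CsTenantFederationConfiguration` / `Set-CsTenantFederationConfiguration` cmdlets; the partner domain names are placeholders.

```powershell
# Added example: restrict Teams external access with the MicrosoftTeams module.
# Assumes Connect-MicrosoftTeams succeeds with a Teams administrator account.
# Domain names below are placeholders, not values from the article.
Connect-MicrosoftTeams

# 1. Record the current federation settings so the change can be reviewed or reverted.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains

# 2. Block chat with unmanaged (consumer) Teams accounts, the Admin Center
#    option the article recommends disabling.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# 3. Keep federation with other Microsoft 365 tenants, but only for an explicit
#    allow-list of partner domains instead of every external tenant.
#    (Setting -AllowFederatedUsers $false instead would disable external access entirely.)
$trustedPartners = @("partner-one.example", "partner-two.example")   # placeholders
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList @{Add = $trustedPartners}

# 4. Verify: AllowTeamsConsumer should now be False and AllowedDomains should
#    list only the partner domains added above.
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains
```

Compare the output of step 4 against the snapshot from step 1 before closing the change; a lookalike domain registered by an attacker will not be on the allow-list, so messages from it are refused at the tenant boundary.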