IT security researchers have discovered a vulnerability in Teams that makes it easy for attackers to send malware to potential victims. The attack bypasses traditional phishing protection, and a fix is not trivial at present.
Normally, malicious actors first have to socially engineer and phish their victims to plant malicious code on their systems. According to IT researchers from Jumpsec, however, the default configuration of Teams allows malicious code to be sent without any such effort.
The default configuration of Teams allows users outside the organisation to contact its employees, which enables a new social engineering approach. Although Teams labels such contacts as “external” and even shows a warning, experience has shown that 95 percent of users ignore it.
In Teams, users can send files that appear directly in the chat, where internal contacts can click and execute them. External contacts cannot do this, but the filtering takes place on the client side, and that is the problem. Because the server does not check the object references, the restriction can be circumvented by swapping the internal and external recipient IDs in a POST request.
IT security researchers call this class of vulnerability insecure direct object references (IDOR). Criminals could easily find victims using typosquatting domains, i.e. domains that closely resemble the target company's own domain, and foist malicious code on them. Jumpsec has successfully tested this in a pentest with customers.
Microsoft has confirmed the vulnerability but does not consider it serious enough for an immediate security update. The researchers suggest checking whether contact from external users to the organisation's own Teams users is actually required; if not, access can be restricted in the Teams Admin Center under “External Access”. It is also possible to limit external access to specific partner domains that are explicitly allowed. In all cases, the Teams log files should be monitored for indications of external access.
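The same “External Access” settings can be audited and changed from PowerShell, which is easier to review and repeat than clicking through the Admin Center. The following is an added example, not code from the article, from Jumpsec or from Microsoft; it uses the MicrosoftTeams PowerShell module's `Get-CsTenantFederationConfiguration` and `Set-CsTenantFederationConfiguration` cmdlets, and `partner.example` is a placeholder for a real partner tenant's domain.

```powershell
# Added example (not from the article): audit and tighten Teams external access
# with the MicrosoftTeams PowerShell module. Requires Teams administrator rights.
# 'partner.example' is a placeholder for a real partner domain.
Connect-MicrosoftTeams

# 1. Audit the current state. The weak (default) state is AllowFederatedUsers = True
#    with no domain restriction, i.e. any external tenant may initiate contact.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                        AllowTeamsConsumer, AllowPublicUsers

# 2a. Corrected setting, strict variant: no external contact at all.
#     Use this if the check in the article shows external contact is not required.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 2b. Corrected setting, allowlist variant: keep external chat, but only with
#     named partner tenants. Run this instead of 2a, not in addition to it.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @{Add = 'partner.example'}

# 3. Also close the consumer-account paths (Teams personal accounts and Skype
#    consumer users), which are separate switches from tenant federation.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowPublicUsers $false

# 4. Re-read the configuration to confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowPublicUsers
```

Step 1 is worth keeping as a scheduled check on its own: if the output ever drifts back to `AllowFederatedUsers = True` with no allowlist, the exposure described in the article has returned, regardless of how it was changed.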
This is not the first vulnerability found in Teams. Last fall, it came to light that Teams stored Microsoft tokens in plain text, which allowed attackers to access users' Microsoft services.