Black Arrow Cyber Advisory – 06 July 2023 – Microsoft Teams Vulnerability Allows Malware Delivery from External Accounts
Executive Summary
A vulnerability has been discovered in Microsoft Teams, which allows malicious actors to circumvent the application's built-in restrictions for files originating from external sources. The ‘TeamsPhisher’ application which has been developed by the US Navy’s Red Team which is freely available, takes advantage of this technique to easily allow an attacker to send a malicious attachment to a targeted set of Teams users. Exploiting this vulnerability enables attackers to distribute malware to users using accounts that are external to a targets Microsoft Tennant, posing significant risks to individuals and businesses.
What’s the risk to me or my business?
Exploiting this vulnerability enables malicious actors to engage in social engineering and phishing attacks by leveraging Microsoft Teams as a communication platform. Furthermore, it bypasses all built-in security restrictions, allowing the delivery of malicious payloads directly to users' inboxes. Clicking or launching these payloads can grant attackers further access to your systems, compromising the confidentiality, integrity, and availability of your organization's data.
What can I do?
At this time Microsoft has not yet issued a fix to this problem but has provided the following statement to ‘Bleeping Computer’: “We’re aware of this report and have determined that it relies on social engineering to be successful.
We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”
To mitigate the risk, it is advised that you turn off communication with external tenants. However if this is not possible due to needing to regularly communicate with clients it is advised to change the security settings to only whitelist certain required domains. Both actions can be done in Microsoft Teams Admin Center > External Access. It is important to emphasise within your organisation that phishing attacks can happen in various forms, other than emails. Therefore, it is essential to maintain constant vigilance in all aspects of online communication.
More information on the Microsoft Teams Phishing can be found here:
https://github.com/Octoberfest7/TeamsPhisher
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity