During their test, researchers from JUMPSEC managed to trick Microsoft Teams’ security mechanism into sending malware to the organization’s inbox by making it think that an external user was internal.
JUMPSEC’s Red Team members, Max Corbridge and Tom Ellson have discovered a security vulnerability in the External Tenants feature of Microsoft Teams that allows malware to be directly delivered to an organization’s employees. Attackers can inject malware into any system that uses Microsoft Teams’ default configurations and leverage the flaw to bypass almost all conventional payload delivery security measures.
With over 280 million users, Microsoft Teams is widely used by businesses globally, and before COVID-19, 91 of the Fortune 1000 organizations relied on Teams. Any of these organizations running the default configuration is potentially exposed to this vulnerability.
Many organizations allow permissive security controls for Microsoft 365 users (external tenants) to enable communication with service providers, third parties, and employees of other organizations through MS Teams. Users from one tenancy can exchange messages with users from another tenancy.
By default, however, users from external tenants cannot send files to internal users; that restriction is enforced by client-side security controls. This vulnerability allows threat actors to bypass those client-side controls and send malware to employees’ MS Teams inboxes. The message still appears with an External banner, but some users may be tricked into clicking on it anyway.
Corbridge and Ellson exploited the flaw by altering the recipient IDs in the POST request that sends a message, swapping the internal and external recipient IDs. This tricked the system into labelling an external user as internal. The researchers then successfully delivered a C2 payload to their target organization’s inbox.
“Exploitation of the vulnerability was straightforward using a traditional IDOR technique of switching the internal and external recipient ID on the POST request,” researchers wrote in a blog post.
The researchers also found that if they register a domain similar to their target’s Microsoft 365 domain, they can create messages that appear internal, increasing the likelihood of the target downloading the payload without suspecting anything. To do this, they use an email address that mimics the address of a known member of the target company.
“When this vulnerability is combined with social engineering via Teams, it becomes very easy to start a back-and-forth conversation, jump on a call, share screens, and more,” Corbridge explained.
The technique is notable because it bypasses anti-phishing security mechanisms, particularly those tied to email. While employees may ignore unsolicited emails, they are far less likely to suspect a message that arrives through Teams.
Microsoft was notified about the flaw and acknowledged it. However, the issue did not meet its threshold for immediate intervention, so a fix may take some time to arrive.
Until this issue is fixed, organizations that rely on Microsoft Teams to communicate with external users should disable the External Access feature by opening the Microsoft Teams Admin Center and turning off the option to chat with external unmanaged Teams users.
Alternatively, you can create an allow-list of trusted domains, which prevents exploitation from arbitrary tenants without cutting off the external communication channels you actually need.
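The two mitigations above can also be applied from PowerShell, which makes them auditable and repeatable across tenants. The following is an added example written for this page, not code from the article or from JUMPSEC; it assumes the MicrosoftTeams PowerShell module is installed, that the account used holds a Teams administrator role, and that the domain names are placeholders to be replaced with the partners your organization actually trusts.

```powershell
# Added example (not from the article or JUMPSEC): tighten Teams external access
# with the MicrosoftTeams PowerShell module. Requires a Teams administrator account.
# Domain names below are placeholders; replace them with the partners you trust.

Connect-MicrosoftTeams

# 1. Record the current federation settings so the change can be reviewed or reverted.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains

# 2. Block chat with unmanaged (personal) Teams accounts in both directions.
#    This is the "chat with external unmanaged Teams users" switch from the admin center.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# 3. Replace the default "allow every external domain" setting with an explicit allow-list.
#    Only tenants on this list can message internal users; all other tenants are refused.
$trusted = @('partner-one.example', 'msp.example')   # placeholder domains
$patterns = foreach ($d in $trusted) { New-CsEdgeDomainPattern -Domain $d }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowedDomains $allowList

# 4. Verify: AllowedDomains should now list only the trusted domains and both
#    consumer flags should read False.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains
```

The snapshot taken in step 1 is worth keeping with your change record, since the allow-list replaces the tenant-wide setting rather than adding to it. Step 4 is the check a reviewer would want to see: if AllowedDomains still reports "AllowAllKnownDomains", the allow-list was not applied and external tenants can still reach your users.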