A potential vulnerability has been discovered in Microsoft Teams, which could be exploited to deliver malware. Security researchers at Jumpsec found a way to inject malware into an organization’s network using the popular video conferencing and collaboration software Microsoft Teams. Malware can be injected even from a Teams account that belongs to an external user.
By taking advantage of default app configurations, this attack relies on the capability of an organization’s Microsoft Teams client to accept communications from external tenants – in other words, to Teams accounts outside of the organization. While the exploit could be used for social engineering and phishing attacks, it can also be used to bypass Teams default and built-in protections against files from external tenant’s users, allowing the delivery of malware content.
The security researchers uncovered a method to bypass these restrictions by modifying the recipient ID, both internally and externally in the POST request of a message. By tricking Teams into detecting an external account as internal, they successfully managed to deliver a command and control app to another organization’s inbox, executing a covert operation.
What makes this vulnerability particularly concerning is that hackers don’t have to use convincing phishing messages to deceive their victims. Once they register a domain similar to the target organization’s, employees might believe by mistake that a link originates from their company, leading them to download the malicious content.
Upon reporting the exploit to Microsoft, the Redmond giant responded that it does not consider the vulnerability to be of instant concern, indicating a relatively low-risk assessment. Microsoft still did not confirm when a patch will be released to address this issue.
To mitigate this risk, organizations have the option to disable communication with external tenants through the Microsoft Teams Admin Center, specifically by adjusting the External Access settings. And while blocking all external communications for many organizations might not be desirable, administrators can choose to only allow communication with trusted domains by adding them to an allowed list.
The researchers have also submitted their findings to the Microsoft Teams feedback portal, where users can vote on the post in order to prompt Microsoft to address this issue with greater urgency.