Microsoft Teams Exploit Tool Auto-Delivers Malware

The “TeamsPhisher” cyberattack tool gives pentesters — and adversaries — a way to deliver malicious files directly to a Teams user from an external account, or tenant.

A new tool is available on GitHub that gives attackers a way to leverage a recently disclosed vulnerability in Microsoft Teams and automatically deliver malicious files to targeted Teams users in an organization.

The tool, dubbed “TeamsPhisher,” works in environments where an organization allows communications between its internal Teams users and external Teams users — or tenants. It allows attackers to deliver payloads directly into a victim’s inbox without relying on a traditional phishing or social engineering scam to get it there.

“Give TeamsPhisher an attachment, a message, and a list of target Teams users,” said the tool’s developer Alex Reid, a member of the US Navy’s Red Team, in a description of the tool on GitHub. “It will upload the attachment to the sender’s Sharepoint and then iterate through the list of targets.”

Fully Automated Cyberattack Flows

TeamsPhisher incorporates a technique that two researchers at JUMPSEC Labs recently disclosed for getting around a security feature in Microsoft Teams. While the collaboration app allows communications between Teams users from different organizations, it blocks the sharing of files between them.

JUMPSEC researchers Max Corbridge and Tom Ellson found a relatively easy way to bypass this restriction, using what is known as the Insecure Direct Object Reference (IDOR) technique. As security vendor Varonis noted in a recent blog post, “IDOR bugs allow an attacker to maliciously interact with a Web application by manipulating a ‘direct object reference’ such as a database key, query parameter, or filename.”

Corbridge and Ellson found they could exploit an IDOR issue in Teams simply by switching the ID of the internal and external recipient when submitting a POST request. The two researchers discovered that when a payload is sent in this manner, the payload is hosted on the sender’s SharePoint domain and arrives in the victim’s Teams inbox. Corbridge and Ellson identified the vulnerability as affecting every organization running Teams in a default configuration and described it as something an attacker could use to bypass anti-phishing mechanisms and other security controls. Microsoft acknowledged the issue but assessed it as something not deserving of an immediate fix.

TeamsPhisher Incorporates Multiple Attack Techniques

Reid described his TeamsPhisher tool as incorporating JUMPSEC’s techniques as well as some earlier research on how to leverage Microsoft Teams for initial access by independent researcher Andrea Santese. It also incorporates techniques of TeamsEnum, a tool for enumerating Teams users, that a researcher from Secure Systems Engineering GmbH had previously released to GitHub.

According to Reid, the way TeamsPhisher works is to first enumerate a target Teams user and verify that the user can receive external messages. TeamsPhisher then creates a new thread with the target user. It uses a technique that allows the message to arrive in the target’s inbox without the usual “Someone outside your organization messaged you, are you sure you want to view it” splash screen, Reid said.

“With the new thread created between our sender and the target, the specified message will be sent to the user along with a link to the attachment in Sharepoint,” he noted. “Once this initial message has been sent, the created thread will be visible in the sender’s Teams GUI and can be interacted with manually, if need be, on a case-by-case basis.”

Microsoft did not immediately respond to a Dark Reading request seeking comment on whether the release of TeamsPhisher might have changed its stance on remediating the bug that JUMPSEC found. JUMPSEC itself has urged organizations using Microsoft Teams to review whether there is any business need for enabling communications between internal Teams users and external tenants.

“If you are not currently using Teams for regular communication with external tenants, tighten up your security controls and remove the option altogether,” the company has advised.
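The advice above amounts to reviewing, and where there is no business need removing, the tenant-level external access (federation) setting that lets other Teams tenants message internal users. The following PowerShell script is an added example, not code from the article, from JUMPSEC, or from the TeamsPhisher project: it reports the current federation configuration and, only when run with -Apply, either disables external access entirely or restricts it to an explicit allow list. It assumes the MicrosoftTeams PowerShell module is installed and that the caller holds a Teams administrator role; the domain names passed in are placeholders for your own partner list.

```powershell
# Added example (not from the article or JUMPSEC): review and optionally tighten
# the Teams external-access (federation) settings the JUMPSEC advisory refers to.
# Assumes the MicrosoftTeams module and a Teams administrator role.
# Default mode is report-only; nothing changes unless -Apply is supplied.
param(
    [switch]$Apply,                    # actually change settings (default: report only)
    [string[]]$AllowedDomains = @()    # placeholder partner list, e.g. 'partner.example'
)

Import-Module MicrosoftTeams -ErrorAction Stop
Connect-MicrosoftTeams | Out-Null

$fed = Get-CsTenantFederationConfiguration

# Settings that govern whether users in other tenants can start a chat with internal users.
[pscustomobject]@{
    AllowFederatedUsers = $fed.AllowFederatedUsers   # any external Teams/Skype for Business tenant
    AllowPublicUsers    = $fed.AllowPublicUsers      # Skype consumer accounts
    AllowTeamsConsumer  = $fed.AllowTeamsConsumer    # personal (consumer) Teams accounts
    AllowedDomains      = $fed.AllowedDomains        # explicit allow list, or "all known domains"
} | Format-List

if (-not $Apply) {
    Write-Host 'Report only. Re-run with -Apply to change the settings shown above.'
    return
}

if ($AllowedDomains.Count -eq 0) {
    # No business need for external tenants: remove the option altogether.
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                        -AllowPublicUsers $false `
                                        -AllowTeamsConsumer $false
}
else {
    # External communication is needed: keep federation but limit it to named partner domains.
    $patterns  = $AllowedDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                        -AllowedDomains $allowList `
                                        -AllowPublicUsers $false `
                                        -AllowTeamsConsumer $false
}

# Read the configuration back so the change can be verified and recorded.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer, AllowedDomains
```

Run it once without -Apply to capture the current state for the change record, then with -Apply (and, if external collaboration is genuinely required, with -AllowedDomains) after the business review the article describes. Restricting to an allow list narrows the set of tenants that can reach internal inboxes at all; turning federation off removes the external-tenant path entirely, which is the option JUMPSEC recommends where it is not in regular use.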

(c) Jai Vijayan
