TeamsPhisher: New tool exploits vulnerability in MS Teams to send malware
by Tina Siering
IT security researcher publishes Python script on GitHub
As recently became known, Microsoft Teams has a vulnerability that lets attackers upload malicious code to their own SharePoint with little effort and deliver it to a list of recipients via Teams chat. The insidious part is that, although the sender is external to the organisation, the flaw lets the malware appear in the chat directly as an executable, clickable file attachment rather than merely as an external link.
The Python script TeamsPhisher was recently published on GitHub and makes such attacks convenient and easy. It was apparently written by a pentester on the US Navy's red team. The tool is intended to upload the malicious payload to the attacker's own SharePoint and send it to an arbitrary list of recipients via Teams chat, and it will obviously not be used by pentesters alone.
How TeamsPhisher works
The vulnerability in Microsoft Teams allows malware to be presented as a file directly in the chat. Whereas the inhibition threshold for clicking is presumably higher for external links, the usual way of exchanging data between members of different organisations, it is lower for a file that arrives in the chat itself.
TeamsPhisher manipulates the requests to the Teams servers in a targeted way: in the POST request that sends the message, the IDs of the internal and the external recipient are swapped. The restriction on files from external senders is enforced only on the client; the Teams servers do not validate the object references in the request but accept them as sent. TeamsPhisher users, however, do not need to know any of these technical details. All the tool needs is an attachment laced with malware, an enticing message for the recipients and a list of target Teams users. It uploads the attachment to the sender's SharePoint, works through the list of Teams users and verifies that the named users actually exist and can receive external messages. It then automatically opens a chat with each victim and sends the prepared message together with the attachment.
Experienced Teams users will have noticed the warning Teams shows when a message arrives from outside their own organisation. TeamsPhisher gets around it with a simple but effective trick: it addresses the message to the victim twice, which makes Teams create a group chat instead of a one-to-one chat, and for a group chat the warning is not shown at all.
Microsoft commented on the disclosure by stating that the method relies on social engineering to succeed:
"We encourage our customers to adopt good habits when using computers online. This includes [users] exercising caution when clicking on links to websites, opening unknown files or accepting file transfers," a Microsoft spokesperson said in a statement to Bleeping Computer. In other words, Microsoft sees Teams users as having a responsibility to "Think first, click later!"
Security holes in Microsoft products are often closed on the next Patch Tuesday. The company has not yet said whether that will be the case for the Teams vulnerability that TeamsPhisher exploits.
Beware of unknown files (and of unknown senders): at the moment this applies in particular to MS Teams as well!
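Until a fix arrives, the precondition the attack depends on, an arbitrary external tenant being allowed to open a chat with your users, can be removed at tenant level through Teams' external access (federation) settings. The following PowerShell snippet is an added example and is not part of the original article or of the TeamsPhisher tool; it uses the federation cmdlets of the Microsoft Teams PowerShell module, and the partner domain names in it are placeholders.

```powershell
# Added example: audit and restrict Teams external access (federation),
# which TeamsPhisher relies on. Requires the MicrosoftTeams PowerShell module
# and a Teams administrator account. Domain names below are placeholders.
Connect-MicrosoftTeams

# 1. Check the current state. If AllowFederatedUsers is True and AllowedDomains
#    reads AllowAllKnownDomains (the default), any external tenant, including one
#    an attacker created a minute ago, can start a chat with your users.
$cfg = Get-CsTenantFederationConfiguration
$cfg | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains, BlockedDomains

# 2. Narrow external access to an explicit allow list of partner domains.
#    Tenants not on the list can no longer open a chat with, or send files to,
#    your users. Note: this replaces any existing allow list.
$partners = @("partner-one.example", "partner-two.example") |
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $partners
Set-CsTenantFederationConfiguration -AllowedDomains $allowList

# 3. Also stop unmanaged (personal) Teams accounts from contacting your users;
#    they are another entry point for an attacker who does not control a tenant.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false

# Verify that the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains
```

An allow list is the middle ground: it keeps chat with known partners working while shutting out everyone else. Organisations that do not need external chat at all can go further with `Set-CsTenantFederationConfiguration -AllowFederatedUsers $false`; organisations that must keep federation open get no protection from this setting and remain dependent on the user awareness Microsoft points to.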