Microsoft Teams Vulnerability allows Malware Delivery from External Accounts

A vulnerability in Microsoft Teams, the popular virtual meeting and collaboration software by Microsoft, allows external accounts to share and distribute malware on the platform. In its default configuration, malware can be delivered by bypassing the client-side security controls that prevent external tenants from sending files.

The bug was discovered by a pair of security researchers, Max Corbridge and Tom Ellson, members of JumpSec. The pair support red team efforts at the UK-based company.

Microsoft Teams has over 280 million monthly active users and is used by top organizations globally.

Analysis of the Teams Malware Vulnerability

Just in case you thought this may affect only a small subset of Teams deployments, you’d be mistaken.

By default, the Teams platform allows any user with a Microsoft account to reach out to what the company refers to as “external tenancies.” External tenancies can be any organization using the Teams platform and can send messages, files, or other multimedia to other Teams tenancies.

Essentially, this allows Teams deployments to “federate” with one another, so that any Microsoft account can message any other Microsoft Teams user. Without federation, a user would have to register an account on every Teams deployment they wanted to reach.

Sean Metcalf, founder of Trimarc, a security firm specializing in the security of Microsoft Active Directory, Azure, Microsoft 365, and VMware solutions. (Source: Twitter)

When an external Teams tenancy account tries to send a file to another Teams tenancy account, a banner appears next to the name with a small “External” marker next to the time of the message. While many people would note the “External” notice in the alert, it isn’t prominent enough.

A Microsoft Teams alert notification showing that a message request is external

So what happens when file sharing and communication with external tenants is bypassed?

The JumpSec security researchers discovered that the security controls could be bypassed client-side.

By altering the internal and external recipient IDs in the POST request, the researchers could send a file that is actually hosted on a SharePoint domain, and the target downloads it from there. To the target, the file appears in the chat inbox as a file, not as a link.

A Microsoft Teams user receiving malware in a chat that appears as a file within their chat inbox and not a link. This provides malicious cyber actors a much more convenient way to deliver a payload instead of traditional phishing techniques. (Source: JumpSec)

Impact of the Teams Malware Bug

As the JumpSec security researchers highlight, this is a huge deal because it bypasses conventional anti-phishing security controls. It’s deceptive to all but the most paranoid computer users, with the file embedding itself in the chat inbox and not a suspicious-looking link to a file download.

The payload is now hosted on a trusted SharePoint domain and arrives in the target’s Teams chat inbox.

If used in an IT help desk scenario, as the researchers mention, it is entirely plausible that a significant number of users would fall victim to this attack.

How to detect and remediate this attack

Despite the pair of researchers disclosing the vulnerability to Microsoft, there is no immediate intent by Microsoft to patch the bug. This is surprising and disappointing, as the reach of Teams across major organizations and government entities globally is enormous.

The team at JumpSec has provided guidance on how to define custom detections.

At the very least, all organizations are strongly encouraged to remove communication with external tenants altogether. That can be accomplished by going to the Microsoft Teams Admin Center and disabling it under “External Access.”
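The same change can be scripted rather than clicked through in the Admin Center. The block below is an added example written for this article, not code from JumpSec or Microsoft; it assumes the MicrosoftTeams PowerShell module is installed and that the signed-in account holds a Teams administrator role. It goes slightly beyond the article's advice by also showing the allow-list alternative for tenants that must keep a few partner organizations reachable; the domain name in it is a placeholder.

```powershell
# Added example (not from the article or JumpSec): restrict Teams external
# access from PowerShell instead of the Teams Admin Center UI.
# Assumes: MicrosoftTeams module installed, Teams admin rights on the account.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Option 1: what the article recommends. Turn off federation with other
# Microsoft 365 tenants and with consumer (personal) Teams accounts.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $false `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# Option 2 (alternative to Option 1): keep federation, but only with an
# explicit list of partner domains. "partner.example" is a placeholder.
# $partner   = New-CsEdgeDomainPattern -Domain "partner.example"
# $allowList = New-CsEdgeAllowList -AllowedDomain @($partner)
# Set-CsTenantFederationConfiguration `
#     -AllowFederatedUsers $true `
#     -AllowedDomains $allowList `
#     -AllowTeamsConsumer $false `
#     -AllowTeamsConsumerInbound $false

# Read the configuration back and report whether the tenant is still open to
# arbitrary external tenants, so the change can be verified (and audited).
$cfg = Get-CsTenantFederationConfiguration

$openToAnyTenant   = $cfg.AllowFederatedUsers -and
                     ($cfg.AllowedDomains.GetType().Name -eq 'AllowAllKnownDomains')
$openToConsumers   = $cfg.AllowTeamsConsumer -or $cfg.AllowTeamsConsumerInbound

if ($openToAnyTenant -or $openToConsumers) {
    Write-Warning "External access is still open: any tenant=$openToAnyTenant, consumer accounts=$openToConsumers"
} else {
    Write-Host "External access is disabled or limited to an explicit allow-list."
}
```

The read-back step matters: federation settings can take some time to propagate, and a configuration that was set by someone else earlier in the day is easy to assume rather than confirm. Running the script periodically, or at least after any Admin Center change, gives a simple drift check for the setting the article singles out.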

The Microsoft 365 platform has increasingly come under the microscope lately with cybersecurity concerns and numerous distributed denial of service (DDoS) attacks.

Microsoft has just announced it will no longer integrate Teams with Windows 11 and stop bundling Teams with 365.
