A member of U.S. Navy’s red team has published a tool called TeamsPhisher that leverages an unresolved security issue in Microsoft Teams to bypass restrictions for incoming files from users outside of a targeted organization, the so-called external tenants.
The tool exploits a problem highlighted last month by Max Corbridge and Tom Ellson of UK-based security services company Jumpsec, who explained how an attacker could easily go around Microsoft Teams’ file-sending restraints to deliver malware from an external account.
The feat is possible because the application has client-side protections that can be tricked into treating an external user as an internal one just by changing the ID in the POST request of a message.
Streamlining attacks on Teams
‘TeamsPhisher’ is a Python-based tool that provides a fully automated attack. It integrates the attack idea of Jumpsec’s researchers, techniques developed by Andrea Santese, and authentication and helper functions from Bastian Kanbach’s ‘TeamsEnum’ tool.
“Give TeamsPhisher an attachment, a message, and a list of target Teams users. It will upload the attachment to the sender’s Sharepoint, and then iterate through the list of targets,” reads the description from Alex Reid, the developer of the red team utility.
TeamsPhisher first verifies the existence of the target user and their ability to receive external messages, which is a prerequisite for the attack to work.
It then creates a new thread with the target, sends them a message with a Sharepoint attachment link. The thread appears in the sender’s Teams interface for (potential) manual interaction.
TeamsPhisher requires users to have a Microsoft Business account (MFA is supported) with a valid Teams and Sharepoint license, which is common for many major companies.
The tool also offers a “preview mode” to help users verify the set target lists and to check the appearance of messages from the recipient’s perspective.
Other features and optional arguments in TeamsPhisher could refine the attack. These include sending secure file links that can only be viewed by the intended recipient, specifying a delay between message transmissions to bypass rate limiting, and writing outputs to a log file.
Unsolved problem
The issue that TeamsPhisher exploits is still present and Microsoft told Jumpsec researchers that it did not meet the bar for immediate servicing.
BleepingComputer also reached out to the company last month for a comment about plans to fix the problem but did not receive a response. We reiterated our request for comment from Microsoft but did not receive a reply at publishing time.
Although TeamPhisher was created for authorized red team operations, threat actors can also leverage it to deliver malware to target organizations without setting off alarms.
Until Microsoft decides to take action about this, organizations are strongly advised to disable communications with external tenants if not needed. They can also create an allow-list with trusted domains, which would limit the risk of exploitation.