US Navy, one of the red team members, recently released “TeamsPhisher,” a tool that exploits the Microsoft Teams’ security flaw that is not fixed to bypass the incoming file restrictions from external tenants.
This new tool allows attackers to deliver malicious files to specific organization’s Teams users automatically, and it’s currently available on GitHub.
By altering the ID in a POST request, the application’s client-side protections can be deceived, enabling external users to be perceived as internal, which makes this possible
This tool operates seamlessly in environments permitting communication between internal and external Teams users.
Attackers leverage this tool to deliver the payloads to a victim’s inbox directly, bypassing the need for traditional tactics like:-
TeamsPhisher is a Python3 program that is completely based on the Python programming language and is mainly designed to give the operator the ability to perform automated attacks.
Combining Jumpsec researchers’ attack concept, Andrea Santese’s techniques, and authentication/helper functions from Bastian Kanbach’s ‘TeamsEnum‘ tool; it integrates a unique approach.
Max Corbridge and Tom Ellson, cybersecurity researchers at JUMPSEC, discovered a simple workaround that is dubbed the “IDOR” technique.
Varonis, a security vendor, highlighted the potential of IDOR and how it empowers attackers to manipulate web apps via direct object references like:-
- Database key
- Query parameter
- Filename
Before proceeding with the attack, TeamsPhisher validates the target user’s presence and their capacity to receive external messages, a crucial prerequisite.
Next, with the target, it generates a fresh thread, and then a message containing a Sharepoint attachment link is dispatched by it.
For successful utilization of TeamsPhisher, a valid Teams and Sharepoint license is mandatory for users, typically found in the Microsoft Business account (MFA supported), a widespread requirement in numerous prominent organizations.
While the tool includes “preview mode” for target list verification and message appearance check. Additional features and optional arguments in TeamsPhisher enhance the attack with the following capabilities:-
- Secure file links for the intended recipient only
- Transmission delay to bypass rate limiting
- Log file output
Despite Microsoft being informed by Jumpsec researchers, the issue exploited by TeamsPhisher remains unresolved as Microsoft affirmed that it was not immediately eligible for the fixing criteria.
While originally this tool was intended for authorized red team operations, TeamsPhisher can be exploited by threat actors to deliver malware to target organizations, evading detection discreetly.
Moreover, in the absence of Microsoft’s action, it is highly recommended that organizations disable external tenant communications unless necessary.
“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.