IDOR in Microsoft Teams Allows for External Tenants to Introduce Malware

Cyber Security Threat Summary:
Security researchers from Jumpsec have discovered a vulnerability in Microsoft Teams that enables attackers to deliver malware directly to employees' inboxes. The bug allows external users to send malicious payloads that appear as downloadable files. By combining this vulnerability with social engineering tactics, attackers can increase the success rate of their attacks. This method bypasses anti-phishing security controls and takes advantage of the trust employees have in messages received through Microsoft Teams. “This vulnerability affects every organization using Teams in the default configuration. As such it has huge potential reach, and could be leveraged by threat actors to bypass many traditional payload delivery security controls. Having now proven this hypothesis, and used this vulnerability to successfully deliver malware that compromised a target machine in a client’s environment, researchers believe the vulnerability to be an exploitable discovery” (Jumpsec, 2023).

Security Officer Comments:
“By manipulating the recipient IDs in the POST request, attackers can deliver malware to the target's inbox, disguising it as a downloadable file. To increase the chances of success, attackers may register a domain similar to the target organization's domain and use an email address resembling that of a known member of the organization. Although the incoming message is flagged as "External" and the target is cautioned about interacting with external users, a significant number of employees may ignore the warning.

In a real-life scenario, the researchers utilized the pretext of an IT technician needing to update critical software, leveraging the vulnerability during the call to deliver the payload. By employing a comprehensive social engineering attack, the attackers gained implicit trust from the target” (Jumpsec, 2023).

Suggested Correction(s):
While most employees have been taught not to click on links or download attachments from unsolicited emails, many still inherently trust identities in Teams and messages received via the platform – and attackers have realized that. Microsoft has been notified of the researchers' findings; the company said the vulnerability “did not meet the bar for immediate servicing.”

In the meantime, experts are advising organizations to:

  • Remove the option of external tenants being able to contact employees (if not needed)
  • Change the security settings to only allow communication with certain allow-listed domains (if the number of organizations they need to keep in touch with is small), and/or
  • Educate staff on the possibility of productivity apps such as Teams, Slack or SharePoint being used by attackers to mount social engineering attacks
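The first two recommendations map to the tenant federation settings in the MicrosoftTeams PowerShell module. The following is an added example, not taken from the Jumpsec write-up or from Microsoft documentation; the domains partner.example.com and supplier.example.org are placeholders for whichever organizations actually need to reach your users, and the cmdlets assume a Teams administrator session.

```powershell
# Added example (not from the Jumpsec write-up): tightening Teams external access
# with the MicrosoftTeams PowerShell module. Placeholder domains below must be
# replaced with the partners you actually federate with. Run as a Teams admin.

Connect-MicrosoftTeams

# 1. Inspect the current state. In the default tenant configuration
#    AllowFederatedUsers is $true and AllowedDomains is an open list, which is
#    the setting that lets any external tenant message your employees.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowPublicUsers,
                  AllowedDomains, BlockedDomains

# 2. Pick ONE of the two options; whichever Set- call runs last wins.

# Option A: no external tenant may contact employees at all.
# AllowFederatedUsers covers other Microsoft 365 tenants; the two extra switches
# cover unmanaged (consumer) Teams accounts and Skype consumer accounts, which
# are governed separately and stay open if you only flip the first one.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                    -AllowTeamsConsumer  $false `
                                    -AllowPublicUsers    $false

# Option B: keep federation on, but only for an explicit allow-list of domains.
$allowedDomains = @("partner.example.com", "supplier.example.org") |
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $allowedDomains
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                    -AllowedDomains $allowList `
                                    -AllowTeamsConsumer $false `
                                    -AllowPublicUsers $false

# 3. Verify. After Option B, AllowedDomains should list only the patterns above;
#    any other tenant's users are rejected at the federation layer, so a
#    look-alike domain registered by an attacker cannot reach your inboxes
#    unless you add it yourself.
(Get-CsTenantFederationConfiguration).AllowedDomains
```

Note that allow-listing only restricts which tenants can reach you; messages from an allow-listed partner still carry the "External" banner, so the third recommendation (staff awareness) remains necessary even after the configuration change, since a compromised account at a trusted partner would pass this filter.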

Link(s):
https://labs.jumpsec.com/