Cyber Security Threat Summary:
“A member of U.S. Navy's red team has published a tool called TeamsPhisher that leverages an unresolved security issue in Microsoft Teams to bypass restrictions for incoming files from users outside of a targeted organization, the so-called external tenants. The tool exploits a problem highlighted last month by Max Corbridge and Tom Ellson of UK-based security services company Jumpsec, who explained how an attacker could easily go around Microsoft Teams' file-sending restraints to deliver malware from an external account” (Bleeping Computer, 2023).

The issue is the result of the applications client-side protections being tricked into seeing an external users as an internal one by changing the ID in the POST request of a message. The tool, written in Python, provides full automation, all the attackers needs to do is supply the tool an attachment, a message, and a list of targeted Teams users. The malware will upload the attachment to the sender’s SharePoint, and then iterate through the list of targets.

Security Officer Comments:
TeamsPhisher is able to verify the existence of each victim account and their ability to receive external messages, which the researchers say is a prerequisite for the attack to work. Once verified, the malware will create a new thread with the target and send them a message with a Sharepoint attachment link. Additionally, TeamsPhisher requires victims to have a Microsoft Business account with a valid Teams and Sharepoint license, which may be common for larger organizations, but does lower the potential pool of victims.

“The tool also offers a "preview mode" to help users verify the set target lists and to check the appearance of messages from the recipient's perspective. Other features and optional arguments in TeamsPhisher could refine the attack. These include sending secure file links that can only be viewed by the intended recipient, specifying a delay between message transmissions to bypass rate limiting, and writing outputs to a log file” (Bleeping Computer, 2023).

Suggested Correction(s):
As of this report, the TeamsPhisher exploits still exist in Microsoft, and the researchers note they were told the exploit did not meet the bar for immediate servicing. While TeamPhisher was created for authorized red team operations, threat actors can also leverage it to deliver malware to target organizations without setting off alarms.

Until Microsoft decides to take action about this, organizations are strongly advised to disable communications with external tenants if not needed. They can also create an allow-list with trusted domains, which would limit the risk of exploitation.

Link(s):
https://www.bleepingcomputer.com/