New Microsoft Teams “TeamsPhisher” Bug Lets Attackers Send Malware to Users

Microsoft Teams has a security flaw that could allow attackers to bypass file transfer restrictions and deliver malware to unsuspecting users. A tool called TeamsPhisher, developed by members of the US Navy’s red team, automates these attacks and makes it easy for hackers to target organizations.

TeamsPhisher, written in Python, combines the work of several security researchers who find and exploit vulnerabilities in Microsoft Teams. The flaw stems from the fact that the application relies on client-side protection which can be circumvented by changing the ID in the POST request message.

This tool works by fetching attachments, messages, and a list of target Teams users. It then uploads the attachments to the sender’s SharePoint and sends messages with the SharePoint attachment links to each target. Messages appear as coming from an internal user, even if the sender is an external tenant.

“Give TeamsPhisher attachments, messages, and target lists of Teams users. It will upload attachments to the sender’s Sharepoint, and then iterate through the target list,” explains the description from Alex Reid, developer of the tool.

How TeamsPhisher Works and Mitigation

TeamsPhisher also checks if the target user is present and able to receive external messages, which is a prerequisite for the attack to work. This creates a new thread with the target, which can be used for manual interaction by the sender. Supports Microsoft Business accounts with MFA, Teams, and SharePoint licenses.

This tool has several additional features and options that can help fix attacks. For example, it can send secure file links that only its intended recipients can view, specify a delay between messages to avoid speed throttling, and write output to a log file. This tool also has a “preview mode” which allows users to verify their target list and see what their message will look like from the recipient list. perspective.

Microsoft has been aware of this problem since last month when UK-based security firm Jumpsec reported it. However, the company says it is not up to standard for immediate service. BleepingComputer reached out to Microsoft twice for comment but received no reply.

TeamsPhisher is designed for official red team operations, but can also be used by bad actors to deliver malware to unsuspecting organizations. Until Microsoft fixes this issue, it is recommended that organizations disable communication with external tenants when not needed or create allowlists with trusted domains.

If your organization uses Microsoft Teams in its default configuration, you are vulnerable to this attack. You can protect yourself by blocking external users from sending messages to your staff. To do this, go to the Microsoft Teams Admin Center > External Access and turn off the option. But what if you need to communicate with multiple external tenants? Don’t worry, you can use the whitelist to add domains for organizations you trust. This way, you can block all other domains and prevent unwanted messages.