Microsoft Teams bug allows hackers to sidestep security, plant malware


A Microsoft Teams vulnerability allows adversaries to sidestep security controls and plant malware on targeted systems. The Teams attack vector was found by researchers who warn that, as traditional routes of infection such as inboxes and websites come under heavier scrutiny, communications platforms such as Teams, Slack and Zoom are becoming more attractive targets.

In a research note posted last week, Jumpsec researchers said the issue impacts organizations that use Microsoft Teams in its default configuration. “This is done by bypassing client-side security controls which prevent external tenants from sending files (malware in this case) to staff in your organization,” wrote Max Corbridge, a researcher with Jumpsec’s Red Team research group.

IDOR Bug

The bug is based on the Teams feature that allows two businesses running the Teams platform to interact with one another. The collaboration feature does have security measures in place to prevent one business from sending the other a malicious file via Teams. However, Jumpsec found a way to bypass those protections and successfully plant a malicious file on the recipient’s system.

“Microsoft Teams allows any user with a Microsoft account to reach out to ‘external tenancies’… These organizations each have their own Microsoft tenancy, and users from one tenancy are able to send messages to users in another tenancy,” he wrote.

The loophole relies on a common flaw class called insecure direct object references (IDOR), where the file sender switches the internal and external recipient ID on a POST request, researchers said. A POST is the HTTP method used to send data to a server to create or update a resource.
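The IDOR described above is a general pattern: the server acts on identifiers the client chose, and the "is this recipient external?" check lives in the client UI rather than behind the API. The following toy file-share service is an added illustration written for this article, not Teams code or Jumpsec's technique; every user, tenant, field name and request in it is constructed. It shows the same tampered request being accepted by a handler that trusts client-supplied tenant fields and rejected by one that derives both parties' tenants from server-side state, and it records the claimed-versus-actual mismatch as an audit signal a defender could alert on.

```python
"""Toy chat/file-share API illustrating the IDOR / client-side-control
bypass class. All identities, tenants, field names and requests are
constructed for this example; none of this is Teams' real API."""
from dataclasses import dataclass, field

# Constructed directory: user id -> tenant id
USERS = {
    "alice@corp.example": "tenant-corp",
    "bob@corp.example": "tenant-corp",
    "mallory@other.example": "tenant-other",
}

# Constructed policy: a tenant accepts file attachments only from these tenants.
# Default posture: internal senders only.
FILE_POLICY = {
    "tenant-corp": {"tenant-corp"},
    "tenant-other": {"tenant-other"},
}

# Audit trail: hardened handler appends one entry per policy decision.
AUDIT_LOG = []


@dataclass
class Request:
    session_user: str        # principal the server authenticated (from the token)
    body: dict = field(default_factory=dict)  # JSON body exactly as the client sent it


def vulnerable_send_file(req):
    """Trusts the tenant fields in the body. The client UI already refused
    to show a file picker for external recipients, so the server merely
    repeats that check on values the client is free to rewrite."""
    sender_tenant = req.body.get("sender_tenant")
    recipient_tenant = req.body.get("recipient_tenant")
    if sender_tenant in FILE_POLICY.get(recipient_tenant, set()):
        return ("accepted", req.body.get("recipient"))
    return ("rejected", None)


def hardened_send_file(req):
    """Derives every identity server-side: the sender is the authenticated
    principal and the recipient's tenant comes from the directory, so
    swapping IDs or tenant labels in the body cannot change the decision."""
    sender_tenant = USERS.get(req.session_user)
    recipient = req.body.get("recipient")
    recipient_tenant = USERS.get(recipient)
    if sender_tenant is None or recipient_tenant is None:
        AUDIT_LOG.append({"user": req.session_user, "event": "unknown_principal"})
        return ("rejected", None)

    # Detection signal: body claims a tenant that the directory contradicts.
    claimed = req.body.get("sender_tenant")
    if claimed is not None and claimed != sender_tenant:
        AUDIT_LOG.append({"user": req.session_user,
                          "event": "claimed_tenant_mismatch",
                          "claimed": claimed, "actual": sender_tenant})

    if sender_tenant in FILE_POLICY[recipient_tenant]:
        AUDIT_LOG.append({"user": req.session_user, "event": "file_accepted",
                          "recipient": recipient})
        return ("accepted", recipient)
    AUDIT_LOG.append({"user": req.session_user, "event": "cross_tenant_file_blocked",
                      "recipient": recipient})
    return ("rejected", None)


# Constructed request: an external user submits a body that labels both
# parties as internal, exactly the kind of field swap an IDOR exploits.
TAMPERED = Request(
    session_user="mallory@other.example",
    body={"recipient": "alice@corp.example",
          "sender_tenant": "tenant-corp",
          "recipient_tenant": "tenant-corp",
          "file": "invoice.pdf"},
)

# Constructed request: a legitimate internal transfer that must still work.
LEGIT = Request(
    session_user="alice@corp.example",
    body={"recipient": "bob@corp.example", "file": "notes.txt"},
)


def demo():
    """Run both handlers on the tampered request and report the outcomes."""
    return {"vulnerable": vulnerable_send_file(TAMPERED)[0],
            "hardened": hardened_send_file(TAMPERED)[0]}


if __name__ == "__main__":
    print(demo())
    print([e["event"] for e in AUDIT_LOG])
```

The point of the hardened handler is not a stricter client check but that the server never reads an authorization-relevant attribute (who is sending, which tenant the recipient belongs to) from the request body at all; the `claimed_tenant_mismatch` audit event is the cheap telemetry that turns an attempted bypass into an alert.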

When a file is hosted on a SharePoint domain, an adversary can craft a malicious URL and send it to a target via Teams to plant malware on the target’s computer. The “payload is delivered directly into the target’s inbox” as a file, not a link, researchers said.

The next step in the attack, researchers said, would be to use a social engineering tactic to con the recipient into clicking on the malicious payload.

“[This technique] avoids the now-rightfully-dangerous act of clicking on a link in an email, something that staff have been trained to…

Source…