Heimdal

Despite Microsoft Teams’ restrictions for files from sources outside one’s organization, researchers found a way to “trick” the application. They managed to deliver malware into an organization using the communication platform.

More than 280 million people per month use Microsoft Teams, part of the Microsoft 365 cloud-based services.

Details About the Microsoft Teams Attack

Max Corbridge and Tom Ellson, experts at Jumpsec, found a way to deliver malware through Microsoft Teams, using an account outside the target organization. An outside account is typically referred to as an “external tenant.”

The platform’s default configuration allows contact with accounts outside of the enterprise; however, it blocks any file delivery from external tenant accounts.


Researchers managed to bypass restrictions by changing the internal and external recipient ID in the POST request of a message. This made the system believe that the external user was in fact an internal one.

Corbridge explains in a report that while this communication bridge would be enough for social engineering and phishing attacks, the method they found is more powerful as it allows sending a malicious payload directly to a target inbox.


When malware is sent like this, the payload is actually hosted on SharePoint for the target to download. As a consequence, it appears in the inbox as a file, not a link.

Using this technique, researchers were able to successfully deliver a command and control payload into an organization’s inbox. Moreover, attackers can register a domain similar to the targeted company on Microsoft 365, making the user think that the messages come from someone within the organization. This would increase credibility and the likelihood of a successful attack.

The simulated attack was part of a red team–blue team exercise.

Microsoft’s Response & Security Measures

Microsoft received the researchers’ findings, but the tech giant does not see any urgency in fixing the flaw. It replied that “it does not meet the bar for immediate servicing”, according to BleepingComputer.

To stay safe, organizations can disable communication on Microsoft Teams with external tenants. IT teams can turn off this feature from “Microsoft Teams Admin Center > External Access.”


If external lines of communication must be maintained, businesses might define specified domains in an allow-list, to reduce the danger of exploitation.
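
The two mitigations above can also be applied with the MicrosoftTeams PowerShell module. The script below is an added example, not taken from the Jumpsec report or from this article; it assumes a Teams administrator account, and the partner domains are constructed placeholders.

```powershell
# Added example: restrict Teams external access from PowerShell.
# Requires the MicrosoftTeams module and a Teams administrator account.
# The domains below are constructed placeholders, not values from the article.
# Leave the array empty (@()) to disable external access altogether.
$PartnerDomains = @('partner-one.example', 'partner-two.example')

Connect-MicrosoftTeams | Out-Null

# Record the current state before changing it.
$before = Get-CsTenantFederationConfiguration
Write-Host "Before: AllowFederatedUsers=$($before.AllowFederatedUsers) AllowedDomains=$($before.AllowedDomains)"

if ($PartnerDomains.Count -eq 0) {
    # No external partners are needed: turn external access off entirely.
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
}
else {
    # External access must stay on: permit only the listed domains.
    $allowList = New-Object 'System.Collections.Generic.List[string]'
    foreach ($domain in $PartnerDomains) {
        $allowList.Add($domain.Trim().ToLower())
    }
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList $allowList
}

# Read the setting back so the change can be confirmed and logged.
$after = Get-CsTenantFederationConfiguration
Write-Host "After:  AllowFederatedUsers=$($after.AllowFederatedUsers) AllowedDomains=$($after.AllowedDomains)"
```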

Jumpsec’s researchers also submitted a request to add external tenant-related events in the software’s logging, which could help prevent attacks as they unfold (…).



Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her ONG, cultural, and media background to this job.
