Many organizations have permissive security controls that allow external tenants (M365 users outside the organization) to message their employees. There’s a reason for that: they may want and need to allow communications via Teams with members of other organizations, service providers, and so on.

These external users (tenants) by default can’t sent files to employees of another organization, but the client-side security controls that disallow this can be bypassed, Corbridge and fellow researcher and Jumpsec’s Head of Offensive Security Tom Ellson discovered.

“Exploitation of the vulnerability was straightforward using a traditional IDOR technique of switching the internal and external recipient ID on the POST request,” they explained.

This allows the external tenant/attacker to send a malicious payload that will appear in the target’s inbox as a file for download.

The malicious party could further increase the probability of a successful attack by registering a domain similar to the target organization’s domain, registering it with M365, and using an email address that mimics the address of a known member of the target organization.

The incoming message will be tagged with an “External” banner and the target will be warned to be extra careful when interacting with this “external” user, but a significant percentage of employees will likely ignore the warning.

“When this vulnerability is combined with social engineering via Teams it becomes very easy to start a back-and-forth conversation, jump on a call, share screens, and more,” Corbridge noted.

“When using this on a real engagement the pretext of an IT technician was used to ask the target if they could jump on a call to update some critical software. Once on the call this vulnerability was leveraged to deliver a payload and, when combined with a full social engineering attack, was implicitly trusted by the target.”