Security researchers have uncovered a bug that could allow attackers to deliver malware directly into employees’ Microsoft Teams inbox.
“Organisations that use Microsoft Teams inherit Microsoft’s default configuration which allows users from outside of their organisation to reach out to their staff members,” Jumpsec researcher Max Corbridge explained.
With a social engineering pretext to prime the target, a malware delivery attack exploiting this vulnerability has a considerable chance of success.
Many organizations have permissive security controls that allow external tenants (M365 users outside the organization) to message their employees. There’s a reason for that: they may want and need to allow communications via Teams with members of other organizations, service providers, and so on.
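As an added illustration (not from the article or from Jumpsec), this PowerShell session with the MicrosoftTeams module first reads the tenant's external access (federation) settings, which on a default tenant allow any M365 tenant to reach staff, and then restricts them to an allow-list of partner domains; the domain names are placeholders.

```powershell
# Added example, not part of the original article. Requires the MicrosoftTeams
# PowerShell module and a Teams administrator account.
Connect-MicrosoftTeams

# 1. Inspect the current external access settings. On a default tenant
#    AllowFederatedUsers is $true with no allow-list, which is the permissive
#    posture the article describes.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains, AllowTeamsConsumer

# 2. Tightened posture: keep external Teams access, but only for tenants the
#    organisation actually works with (placeholder domains below).
$partners = New-Object Collections.Generic.List[String]
$partners.Add('partner-a.example')   # placeholder partner tenant
$partners.Add('msp.example')         # placeholder service provider tenant
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                    -AllowedDomainsAsAList $partners

# 3. Also stop personal (consumer) Teams accounts from initiating chats.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false

# 4. Re-read the configuration to confirm the allow-list is in place.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer
```

Domains added to the allow-list should be the ones the organisation has a business reason to chat with; look-alike domains registered by an attacker, as described below, would not be on it.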
These external users (tenants) by default can’t send files to employees of another organization, but the client-side security controls that disallow this can be bypassed, discovered Corbridge and fellow researcher Tom Ellson, Jumpsec’s Head of Offensive Security.
“Exploitation of the vulnerability was straightforward using a traditional IDOR technique of switching the internal and external recipient ID on the POST request,” they explained.
This allows the external tenant/attacker to send a malicious payload that will appear in the target’s inbox as a file for download.
The malicious party could further increase the probability of a successful attack by registering a domain similar to the target organization’s domain, registering it with M365, and using an email address that mimics the address of a known member of the target organization.
The incoming message will be tagged with an “External” banner and the target will be warned to be extra careful when interacting with this “external” user, but a significant percentage of employees will likely ignore the warning.
“When this vulnerability is combined with social engineering via Teams it becomes very easy to start a back-and-forth conversation, jump on a call, share screens, and more,” Corbridge noted.
“When using this on a real engagement the pretext of an IT technician was used to ask the target if they could jump on a call to update some critical software. Once on the call this vulnerability was leveraged to deliver a payload and, when combined with a full social engineering attack, was implicitly trusted by the target.”
The beauty of this tactic is that it sidesteps nearly all modern anti-phishing security controls, and particularly those related to email.
Also, while most employees have been taught not to click on links or download attachments from unsolicited emails, many still inherently trust identities in Teams and messages received via the platform – and attackers have realized that.
Corbridge says that they’ve notified Microsoft of their finding and that the company said this vulnerability “did not meet the bar for immediate servicing.”
Here’s hoping that the time for servicing will come soon. In the meantime, he advises organizations to:
Detecting attempts may prove difficult, since Microsoft currently doesn’t provide logs that cover potentially malicious events originating from external tenants, and using web proxy logs to alert on staff members accepting external message requests offers very limited insight, he added.