Sunday, June 15, 2025
HomeCyber AttackMicrosoft Teams Vulnerability Let Attackers Deliver Malware From External Accounts

Microsoft Teams Vulnerability Let Attackers Deliver Malware From External Accounts

Published on

SIEM as a Service

Follow Us on Google News

The latest version of Microsoft Teams had a security flaw uncovered recently by Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec), JUMPSEC’s Red Team members.

Due to this flaw, there is a possibility for malware to be injected into organizations that rely on the default configuration of Microsoft Teams.

Microsoft Teams is used by over 280 million active users every month and is a popular way for organizations to talk and work together usin Microsoft 365.

- Advertisement - Google News

Teams Vulnerability

Successful exploitation of this vulnerability enables the threat actors to evade the client-side security controls. This security feature prohibits users outside the organization from sending any file to the organization’s internal users.

Corbridge asserted in a report that the communication bridge they discovered is more vital because it can send harmful stuff straight to someone’s email, which is more potent than just tricking them.

Apart from this, two Jumpsec’s Red Team members uncovered a solution to circumvent the existing limitation.

They did this by altering the recipient ID in the POST request of a message for internal and external recipients, thereby tricking the system into recognizing an external user as an internal user.

In pragmatic trials, the researchers applied the technique. They successfully infiltrated a command and control payload into the inbox of a target organization, all while operating covertly as part of their red team exercise.

Attackers easily infect organizations using Microsoft Teams by bypassing security measures and anti-phishing training, exploiting the default configuration of it.

By registering a domain similar to the target’s Microsoft 365, the attacker can create messages that appear internal rather than external, increasing the chance of the target downloading the file without suspicion.

Response From Microsoft

Researchers notified Microsoft of their findings, expecting an immediate response due to the considerable impact observed.

Despite Microsoft acknowledging the flaw’s existence, its response indicated that it does not meet the threshold for immediate action, implying a lack of urgency to address the issue.

To minimize risk, organizations utilizing Microsoft Teams without requiring regular communication with external users should disable this feature. And to do this, you have to follow the simple steps that we have mentioned below:-

  • First of all, go to Microsoft Teams Admin Center.
  • Then access the External Access option.
  • After that, you must disable the chat with external unmanaged Teams users.

Organizations can establish an allow-list for specific domains to mitigate exploitation risks when maintaining external communication channels.

Manage and Secure Your Endpoints Efficiently – Free Download

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale

Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...