Saturday, May 18, 2024

Hackers Hijack Microsoft Teams Accounts Using a Single Weaponized GIF Image

Microsoft has patched a subdomain takeover vulnerability in Microsoft Teams that affects every user who uses the Teams desktop or web browser version.

Microsoft Teams is a leading communication and collaboration platform that combines workplace features such as chat, video meetings, file storage, collaboration on files, and integration with applications.

Microsoft Teams Vulnerability

Researchers from CyberArk discovered a worm-like vulnerability that lets hackers use a malicious GIF file to scrape user data and to take over the entire roster of Teams accounts.

The vulnerability resides in how the application programming interfaces (APIs) used to validate the communication between the client and the server.

With Teams access token (auth token) and the skype token is used to make API calls that let users send messages, read messages, create groups, add new users or remove users from groups, change permissions in groups, etc.

Microsoft Teams

According to CyberArk, the following subdomains are vulnerable to takeover;


An attacker can force the user to visit one of the sub-domains and get access to the auth token, by having the auth token attackers can steal the victim’s Teams account data.

“We considered this approach as well, sending an image to our victim with an “src” attribute set to the compromised sub-domain via Teams chat. When the victim opens this message, the victim’s browser will try to load the image and this will send the auth token cookie to the compromised sub-domain, “reads Cyberark blog post.

Victims will not have any indication of they’ve been attacked as the take over process is stealthy and dangerous.

Researchers published a video POC exploit of the vulnerability, they also warned that the vulnerability is wormable.

The vulnerability has been reported by Microsoft Security Research Center and Microsoft fixed the vulnerability by deleting the misconfigured DNS records of the two subdomains.

A Couple of days before a new Zoom flaw lets hackers record Zoom meeting sessions and to capture the chat text without the knowledge of meeting participants’ even though host disables recording option for the participants.

Due to this COVID-19 pandemic situation, many companies moved to full-time remote work, vulnerabilities like this may pose a huge risk.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles