Thursday, November 14, 2024
HomeCyber Security NewsTeamsPhisher Tool Exploits Microsoft Teams Flaw to Send Malware to Users

TeamsPhisher Tool Exploits Microsoft Teams Flaw to Send Malware to Users

Published on

US Navy, one of the red team members, recently released TeamsPhisher,” a tool that exploits the Microsoft Teams’ security flaw that is not fixed to bypass the incoming file restrictions from external tenants.

This new tool allows attackers to deliver malicious files to specific organization’s Teams users automatically, and it’s currently available on GitHub. 

By altering the ID in a POST request, the application’s client-side protections can be deceived, enabling external users to be perceived as internal, which makes this possible

- Advertisement - SIEM as a Service

This tool operates seamlessly in environments permitting communication between internal and external Teams users.

Attackers leverage this tool to deliver the payloads to a victim’s inbox directly, bypassing the need for traditional tactics like:-

TeamsPhisher (Source – Github, Octoberfest7)

Tools Exploit Microsoft Teams Flaw

TeamsPhisher is a Python3 program that is completely based on the Python programming language and is mainly designed to give the operator the ability to perform automated attacks.

Combining Jumpsec researchers’ attack concept, Andrea Santese’s techniques, and authentication/helper functions from Bastian Kanbach’s ‘TeamsEnum‘ tool; it integrates a unique approach.

Max Corbridge and Tom Ellson, cybersecurity researchers at JUMPSEC, discovered a simple workaround that is dubbed the “IDOR” technique.

Varonis, a security vendor, highlighted the potential of IDOR and how it empowers attackers to manipulate web apps via direct object references like:-

  • Database key
  • Query parameter
  • Filename

Before proceeding with the attack, TeamsPhisher validates the target user’s presence and their capacity to receive external messages, a crucial prerequisite.

Next, with the target, it generates a fresh thread, and then a message containing a Sharepoint attachment link is dispatched by it. 

For successful utilization of TeamsPhisher, a valid Teams and Sharepoint license is mandatory for users, typically found in the Microsoft Business account (MFA supported), a widespread requirement in numerous prominent organizations.

While the tool includes “preview mode” for target list verification and message appearance check. Additional features and optional arguments in TeamsPhisher enhance the attack with the following capabilities:-

  • Secure file links for the intended recipient only
  • Transmission delay to bypass rate limiting
  • Log file output

Despite Microsoft being informed by Jumpsec researchers, the issue exploited by TeamsPhisher remains unresolved as Microsoft affirmed that it was not immediately eligible for the fixing criteria.

While originally this tool was intended for authorized red team operations, TeamsPhisher can be exploited by threat actors to deliver malware to target organizations, evading detection discreetly.

Moreover, in the absence of Microsoft’s action, it is highly recommended that organizations disable external tenant communications unless necessary.

“AI-based email security measures Protect your business From Email Threats!” – .

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Google Unveils New Intelligent, Real-Time Protections for Android Users

Google has once again raised the bar for mobile security by introducing two new...

Chinese National Faces 20 Years of Jail Time for Laundering Millions in Crypto

Daren Li, 41, a dual citizen of China and St. Kitts and Nevis, and...

Google to Issue CVEs for Critical Cloud Vulnerabilities

Google Cloud has announced a significant step forward in its commitment to transparency and...

GitLab Patches Critical Flaws Leads to Unauthorized Access to Kubernetes Cluster

GitLab has rolled out critical security updates to address multiple vulnerabilities in its Community...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Google Unveils New Intelligent, Real-Time Protections for Android Users

Google has once again raised the bar for mobile security by introducing two new...

Chinese National Faces 20 Years of Jail Time for Laundering Millions in Crypto

Daren Li, 41, a dual citizen of China and St. Kitts and Nevis, and...

Google to Issue CVEs for Critical Cloud Vulnerabilities

Google Cloud has announced a significant step forward in its commitment to transparency and...