Unpatched versions of Microsoft Teams are potentially vulnerable to an account takeover attack using GIF files or links. SKOUT advises updating Microsoft teams to the latest version. In addition, organizations should review access control, phishing training, and social engineering training.
Technical detail and additional information
What is the threat?
A vulnerability exists in the popular video chat and collaboration platform Microsoft Teams that could allow an attacker to take control of the Teams accounts for an entire organization. Specifically, the vulnerability exists in the way that authentication to image resources is handled within Teams. An attacker can exploit this by sending a link or GIF file that when processed by a Teams account sends the target’s authentication access tokens to an attacker-controlled server. With these access tokens, an attacker can continue to spread across an organization’s Teams network in much the same way a typical worm does, constantly compromising new accounts autonomously if configured correctly. If an attacker is in control of a Teams account, they could have access to all of the messages sent and received by that user, potentially exposing personal or confidential information.
Why is this noteworthy?
The feature of this vulnerability that is most noteworthy is the attack vector. While the compromise needs to happen with some content being delivered via a Microsoft Teams chat, that content can be either a link or a GIF file. In the case of a link, the recipient of the message would need to click the given link to be compromised. However, in the case of a GIF, the recipient would not need to click anything to become compromised, they need only to view the message. When the image is processed by Teams, the target’s authentication token is sent to the compromised server the attacker controls. However, there are several barriers to entry for exploitation of this vulnerability. First, an attacker needs to compromise an initial account within an organization. This could be done in any number of ways, most likely through phishing or social engineering. Next the attacker must have a legitimate Microsoft subdomain to have the authentication tokens sent to, however attaining one is no easy feat. The researchers at CyberArk who discovered this vulnerability have stated that this must be a “teams.microsoft.com” domain, and while Microsoft has stated that the currently identified domains can no longer be abused, CyberArk believes there are other similar domains that are still vulnerable.
What is the exposure or risk?
By leveraging this vulnerability an attacker quickly compromises and gain access to an entire organization’s Teams accounts. From there the primary risk stems directly from the nature of the messages that are being sent within Teams itself. The attacker would have control over any compromised users account and could send, receive, and view messages to and from those accounts. Beyond any existing information in the accounts, an attacker could use social engineering attacks by posing as leadership from the organization and attempt to ask other executives to disclose sensitive information. Also, if an attacker were able to convince a user to download a different application for any potential reason, such as attending a meeting that requires it, they might be able to distribute malware to a target.
What are the recommendations?
Microsoft has already patched this vulnerability in an update on April 20th and also stated that they have deleted the misconfigured DNS records that allowed the hijacking of the teams.microsoft.com subdomains that were required for exploitation. However, in the wake of this and other vulnerabilities affecting videoconferencing and teleworking software it is important to ensure secure use of such applications. This can include ensuring only authorized users have access to the platform and refrain from use for non-work-related activities. Also ensure that your organization has strong user access controls in place, and that users are informed of the common vectors and signs of phishing and other social engineering attacks.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.