Microsoft Teams Vulnerability Puts Companies at Risk of Malware Attacks

ATTENTION: Business Owners, Leadership, and Board of Directors!

Microsoft Teams, with an impressive 280 million monthly active users, is a staple in many organizations for communication and collaboration. It seamlessly integrates into Microsoft 365’s suite of cloud-based services. But here’s the twist: a recent cybersecurity discovery has revealed a critical security flaw in Microsoft Teams. This flaw opens the door to potential malware attacks from external sources, posing a substantial risk to organizations, even if they’re using the platform’s default security settings.

The Findings

Cybersecurity researchers Max Corbridge and Tom Ellson, part of the Red Team at the UK-based cybersecurity firm Jumpsec, uncovered this vulnerability. They found a way to deliver malware through Microsoft Teams, even when strict restrictions are placed on files from external sources.

How the Attack Works

What makes this vulnerability particularly alarming is that it operates within Microsoft Teams’ default setup, which allows communication with external Microsoft Teams accounts, often called “external tenants.” Corbridge explains that while this communication capability could potentially be used for social engineering and phishing attacks, their method takes it a step further by enabling the direct delivery of a harmful payload right into a target’s inbox.

Despite Microsoft Teams having protections in place to block file deliveries from external tenant accounts, the Jumpsec Red Team figured out a way to bypass this safeguard. They did this by tweaking the internal and external recipient IDs within the POST request of a message. This essentially tricks the system into treating an external user as an internal one.

Putting It to the Test

When employing this technique, the malicious payload is hosted on a SharePoint domain, and the target unknowingly downloads it from there. What’s especially sneaky is that the payload appears in the target’s inbox as a file, not just a link.

The Jumpsec Labs team rigorously tested this method in real-world scenarios and managed to successfully deliver a command and control payload right into a target organization’s inbox during a covert red team engagement. This is concerning because it sidesteps existing security measures and outsmarts conventional anti-phishing training, giving attackers a simpler path to infect organizations that rely on Microsoft Teams’ default settings.

Furthermore, if a malicious actor registers a domain that closely mimics the target organization’s within Microsoft 365, they can make their messages look like they’re coming from inside the organization. This increases the chances of the target downloading the malicious file, making it even more deceptive.

Microsoft’s Response and the Numbers

Upon discovering this vulnerability, the researchers promptly reported their findings to Microsoft, expecting a quick response due to its potential impact. Unfortunately, Microsoft acknowledged the flaw but didn’t see it as a pressing issue requiring immediate action or a quick fix.

Now, here’s the kicker: Microsoft Teams is currently used by a whopping 280 million monthly active users, according to recent statistics. This extensive adoption makes this vulnerability a serious concern, as it could potentially affect countless organizations and their digital security.

What You Should Do

For organizations using Microsoft Teams and not needing regular communication with external tenants, here’s the recommendation: disable this feature through “Microsoft Teams Admin Center > External Access.”

For those organizations that need to keep external communication open, the proactive approach is to define specific domains on an allow-list. This reduces the chances of falling victim to exploitation.
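Both recommendations can also be applied and verified from PowerShell rather than the admin center. The script below is an added example, not part of the original article or Jumpsec's research; it assumes the MicrosoftTeams PowerShell module and a Teams administrator account, and the partner domains are placeholders.

```powershell
# Added example. Requires the MicrosoftTeams module and a Teams admin role.
# The domains in $TrustedPartners are placeholders, not values from the article.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# 1. Record the current external-access state before changing anything.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains

# Set to $true if the organization has no need to talk to external tenants.
$DisableExternalAccess = $false

# Otherwise, the only external domains that should be able to reach your users.
$TrustedPartners = @('partner-one.example', 'partner-two.example')

if ($DisableExternalAccess) {
    # Option A: switch external access off entirely.
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
}
else {
    # Option B: keep external access on, restricted to an explicit allow-list.
    $allow = New-Object 'System.Collections.Generic.List[string]'
    $TrustedPartners | ForEach-Object { $allow.Add($_.ToLowerInvariant()) }

    # Refuse to apply an empty list rather than leave the result ambiguous.
    if ($allow.Count -eq 0) { throw 'Allow-list is empty; refusing to apply.' }

    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
        -AllowedDomainsAsAList $allow
}

# 2. Read the setting back so the change is verified rather than assumed.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains
```

Keeping the before and after output with your change records gives you evidence of when external access was restricted and to which domains.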

Additionally, the folks at Jumpsec suggest adding external tenant-related events to the software’s logging system. This could act as a strong deterrent against future attacks. It’s a call to action for the cybersecurity community to support this initiative, urging Microsoft to address the issue effectively.

Disclaimer: The information provided in this article is for educational purposes only and should not be considered as legal advice. For specific compliance concerns, please consult with a qualified legal professional.

By: Derreck Ogden
