Security experts from the US Navy have developed a tool to exploit a recently discovered vulnerability in Microsoft Teams.
Last month, a bug was found in the video conferencing software that allowed files sent from external accounts to be delivered to an organization’s inbox, something that is supposed to be restricted.
The US Navy’s Red Team created a tool called TeamsPhisher that exploits this flaw. The technique involves changing the ID in the POST request of a message so that Teams thinks the external file being sent actually came from an internal account, and therefore accepts it.
Written in Python, the tool can carry out attacks with complete autonomy. The user just has to compose the message, attach the file and give it a list of targets to hit. It will detect which targets have external message reception turned on and will attack only those, as this has to be enabled for the attack to work.
Another trick it uses is to make the new thread a group chat with the user by including the target’s email twice. According to the description on the tool’s GitHub page, this will bypass the “Someone outside your organization has sent you a message, are you sure you want to view this” splash screen that could otherwise give the target pause.
The message will be sent to the user and the attachment will be linked in the user’s SharePoint.
TeamsPhisher also requires a Microsoft Business account with a Teams and SharePoint license for the target, which many companies using Teams will have. The tool can also delay messages to avoid running into the rate limit, as well as write its output to a log file.
A threat actor could use TeamsPhisher to distribute malware to Teams users who have external messaging turned on. Microsoft has not yet fixed the issue and has said that it is not serious enough for the company to address immediately.
It also said it is aware of the new TeamsPhisher tool and notes that it relies on social engineering to work, and therefore advises users to be cautious when receiving any links or attachments.
Users can disable external messages by navigating to the Microsoft Teams Admin Center and then to External Access. If users do not want to block all external communications, they can choose to communicate with only trusted domains by adding them to the allow list.
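The same External Access change can be scripted. The following is an added example, not taken from the article or from the tool's repository; it assumes the MicrosoftTeams PowerShell module and a Teams administrator role, and the domain names are placeholders.

```powershell
# Added example: audit and restrict Teams external access.
# Assumes: Install-Module MicrosoftTeams has been run and the caller is a Teams admin.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder domains (assumption); replace with the partners you actually trust.
    [string[]]$TrustedDomains = @('partner.example', 'supplier.example'),
    # Use this switch to turn external access off entirely instead of using an allow list.
    [switch]$BlockAll
)

Import-Module MicrosoftTeams -ErrorAction Stop
Connect-MicrosoftTeams | Out-Null

# Record the current setting first. AllowFederatedUsers = True with no domain
# restriction is the "external messaging on" state the article describes.
Write-Host 'Current external access configuration:'
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains

if ($BlockAll) {
    if ($PSCmdlet.ShouldProcess('tenant', 'Disable all external access')) {
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
    }
}
else {
    # Refuse an empty list rather than silently leaving external access open.
    if (-not $TrustedDomains -or $TrustedDomains.Count -eq 0) {
        throw 'Provide at least one trusted domain, or use -BlockAll.'
    }
    $allow = New-Object 'System.Collections.Generic.List[string]'
    foreach ($d in $TrustedDomains) { $allow.Add($d.Trim().ToLower()) }

    if ($PSCmdlet.ShouldProcess('tenant', "Allow only: $($allow -join ', ')")) {
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
            -AllowedDomainsAsAList $allow
    }
}

# Read the setting back so the change can be confirmed and logged.
Write-Host 'Resulting external access configuration:'
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains
```

Run it with `-WhatIf` first to see which change would be made without applying it.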











