IT Services – Kansas City

Microsoft Teams Users At Risk Of New Cyber-Attack

“TeamsPhisher” is a tool recently published on GitHub that facilitates the delivery of phishing messages and attachments through Microsoft Teams to users whose organizations allow external communications. It takes advantage of an unresolved security issue in Microsoft Teams that lets bad actors bypass the restrictions on incoming files from users outside an organization. Using this bypass, malware files and phishing messages can be delivered to Teams accounts from external accounts without being stopped by those restrictions.

TeamsPhisher allows for completely automated attacks: all the sender has to do is give the program an attachment, a message, and a list of Teams users they would like to target. The program first makes sure that each target user exists and can receive external messages, then creates a new thread with that user. It tricks Microsoft Teams by creating a group chat instead of a one-on-one chat, including the target user’s account twice. This way, Teams does not warn the target user that the sender is outside their organization, a warning that might otherwise cause hesitation or suspicion on the target user’s part. With the thread created, the program sends the desired message along with a link to the desired attachment.

TeamsPhisher only works as long as Microsoft does not fix the security loophole the program exploits. So far, Microsoft has not announced any plan to fix the issue. Although TeamsPhisher was created only for use within authorized US red team operations, bad actors could take advantage of the same vulnerability to carry out phishing attacks. If you are a Teams user, it might be wise to disable communications from external sources within your application, if you haven’t already and are able to. If needed, you can also create an allow-list that tells Teams exactly which domains are trusted.
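The two mitigations above (turning external access off, or restricting it to an allow-list) can be applied tenant-wide by a Teams administrator. The script below is an added example, not part of the original post or of any Microsoft guidance quoted here; it assumes the MicrosoftTeams PowerShell module is installed, and the domain names are constructed placeholders.

```powershell
# Added example: review and harden Teams external access for a tenant.
# Assumes the MicrosoftTeams module and a Teams administrator sign-in.
# The default domains are constructed placeholders; use your real partners.
param(
    [ValidateSet('Audit', 'AllowList', 'Disable')]
    [string]$Mode = 'Audit',
    [string[]]$TrustedDomains = @('partner.example', 'supplier.example')
)

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# Settings that control who outside the tenant can start a chat.
$fields = 'AllowFederatedUsers', 'AllowedDomains', 'BlockedDomains',
          'AllowTeamsConsumer', 'AllowTeamsConsumerInbound'

Write-Host 'Current external access settings:'
Get-CsTenantFederationConfiguration | Format-List $fields

switch ($Mode) {
    'Disable' {
        # No external organizations and no personal Teams accounts.
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
            -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false
    }
    'AllowList' {
        # Only the listed domains may communicate with this tenant.
        # Personal (consumer) account settings are left unchanged here.
        $list = New-Object 'System.Collections.Generic.List[string]'
        $TrustedDomains | ForEach-Object { $list.Add($_) }
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
            -AllowedDomainsAsAList $list
    }
    'Audit' {
        Write-Host 'Audit only: no settings were changed.'
    }
}

if ($Mode -ne 'Audit') {
    Write-Host 'External access settings after the change:'
    Get-CsTenantFederationConfiguration | Format-List $fields
}
```

Run it once with the default `Audit` mode to see the current posture before choosing `AllowList` or `Disable`.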

Microsoft released a statement to BleepingComputer saying that they are aware of the issue and that any cyberattack carried out this way relies on social engineering to be successful. They encouraged Microsoft customers to “practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.” Social engineering attacks are cyberattacks that exploit human behavior. This type of attack usually manipulates and tricks the victim into willingly giving away sensitive information or otherwise compromising the security of their computer system.

It is important to always be on the lookout for new potential cyberattacks. Cybercriminals are inventing new types of attacks every day, such as this one, and proper education on cybersecurity could help you prevent a serious attack. A few tools, such as DNS filtering, may help to block malicious links, and, as always, keeping your employees informed of new threats is essential.
