A member of the Red Team (Red Team) of the US Navy has released a tool called Teamsphisher that enables a phishing attack on Microsoft Teams. This tool exploits an unresolved security issue within the service, allowing attackers to bypass the ban on communication with external users outside of the target organization.
The flaw in the system enables attackers to easily evade Microsoft Teams’ restrictions on sending files and deliver malware from an external account. Jumpsec Labs, the cybersecurity company, discovered this vulnerability and outlined the details in their technical report.
This attack is made possible due to the client-side protection measures within the Microsoft Teams application. By changing the identifier in the post, attackers can deceive the application and present an external user as an internal one.
Teamsphisher begins by verifying the existence of the target user and their ability to receive external messages, a prerequisite for the attack. The tool then creates a new thread with specific goals and sends a message to the targets, referencing an investment in SHAREPOINT. Simultaneously, the thread appears in the sender’s Teams interface for manual interaction.
Users must have a Microsoft Business account with a Teams and SharePoint license, a common requirement for many large companies, in order to use Teamsphisher. The tool also offers a “preliminary viewing mode” so that users can preview the recipient’s appearance and message lists. Other features of Teamsphisher include:
- Sending secure links to files that only the specific recipient can access
- Setting message delay to bypass frequency restrictions
- Recording output to a log file
Despite being alerted to the issue by Jumpsec researchers, Microsoft has stated that it is not a top priority for immediate resolution.
While Teamsphisher was initially created for Red Team purposes, cybercriminals could also exploit the tool to deliver malware to targeted organizations using Microsoft Teams.
Until Microsoft addresses this problem, it is highly recommended that organizations sever any unnecessary connections with external users. Companies can also create a list of trusted domains, reducing the risk of such attacks.