TeamsPhisher, a tool written by a member of the US Navy Red Team, uses a Microsoft Teams security weakness to deliver phishing messages. With it, attackers can get around the restrictions on messaging external users by taking advantage of an unpatched flaw in the service.
The flaw lets attackers bypass Microsoft Teams' file-sharing restrictions and deliver malware from external accounts. Jumpsec Labs discovered the issue and described it in depth in a technical paper.
The exploit relies on the fact that the restriction is enforced by client-side checks in the Microsoft Teams application: altering an identifier in a POST request is enough to make the service treat an external user as an internal one.
TeamsPhisher: Exploiting Microsoft Teams’ Security Flaw
Before launching an attack, TeamsPhisher first checks whether the target user is able to receive external messages. Once that is confirmed, the tool creates a new thread and sends the target a message containing a link to a SharePoint attachment. The sender can then interact with this thread manually through the Teams interface.
To use TeamsPhisher, a user needs a valid Microsoft Business account with Teams and SharePoint licenses, which is common in large organizations.
Alongside its core functionality, TeamsPhisher offers a "preview mode" so users can check recipient lists and how messages will appear. It also provides features such as sending encrypted links that only the intended recipient can open, delaying messages to get around rate limits, and writing output to a log file.
According to Jumpsec's researchers, the underlying flaw exploited by TeamsPhisher remains unpatched, and Microsoft has said that fixing it is not currently a high priority.
Although it was written for red team engagements, TeamsPhisher could also be used by criminals to get past Microsoft Teams' safeguards and deliver malware to target organizations.
To reduce the risk of exploitation, organizations are advised to disable external access unless it is strictly required, and otherwise to restrict it to a list of trusted external domains.
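A defender-side triage rule that follows from that guidance, added here as an example and not taken from the article or from the TeamsPhisher project: it flags chat messages whose sender is outside the tenant and not on the allowlist and which carry a SharePoint-hosted link, which is the delivery pattern described above. The event fields, tenant domains, allowlist and sample messages are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Placeholder values, not from the article: the tenant's own domains and the
# explicit allowlist of external partner domains the article recommends.
TENANT_DOMAINS = {"corp.example"}
ALLOWED_EXTERNAL_DOMAINS = {"partner.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_domain(upn: str) -> str:
    """Lower-cased domain part of a user principal name such as a@b.example."""
    return upn.rsplit("@", 1)[-1].lower()


def is_sharepoint_url(url: str) -> bool:
    """True only for hosts on sharepoint.com itself, not look-alike domains."""
    host = (urlparse(url).hostname or "").lower()
    return host == "sharepoint.com" or host.endswith(".sharepoint.com")


def classify_message(event: dict) -> list:
    """Reasons a message matches the pattern: an external, non-allowlisted
    sender delivering a SharePoint link (optionally in a brand-new thread).
    An empty list means the rule does not fire."""
    domain = sender_domain(event["sender"])
    if domain in TENANT_DOMAINS or domain in ALLOWED_EXTERNAL_DOMAINS:
        return []  # internal user or trusted partner: out of scope for this rule
    sp_links = [u for u in URL_RE.findall(event.get("body", "")) if is_sharepoint_url(u)]
    if not sp_links:
        return []
    reasons = [f"external sender {domain} is not on the allowlist",
               f"{len(sp_links)} SharePoint link(s) in message"]
    if event.get("is_new_thread"):
        reasons.append("message opens a new chat thread")
    return reasons


# Constructed sample events (hypothetical schema, not real Teams telemetry).
SAMPLE_EVENTS = [
    {"sender": "alice@corp.example", "is_new_thread": False,
     "body": "Updated deck: https://corp-my.sharepoint.com/:p:/g/deck"},
    {"sender": "bob@partner.example", "is_new_thread": True,
     "body": "Contract: https://partner.sharepoint.com/sites/legal/contract.docx"},
    {"sender": "helpdesk@unknown-tenant.example", "is_new_thread": True,
     "body": "Please review https://unknown-tenant.sharepoint.com/:b:/g/invoice.pdf"},
    {"sender": "news@unknown-tenant.example", "is_new_thread": True,
     "body": "Hello, see https://sharepoint.com.evil.example/invoice.pdf"},
]


def triage(events: list) -> list:
    """Return (sender, reasons) for every event the rule fires on."""
    return [(e["sender"], r) for e in events if (r := classify_message(e))]
```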