July 07, 2023

Microsoft TeamsPhisher Exploit Alert

Steve Bedwell
Consultant at Data#3 Limited

TLDR:

A weakness has been discovered in Microsoft Teams that allows attackers to deliver malicious files to users if Microsoft Teams is configured to allow external parties to establish chat.

There is a simple mitigation for the exploit, which has been dubbed TeamsPhisher. Businesses should disable external access, or allow only trusted domains to initiate chats from external parties, because by default, when external access is enabled, Microsoft Teams accepts chats from anyone.

Who found what, when?

Max Corbridge and Tom Ellson of JUMPSEC’s Red Team discovered a vulnerability in the most recent version of Microsoft Teams and published their findings on June 21, 2023.

How does the attack work?

The exploit takes advantage of the default setting of Microsoft Teams, which permits users from outside tenants to chat with employees in businesses.

Threat actors can transmit payloads right into a target’s Microsoft Teams chat by faking recipient IDs in POST requests.

These payloads are hosted on SharePoint sites and appear as files in the target’s Microsoft Teams environment. The flaw bypasses standard anti-phishing security measures, opening a channel through which threat actors can distribute malicious files.

Vendor response

Upon notifying Microsoft of the vulnerability, JUMPSEC received confirmation that it is a legitimate vulnerability. However, Microsoft found that it did not satisfy the requirements for immediate servicing, indicating that a fix or patch for the issue may not become available immediately.

Recommended actions

The following steps should be taken by organisations to reduce the risks posed by this vulnerability:

  1. Review External Tenant Messaging: Determine whether your company needs to communicate with external tenants to conduct business.
  2. Disable External Tenant Messaging: If external tenant messaging is not required, disable this capability in the Microsoft Teams Admin Centre to limit potential attack pathways.

[Screenshot: Microsoft Teams Admin Centre, external access settings]

Or, if some external communication is required, restrict external access to an allow-list of trusted domains:

[Screenshot: Choose which external domains to allow in Teams]
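The same review and restriction can be performed from the command line with the MicrosoftTeams PowerShell module. This is an added example, not part of the original post; the partner domain names are placeholders and the cmdlets require Teams administrator rights.

```powershell
# Added example (not from the original post): audit the tenant federation
# configuration and restrict external access to an allow-list of trusted domains.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Placeholder domains; replace with the external tenants your business works with.
$trustedDomains = @('partner-one.example', 'partner-two.example')

# 1. Review: the risky default is AllowFederatedUsers = $true with AllowedDomains set
#    to AllowAllKnownDomains, meaning any external tenant can start a chat with your users.
$fed = Get-CsTenantFederationConfiguration
$openFederation = $fed.AllowFederatedUsers -and
                  ($fed.AllowedDomains.GetType().Name -eq 'AllowAllKnownDomains')
if ($openFederation) {
    Write-Warning 'External access is enabled for ALL external domains (open federation).'
}

# 2a. Disable external tenant messaging entirely if the business does not need it:
#     Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 2b. Or keep external access but limit it to the trusted domains only.
$patterns  = $trustedDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# Verify the change before closing the session; only the trusted domains should be listed.
(Get-CsTenantFederationConfiguration).AllowedDomains.AllowedDomain.Domain
```

Changes to the federation configuration can take some time to propagate across the tenant, so re-run the verification step after a short wait if the list does not reflect the update immediately.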

Additional security measures you can apply

  1. Deploy Microsoft Defender: Attack Surface Reduction (ASR) rules and Defender security policies can be configured to block known attack vectors, prevent the execution of malicious files, and strengthen overall defence against malware.
  2. Deploy Azure Sentinel: Azure Sentinel provides advanced threat intelligence, proactive hunting, and automated response capabilities. By integrating Microsoft Teams logs with Azure Sentinel, organisations can improve their visibility into security events, identify suspicious activity, and address risks efficiently.

Azure Sentinel is your go-to resource for reporting on external collaboration activity. If you have deployed Azure Sentinel and configured the Microsoft 365 connector, enabling Microsoft Teams ingestion is a simple operation on the connector page. This is a new feature, so if you enabled the connector previously, the Microsoft Teams option might not have been available at the time.

[Screenshot: Office 365 Sentinel connector]

We are here to help

If you are not familiar with which external domains may be communicating with your Microsoft Teams instance, Data#3 can help you identify external domains and distinguish trusted from unknown sources. If your Microsoft 365 tenant doesn’t have strict controls in place to ensure it is well-governed, start with a Microsoft 365 Health Check today.

If you need ongoing support managing Microsoft 365 licensing and governance, we recommend the Microsoft 365 Optimiser service. If you’re interested in deploying Azure Sentinel, as an Azure Expert MSP we can help with that too.

Get in touch today if you need support to protect your Microsoft Teams users.