Intruder from within, or is it?


Red Team members found a way to misuse MS Teams to deliver malware to an organization.

If you had to pinpoint one thing that has changed the way we interact with our work colleagues in recent years, it would be Microsoft Teams, a cloud-based business communication platform developed by Microsoft as part of the Microsoft 365 family of products. It provides video calls, file storage, shared workspaces and, most commonly, chat.

The platform’s popularity skyrocketed during the pandemic, when not only companies but also universities, schools and other organizations used MS Teams for their day-to-day work interactions. In 2023, Microsoft Teams reached 280 million monthly active users, most of them of working age. MS Teams and the many apps embedded in the platform, however convenient, have recently faced their own cybersecurity reckoning, proving that cloud security solutions are more relevant than ever.

Trouble in paradise

Due to the platform’s growing number of users, MS Teams has attracted the attention not only of cybersecurity experts but also of criminals. Members of the Red Team at UK-based security services provider Jumpsec discovered a way to deliver malware through Microsoft Teams from an account outside the target organization.

What they discovered is that it is quite easy to misuse the platform’s “external tenants” communication functionality. On its own, allowing external MS Teams profiles to contact people within an organization directly could be misused for social engineering and phishing attacks, but Jumpsec found an even more powerful method, one that allows a malicious payload to be sent directly to the target’s inbox.

Even though Microsoft Teams has client-side protection, the Red Team members found a way to bypass the restriction by changing the internal and external recipient ID in the POST request of a message. That way, they were able to fool the system into treating an external user as an internal account. The message then appears on the recipient’s device as coming from an internal account; therefore, any subsequent social engineering attempts would not face intense scrutiny. By bypassing the existing security measures, this method gives attackers an easy way to introduce threats into organizations using MS Teams.


The story continues

Unfortunately, according to Microsoft’s guidelines, this bug does not classify as urgent, and it has been left unresolved. In response, a Red Team member of the US Navy published a tool called TeamsPhisher that leverages the issue.

The tool is Python-based and enables an automated attack in which the attacker supplies the malware as an attachment, together with a message and a list of targets (Teams users). It automatically uploads the attachment to the sender’s SharePoint and then iterates through the list of targets. For each target, it first verifies that the account exists and is able to receive external messages, which is a requirement for the attack vector to succeed. It then creates a new thread with the target and sends a message containing a SharePoint link.

After the messages have been sent, the tool gives the attacker the option to review the target list and check how the message appears.

The issue that allows TeamsPhisher to exploit the platform remains unresolved on Microsoft’s side. According to the Jumpsec researchers, Microsoft’s position is that it does not meet the bar for immediate mitigation. However, while the attack tool was created for authorized Red Team operations, threat actors can leverage it to deliver malware to targeted organizations without being easily noticed.

Our recommendations for safer use of cloud-based services:

  • Use the latest version of your PC’s Windows operating system
  • Never blindly trust external and internal message requests
  • In case of suspicion, contact your company’s IT admin immediately
  • If possible, within your company, disable the option to communicate with externals
  • Use a reliable security solution
  • Always back up files
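The fourth recommendation above, restricting communication with external tenants, is a tenant-wide Teams setting that an administrator can audit and enforce. The PowerShell below is an added example, not code from the original post, from Jumpsec or from ESET; it assumes the MicrosoftTeams PowerShell module and a Teams administrator account, and the domains in $TrustedPartners are constructed placeholders.

```powershell
# Added example: audit the Teams tenant federation settings that govern whether
# external tenants can start chats with your users, and optionally tighten them.
# Assumes the MicrosoftTeams module; run with -Enforce to apply the changes.
param(
    [switch]$Enforce,
    # Constructed placeholder partner domains; replace with your own allow list.
    [string[]]$TrustedPartners = @('partner-a.example', 'partner-b.example')
)

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

$cfg = Get-CsTenantFederationConfiguration

# Report the settings that matter for the external-tenant delivery path.
$report = [ordered]@{
    'AllowFederatedUsers (other Teams tenants)' = $cfg.AllowFederatedUsers
    'AllowPublicUsers (Skype consumer)'         = $cfg.AllowPublicUsers
    'AllowTeamsConsumer (personal Teams)'       = $cfg.AllowTeamsConsumer
    'AllowTeamsConsumerInbound'                 = $cfg.AllowTeamsConsumerInbound
    'AllowedDomains'                            = "$($cfg.AllowedDomains)"
    'BlockedDomains'                            = "$($cfg.BlockedDomains)"
}
$report.GetEnumerator() | Format-Table -AutoSize

# Open federation (any external tenant may message anyone) is the condition the
# Jumpsec finding relies on. Assumption: with no allow list the AllowedDomains
# value renders as 'AllowAllKnownDomains', which is how the cmdlet displays it.
$openFederation = $cfg.AllowFederatedUsers -and
                  ("$($cfg.AllowedDomains)" -match 'AllowAllKnownDomains')
if ($openFederation) {
    Write-Warning 'External access is open to every Teams tenant.'
}

if ($Enforce) {
    # Strictest option, matching the recommendation above: no external tenants at all.
    # Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

    # Middle ground: keep federation, but only with named partner domains, and
    # close the consumer/Skype paths that the same attack surface shares.
    $patterns  = $TrustedPartners | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    Set-CsTenantFederationConfiguration -AllowedDomains $allowList `
        -AllowPublicUsers $false -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false
    Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains
}
```

Run it without -Enforce first; the report alone shows whether the tenant accepts chats from arbitrary external accounts.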

How ESET protects your company against such threats

ESET Cloud Office Security is an effective multitenant and scalable service that protects the entire Office 365 suite, including MS Teams, OneDrive and SharePoint Online. The good news is that, apart from its other functions, the product has built-in malware protection for Exchange Online, OneDrive, SharePoint and Teams, which is able to detect and delete or quarantine a malicious file sent to the victim from outside the organization, rendering the attacker’s effort to appear as an insider irrelevant. ECOS scans all files transmitted through MS Teams and all files uploaded to or downloaded from SharePoint Online by ECOS-protected users.

ECOS caters to a wide range of customers, from SoHo to Enterprise and MSPs. ESET Cloud Office Security can be managed through a web-based console with user-centric, issue-centric and group-centric views.

MS Teams and other cloud-based services are not going anywhere. It is therefore always worth knowing how to protect oneself and using a trusted security solution. The threats are on the rise and will continue to grow more sophisticated.

To read more about cybersecurity trends in 2023, download our report.