A new cyberattack was recently discovered that leverages Microsoft Teams file sharing capabilities. This new attack shows how a threat actor can exploit legitimate features and configurations of Microsoft Teams to introduce malicious behavior when a received attachment is opened by the recipient of the file. Once opened, the behaviour observed reaches out to a Command and Control Infrastructure (C2) for
malware and bypasses Microsoft Teams inspection capabilities in place to identify and block malicious files. The Teams file sharing scenario is just like receiving a malicious email attachment in your email. With a configuration setting in Teams the organization can block external connections (potential threat actors) and this vulnerability goes away.
A version of this attack method, “GIFShell”, chains several Teams capabilities to execute the attack. The list of these vulnerabilities were reported by Bleeping Computer:
Bypassing Microsoft Teams security controls allows external users to send attachments to Microsoft Teams users.
- Modify sent attachments to have users download files from an external URL rather than the generated SharePoint link.
- Spoof Microsoft teams attachments to appear as harmless files but download a malicious executable or document.
- Insecure URI schemes to allow SMB NTLM hash theft or NTLM Relay attacks. Microsoft supports sending HTML base64 encoded GIFs, but does not scan the
byte content of those GIFs. This allows malicious commands to be delivered within a normal-looking GIF.
- Microsoft stores Teams messages in a parsable log file, located locally on the victim’s machine, and accessible by a low-privileged user.
- Microsoft servers retrieve GIFs from remote servers, allowing data exfiltration via GIF filenames.”
Bitdefender explains: “Once planted, the stager continuously scans Teams log files for incoming base64-
encoded GIFs, decodes them, and executes injected malicious commands on the compromised machine.”
The worst part is that because Microsoft Teams runs in the background, the GIF does not need to be opened for its commands to be executed. The GIFShell server receives the encoded outbound executed command running on the attacker’s server and automatically decodes the data and allows the attacker to see the output of the command running on the user’s end. Microsoft was informed of the vulnerability in June 2022 and settled that since no security boundaries were bypassed the issue would be reviewed for potential design changes in the future but would not be tracked by security.
Why is this important?
Teams has over 270 million users worldwide. Chances are that your organization uses it – either directly or to communicate and collaborate with partners.
What does this mean to me?
This illustrates how you can’t always rely on software providers to quickly address vulnerabilities, even when that software provider is Microsoft. A program that maximizes protections within your organization, combined with detailed cyber security awareness training and prompt detection of threats will reduce your company’s risk of an attack having serious repercussions to your business.
- Do not allow external communication by default in Microsoft Teams. Any access to external parties should be formally defined with approvals required to establish the communication with an external party. External connections that exist should be reviewed periodically and removed when no longer needed.
- If external communications are enabled, instruct users to not open received data files from unknown senders and to report the event to the appropriate team with the organization for investigation.
- Train users on how to identify phishing attempts targeting them and the appropriate response.
Commonality of attack