| property | value |
| --- | --- |
| tags | bloodhound,cyber-deception,pkm-pocket-pipeline,threat-hunting |
| url | |
| original_word_count | 34 |
Long Summary
Max Corbridge and Tom Ellson of JUMPSEC's Red Team discovered a vulnerability in the then-current version of Microsoft Teams that allows malware to be introduced into any organisation running Teams in its default configuration. The technique bypasses the client-side control that stops users in external tenants from sending files to staff inside the organisation. Microsoft Teams lets any user with a Microsoft account contact 'external tenancies', meaning any business or organisation that also uses Teams. When messaging staff in another organisation, users are blocked from sending them files; Corbridge and Ellson bypassed this control and delivered files into a target organisation. The flaw is an IDOR (insecure direct object reference): the file-sending restriction is enforced only in the client, and swapping the internal and external recipient IDs in the POST request that sends the message causes the file to be accepted and delivered to the target's Teams inbox.
This vulnerability affects every organisation using Teams in the default configuration and has huge potential reach, because it bypasses many traditional payload-delivery controls. An attacker can cheaply buy a domain resembling the target organisation's and register it with M365, avoiding the need for aged domains with web servers, landing pages, CAPTCHAs, domain categorisation and URL filtering. It also sidesteps the act staff have been trained for years to avoid, clicking a link in an email: the payload is served from a trusted SharePoint domain and arrives as a file in the target's Teams inbox.
JUMPSEC details remediation options and some detection opportunities. First, organisations should review whether there is a business requirement for external tenants to be able to message their staff at all; if not, they should remove that option entirely. If there is a requirement, they can restrict external access to an allow-list of specific partner domains, so that a look-alike domain registered by an attacker is never allowed to reach staff. Organisations should also educate staff that productivity apps such as Teams, Slack and SharePoint can be used to launch social-engineering campaigns, not only email. Finally, web proxy logs can be used to alert on, or at least establish baseline visibility of, staff accepting external message requests.
The vulnerability was demonstrated as an exploitable finding, and organisations should take the steps above to protect themselves.
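As an added example (not code from the JUMPSEC advisory or from Microsoft), the two remediation options above expressed with the MicrosoftTeams PowerShell module, which drives the same External Access settings found in the Teams admin centre: either switch off external tenant access altogether, or restrict it to an allow-list of named partner domains. The partner domain names are placeholders, and the property path used to read the allow-list back is assumed from the module's AllowList and DomainPattern objects.

```powershell
# Added example: restrict Teams External Access (tenant federation) with the
# MicrosoftTeams module. Requires Install-Module MicrosoftTeams and an account
# holding the Teams Administrator role. Domain names below are placeholders.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Record the current state before changing anything. The Teams default is
#    AllowFederatedUsers = $true with AllowedDomains = AllowAllKnownDomains,
#    i.e. any M365 tenant can message your staff.
$before = Get-CsTenantFederationConfiguration
"Before: AllowFederatedUsers={0} AllowTeamsConsumer={1} AllowedDomains={2}" -f `
    $before.AllowFederatedUsers, $before.AllowTeamsConsumer, $before.AllowedDomains

# Option A: no business need for external tenants to message staff -> switch it off.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# Option B: external access is needed -> allow-list only named partner domains.
# An attacker's look-alike domain registered with M365 is not on this list.
$partners  = @('partner-one.example', 'partner-two.example')   # placeholders
$patterns  = $partners | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowedDomains $allowList

# In both cases also block Teams personal (consumer) accounts, which the
# AllowedDomains list does not govern.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# 2. Verify: only the partner domains should come back. (Property path assumed
#    from the module's AllowList / DomainPattern objects.)
$after = Get-CsTenantFederationConfiguration
$after.AllowedDomains.AllowedDomain | Select-Object -ExpandProperty Domain
```

Run it from an elevated PowerShell session after `Install-Module MicrosoftTeams`; the allow-list replaces, rather than appends to, any existing list, so include every partner domain in `$partners` in one go.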
Short Summary
📓 Advisory: IDOR in Microsoft Teams Allows for External Tenants to Introduce Malware
👉🏽 Discovery of a Microsoft Teams vulnerability by JUMPSEC's Red Team.
👉🏽 Vulnerability allows possible introduction of malware into any organisation using Teams.
👉🏽 Bypasses client-side security controls to send files (malware) to staff.
👉🏽 Microsoft Teams allows any user with a Microsoft account to reach out to external tenancies.
👉🏽 JUMPSEC found a way to bypass this security control and send files to a target organisation.
👉🏽 Vulnerability affects every organisation using Teams in the default configuration.
👉🏽 Potential reach is huge as it bypasses traditional payload-delivery security controls.
👉🏽 JUMPSEC offers detailed remediation options and detection opportunities.
👉🏽 Organisations should review external tenant messaging requirements and tighten security controls.
👉🏽 Educate staff that productivity apps can be used to launch social-engineering campaigns, and monitor web proxy logs.
🔗 source link: https://labs.jumpsec.com/advisory-idor-in-microsoft-teams-allows-for-external-tenants-to-introduce-malware/
🔗 summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/advisory-idor-in-microsoft-teams-allows-for-external-tenants-to-introduce-malware
#TeamsVulnerability #MalwareAttack #ExternalTenants #SecurityControls #RemediationOptions