TeamsPhisher tool exploits MS Teams bug to bypass security

July 20, 2023

The United States Navy’s red team has revealed a malicious tool called TeamsPhisher that could exploit a flaw in Microsoft Teams to bypass restrictions on incoming files from users outside a targeted entity.

Based on reports, an attacker could use the tool to bypass Microsoft Teams’ file-sending restrictions and deliver malware from an external account. This is possible because the app relies on exploitable client-side protections, which allow an external user to be treated as an internal one by altering the ID in the POST request of a message.

TeamsPhisher is inspired by a couple of tools that have proven to be efficient kits.

According to investigations, TeamsPhisher is a Python-based tool that could enable its operators to execute a fully automated attack. Its developers adopted the attack strategy of a researcher, along with authentication and helper functions from another phishing tool.

Researchers stated that TeamsPhisher can operate once it is given an attachment, a message, and a list of targeted MS Teams users. The process starts by uploading the attachment to the sender’s SharePoint and then iterating through the target list.

Next, TeamsPhisher verifies that the target user exists and is able to receive external messages, which is a primary requirement for the attack to work. The tool then creates a new thread with the target and sends them a message with a SharePoint attachment link. Subsequently, the thread appears in the sender’s Teams interface for possible manual interaction.

Furthermore, TeamsPhisher requires its users to have an MFA-supported MS Business account with a valid SharePoint and Teams license, which is typical for several major companies.

The tool also provides a “preview mode” to help users verify the set target lists and check how messages appear from the recipient’s perspective.

Lastly, TeamsPhisher could refine an attack process through other features and operational arguments. These include sending secure file links that can only be viewed by the specified recipient, selecting a delay between message transmissions to avoid rate limiting, and writing outputs to a log file.
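A defender's view of the delivery pattern described above, as an added example that is not part of the original article or of the tool: it flags an external sender who opens new threads carrying a SharePoint link with several internal users inside a short window. The event schema, tenant name, addresses and thresholds are constructed assumptions, not the Microsoft 365 audit-log format.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample events in a hypothetical, simplified schema:
# (timestamp_seconds, sender, recipient, opens_new_thread, link_in_message)
TENANT = "corp.example"                         # assumed internal domain
SP = "https://vendor-my.sharepoint.com/doc"     # constructed link
EVENTS = [
    (0,   "it-help@vendor.example", "alice@corp.example", True,  SP + "1"),
    (30,  "it-help@vendor.example", "bob@corp.example",   True,  SP + "1"),
    (60,  "it-help@vendor.example", "carol@corp.example", True,  SP + "1"),
    (100, "pm@partner.example",     "dave@corp.example",  True,  SP + "2"),
    (120, "pm@partner.example",     "dave@corp.example",  False, None),
    (200, "eve@corp.example",       "alice@corp.example", True,  SP + "3"),
    (210, "eve@corp.example",       "bob@corp.example",   True,  SP + "3"),
]

def is_external(addr, tenant=TENANT):
    return addr.rsplit("@", 1)[-1].lower() != tenant

def has_sharepoint_link(url):
    host = (urlparse(url or "").hostname or "").lower()
    return host.endswith(".sharepoint.com")

def find_campaigns(events, min_targets=3, window=600):
    """Return {sender: sorted recipients} for external senders that opened
    new threads with a SharePoint link to at least `min_targets` distinct
    internal users within `window` seconds."""
    hits = defaultdict(list)
    for ts, sender, to, new_thread, url in events:
        if (new_thread and is_external(sender)
                and not is_external(to) and has_sharepoint_link(url)):
            hits[sender].append((ts, to))
    campaigns = {}
    for sender, msgs in hits.items():
        msgs.sort()
        start = 0
        for end in range(len(msgs)):            # sliding time window
            while msgs[end][0] - msgs[start][0] > window:
                start += 1
            targets = {to for _, to in msgs[start:end + 1]}
            if len(targets) >= min_targets:
                campaigns.setdefault(sender, set()).update(targets)
    return {s: sorted(t) for s, t in campaigns.items()}
```

A long delay between messages, which the tool supports, stretches the fan-out past a short window, so the window has to be tuned against the spacing seen in real traffic.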
