Researchers have uncovered a vulnerability that could allow attackers to deliver malware directly into employees’ Microsoft Teams inbox.
Many organizations configure their security controls so that external tenants can message their employees: members of other organizations and service providers can reach internal users.
By default these external users can't send files to employees of another organization, but the client-side security controls that disallow this can be bypassed.
Exploitation of the vulnerability can be performed by using a traditional IDOR technique of switching the internal and external recipient ID on the POST request. This allows the external attacker to send a malicious payload that will appear in the target’s inbox as a file for download.
The attacker could further increase the probability of a successful attack by registering a domain similar to the target organization’s domain, registering it with M365, and using an email address that mimics the address of a known member of the target organization.
The incoming message will be tagged with an “External” banner and the target will be warned to be extra careful when interacting with this “external” user, but a significant percentage of employees will likely ignore the warning.
This tactic sidesteps nearly all modern anti-phishing security controls, and particularly those related to email.
Researchers notified Microsoft of their finding and got a reply stating this vulnerability “did not meet the bar for immediate servicing.”
Organizations should take some extra steps to ensure safety:
- Remove the option for external tenants to contact employees (if it is not needed)
- Allow communication only with certain allow-listed domains.
- User training
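An added example, not from the researchers' report or from Microsoft, of how the first two recommendations map onto the tenant federation settings exposed by the MicrosoftTeams PowerShell module (assumed installed); the partner domains are placeholders:

```powershell
# Added example: audit and tighten Teams external access (federation).
# Assumes the MicrosoftTeams module is installed and the account has
# Teams administrator rights. Domain names below are placeholders.
Connect-MicrosoftTeams

# 1. Audit the current setting. AllowFederatedUsers = $true together with
#    an "allow all known domains" AllowedDomains value means any M365 tenant
#    can message your users, which is the precondition for the attack above.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains, AllowTeamsConsumer

# 2a. Option 1: external tenants do not need to reach staff at all.
#     Disabling federation removes the message (and therefore file) path entirely.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 2b. Option 2: keep external access, but only for an explicit allow-list.
#     Everything not listed is blocked; AllowFederatedUsers must stay $true.
$partnerDomains = @('partner-a.example', 'partner-b.example')   # placeholders
$patterns  = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 3. Personal (consumer) Teams accounts are a separate switch from tenant
#    federation; close that path too unless it is explicitly required.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false

# 4. Re-read the configuration to confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer
```

Because the allow-list replaces the previous AllowedDomains value rather than appending to it, run the audit step first and carry over any legitimate partner domains already present.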
Microsoft currently doesn’t provide logs that cover potentially malicious events originating from external tenants, and using web proxy logs to alert on staff members accepting external message requests offers very limited insight.