
A tool developed by cybersecurity experts is exploiting a vulnerability in Microsoft Teams to spread malware to end users.

The US Navy’s Red Team recently developed the TeamsPhisher tool, which allows it to spread malware via a vulnerability in Microsoft Teams. The security vulnerability in question allows it to bypass restrictions on incoming files from users outside an organization, known as external tenants.

Client-side protection features can be manipulated to treat an external user as internal. This can be done simply by changing the ID in a message’s POST request. Then, without restrictions on external participants, files containing malware can be sent.

This vulnerability was discovered by Jumpsec researchers last month and has not yet been addressed by Microsoft.

Operation TeamsPhisher

The Python-based tool TeamsPhisher enables fully automated attacks. Hackers provide the tool with an attachment, a message and a participant list of Teams users to be attacked, after which TeamsPhisher automatically uploads the attachment to the sender’s SharePoint environment.

Next, TeamsPhisher verifies that the targeted end users exist and that they can receive external messages. This is a requirement for the hacking method to work.

A new chat or thread is then set up with these end users and a message is sent with the SharePoint attachment. The thread or chat appears in the victims’ Teams interface for possible manual interaction.
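For defenders, the sequence described above (an external tenant opens a new chat, then sends a link to a file in its own SharePoint) can be hunted for in chat telemetry. The following is an added example, not code from TeamsPhisher or from the original article; the event schema, tenant IDs and host names are hypothetical, and the sample events are constructed.

```python
from urllib.parse import urlparse

# Assumptions (hypothetical schema, not a real Microsoft 365 audit format).
HOME_TENANT = "tenant-home"
HOME_SHAREPOINT_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}

# Constructed sample events, normalized from chat telemetry.
EVENTS = [
    {"time": "2024-01-01T09:00:00Z", "event": "chat_created", "chat_id": "c1",
     "sender": "it-support@fabrikam.example", "sender_tenant": "tenant-ext1",
     "recipients": ["alice@contoso.example"], "links": []},
    {"time": "2024-01-01T09:00:02Z", "event": "message_sent", "chat_id": "c1",
     "sender": "it-support@fabrikam.example", "sender_tenant": "tenant-ext1",
     "recipients": ["alice@contoso.example"],
     "links": ["https://fabrikam-my.sharepoint.com/personal/it/Documents/update.zip"]},
    {"time": "2024-01-01T09:05:00Z", "event": "chat_created", "chat_id": "c2",
     "sender": "bob@contoso.example", "sender_tenant": "tenant-home",
     "recipients": ["partner@northwind.example"], "links": []},
    {"time": "2024-01-01T09:06:00Z", "event": "message_sent", "chat_id": "c2",
     "sender": "partner@northwind.example", "sender_tenant": "tenant-ext2",
     "recipients": ["bob@contoso.example"],
     "links": ["https://northwind.sharepoint.com/sites/project/plan.docx"]},
]

def foreign_sharepoint_links(links):
    """Return links hosted on a SharePoint tenant other than our own."""
    hits = []
    for url in links:
        host = (urlparse(url).hostname or "").lower()
        if host.endswith(".sharepoint.com") and host not in HOME_SHAREPOINT_HOSTS:
            hits.append(url)
    return hits

def find_suspicious_chats(events):
    """Flag chats opened by an external tenant that then deliver a foreign SharePoint link."""
    opened_by = {}  # chat_id -> external sender that created the chat
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["sender_tenant"] == HOME_TENANT:
            continue  # internal senders are out of scope for this hunt
        if ev["event"] == "chat_created":
            opened_by[ev["chat_id"]] = ev["sender"]
        elif ev["event"] == "message_sent" and opened_by.get(ev["chat_id"]) == ev["sender"]:
            links = foreign_sharepoint_links(ev["links"])
            if links:
                findings.append({"chat_id": ev["chat_id"], "sender": ev["sender"],
                                 "recipients": ev["recipients"], "links": links})
    return findings
```

Chat `c2` is not flagged because an internal user opened it; only the unsolicited external chat `c1` is reported.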

Microsoft’s response

In a response to BleepingComputer, Microsoft says it is rushing to fix this vulnerability because users are primarily susceptible to it through social engineering.

The tech giant advises end users to practice good computing habits at all times, such as thinking before clicking on links and opening unknown files.
