Researchers found a severe security vulnerability in Microsoft Teams that allows malware distribution. Specifically, an IDOR (insecure direct object reference) vulnerability in Microsoft Teams permits malicious file delivery from external sources. Exploiting the vulnerability puts organizations that use Microsoft Teams for routine work at risk.
Microsoft Teams IDOR Vulnerability
According to a recent advisory from JUMPSEC Labs, two of its researchers, Max Corbridge and Tom Ellson, discovered the malware-delivering IDOR vulnerability in the latest version of Microsoft Teams.
As explained, the researchers noticed that the default Microsoft Teams configuration allowed bypassing client-side security controls. In turn, this let an adversary deliver malware in maliciously crafted files to a target user, who could be tricked into accepting the file from an external tenant.
An incoming message from an external tenant usually comes with a warning banner clearly identifying the external sender. However, despite this clear alert, users often ignore such prompts and interact with the incoming messages. That is where attackers succeed in infecting target systems with malware.
Microsoft Teams normally limits such threats by restricting easy interactions from external tenants through client-side controls, particularly regarding file delivery.
However, the JUMPSEC researchers bypassed those security controls using a traditional IDOR technique. They switched the internal and external recipient IDs in the POST request, which usually goes to /v1/users/ME/conversations/<RECIPIENT_ID>/messages. As a result, malware actually hosted on a SharePoint domain appears to the victim as a file rather than as a link, so the target user will likely download it without any warning.
This technique bypasses almost all existing anti-phishing measures. Hence, it poses a serious threat to organizations, since attackers could abuse Microsoft Teams to target their networks.
Recommended Mitigations Until (And If) A Fix Arrives
Following this discovery, the researchers reported the vulnerability to Microsoft. While the tech giant acknowledged the bug’s legitimacy, it did not consider it to “meet the bar for immediate servicing”.
That means the vulnerability still exists and threatens organizations. Therefore, the researchers advise Microsoft Teams users to remain careful when interacting with emails from external tenants. Recommended measures range from reviewing whether external tenants are permitted to message the firm’s staff at all, to maintaining allow-lists of trusted external tenants, to training staff to handle such threats.
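As an added illustration of the defensive point behind the ID-swapping technique and the allow-list advice above (example code, not Microsoft’s implementation or JUMPSEC’s research), the check below derives the tenant relationship from the conversation’s actual participants on the server side, so whatever conversation ID the client puts in the request path cannot change the outcome. All tenants, users, conversations and the allow-list are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    user_id: str
    tenant_id: str

@dataclass
class Message:
    sender_id: str
    conversation_id: str  # the <RECIPIENT_ID>-style path value supplied by the client
    attachment_urls: list = field(default_factory=list)

# Constructed directory data (hypothetical tenants and users).
USERS = {
    "alice": User("alice", "corp"),
    "bob": User("bob", "corp"),
    "pat": User("pat", "partner"),
    "eve": User("eve", "ext"),
}
CONVERSATIONS = {
    "conv-internal": {"alice", "bob"},
    "conv-partner": {"alice", "pat"},
    "conv-ext": {"alice", "eve"},
}
# Allow-list: external tenants permitted to message each tenant's staff.
ALLOWED_EXTERNAL = {"corp": {"partner"}}

def authorize_message(msg: Message) -> tuple[bool, str]:
    """Decide server-side whether a message may be delivered to the conversation."""
    sender = USERS[msg.sender_id]
    participants = CONVERSATIONS.get(msg.conversation_id)
    # Membership is looked up from server state, never trusted from the request.
    if participants is None or msg.sender_id not in participants:
        return False, "sender is not a participant of this conversation"
    for pid in participants - {msg.sender_id}:
        recipient = USERS[pid]
        if recipient.tenant_id == sender.tenant_id:
            continue  # same tenant: ordinary internal delivery
        # Cross-tenant: the relationship is computed here, not read from client flags.
        if sender.tenant_id not in ALLOWED_EXTERNAL.get(recipient.tenant_id, set()):
            return False, f"tenant {sender.tenant_id!r} is not allow-listed for {recipient.tenant_id!r}"
        if msg.attachment_urls:
            return False, "file attachments from external tenants are not delivered"
    return True, "deliver"
```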
Have you reported this to Microsoft/relevant channels? Or are you just informing the users?