A newly discovered vulnerability in Microsoft Teams allows an external account to deliver malware directly to targets.

Microsoft Teams is one of the most widely used corporate messaging platforms on the market, making it a tempting target for bad actors. According to Max Corbridge and Tom Ellson, researchers at security firm Jumpsec, the app has a major vulnerability that could allow bad actors to deliver malware to a target organization.

The researchers say bad actors are looking for new ways to deliver malware to organizations as security measures are increasingly tightened, limiting traditional delivery methods. Microsoft Teams External Tenants is providing a novel way to do just that. The feature allows users outside an organization to communicate with internal employees. Teams does block users from sending files to users in another company, but Jumpsec’s researchers found a way to circumvent that.

The exploit involves hosting a malware file on a Sharepoint domain before sending it to the target inbox. Because the file is hosting on a Sharepoint domain, it will appear in the target’s inbox as a file not a link, undermining years of training employees not to click on links in messages.

The researchers outline why this is such a major concern:

The true reason I see this to be a potentially lucrative avenue for threat actors to deliver payloads is the fact that this bypasses nearly all modern anti-phishing security controls mentioned in the introduction of this advisory.

Firstly, it is very straightforward to buy a domain similar to your target organisations and register it with M365. It avoids the need to use mature domains, with web servers, landing pages, CAPTCHAs, domain categorisation, and URL filtering. This is a huge time saver, as this can cost several days or more on a red team engagement when setting up the various bits of infrastructure needed for a convincing phishing campaign.

Secondly, it avoids the now-rightfully-dangerous act of clicking on a link in an email, something that staff have been trained to avoid for years now, greatly reducing the likelihood of a typical staff member detecting this as a phishing attack. The payload will now be served by a trusted Sharepoint domain, and will arrive in the form of a file in a target’s Teams inbox. As such, the payload inherits the trust reputation of Sharepoint, not a malicious phishing website.

Finally, when this vulnerability is combined with social engineering via Teams it becomes very easy to start a back-and-forth conversation, jump on a call, share screens, and more. By comparison, it makes social engineering via email feel very stagnant, and stop-start. When using this on a real engagement the pretext of an IT technician was used to ask the target if they could jump on a call to update some critical software. Once on the call this vulnerability was leveraged to deliver a payload and, when combined with a full social engineering attack, was implicitly trusted by the target.

Jumpsec notified Microsoft of the issue, and the company agreed it was a vulnerability, but said it ‘did not meet the bar for immediate servicing.’ Since Microsoft has no plans to address the issue, the security firm recommends that companies change their Teams settings, where possible, to eliminate contact without outside organizations, or to limit contact to a pre-approved list of outside companies.

In addition, since limiting contact may not be possible, companies should expand their training to educate their staff of these new kinds of threats.