US Navy Develops Tool to Exploit Flaw in Microsoft Teams, Sending Malware

Security experts from the US Navy have created a tool called TeamsPhisher to exploit a recently discovered vulnerability in Microsoft Teams. This flaw allows files sent from external accounts to be received in an organization’s inbox, bypassing the intended prohibition. The tool takes advantage of this vulnerability by tricking Teams into thinking that the external file has been sent from an internal account.

Exploiting the Flaw: TeamsPhisher, written in Python, automates the attack process. The operator writes a message, attaches the file, and provides a list of targets. The tool identifies which targets have external message reception enabled and sends only to those accounts. It also bypasses the “Someone outside your organization messaged you, are you sure you want to view it” prompt to reduce suspicion.

Functionality and Requirements: TeamsPhisher requires targets to have Microsoft Business accounts with Teams and SharePoint licenses, which many companies using Teams possess. The tool can delay messages to avoid rate limits and records its activities in a log file. By leveraging social engineering, the tool can deliver malware to Teams users with external messaging enabled.

Microsoft’s Response and Recommendations: Microsoft has not yet addressed the vulnerability, stating that it does not require immediate attention. The company acknowledges the existence of TeamsPhisher and advises users to exercise caution when receiving links or attachments. Users can disable external messages or choose to communicate only with trusted domains by adjusting their settings in the Microsoft Teams Admin Center.
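The same setting can be audited and changed from PowerShell instead of the Admin Center. The script below is an added example, not part of the original article or of Microsoft's guidance as quoted here. It assumes the MicrosoftTeams PowerShell module is installed and the signed-in account is a Teams administrator; the partner domains are constructed placeholders.

```powershell
# Added example: audit and restrict Teams external access (federation).
# Assumption: MicrosoftTeams module installed, run as a Teams administrator.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Properties that decide whether outside tenants can message your users.
$props = 'AllowFederatedUsers', 'AllowedDomains', 'BlockedDomains'

# 1. Record the current state before changing anything.
Write-Host 'Before:'
Get-CsTenantFederationConfiguration | Format-List $props

# Constructed placeholder domains. Replace with the partners you actually
# trust, or leave the array empty to block every external tenant.
$trustedDomains = @('partner.example', 'supplier.example')

if ($trustedDomains.Count -eq 0) {
    # Option A: disable external messages entirely.
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
}
else {
    # Option B: keep external messaging, but only with an explicit allow list.
    $allow = New-Object 'System.Collections.Generic.List[string]'
    foreach ($domain in $trustedDomains) { $allow.Add($domain) }
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                        -AllowedDomainsAsAList $allow
}

# 2. Confirm the tenant now reflects the intended policy.
Write-Host 'After:'
Get-CsTenantFederationConfiguration | Format-List $props
```

Policy changes can take some time to propagate across the tenant, so re-run the final check later before treating the restriction as effective.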

The US Navy’s development of TeamsPhisher highlights a flaw in Microsoft Teams that allows files from external accounts to bypass restrictions and enter an organization’s inbox. This tool demonstrates the potential for malicious actors to exploit the vulnerability and deliver malware to Teams users. While Microsoft has not prioritized immediate action, users are encouraged to exercise caution and adjust their settings to mitigate the risk of receiving malicious links or attachments. Microsoft’s response and future resolution of the issue remain to be seen.