Security researchers from UK-based Jumpsec found a way to deliver malware through Microsoft Teams, bypassing the app’s restrictions on external files.

Attack Method

A vulnerability in Microsoft Teams is exploited by exploiting its default configuration, which allows communication with external tenant accounts. Researchers discovered that sending a malicious payload directly to a target’s inbox is a more powerful approach to social engineering and phishing attacks than just using the communication bridge alone. This new attack vector will allow malicious actors to bypass Microsoft’s security measures and gain access to their accounts. It is important for users to be aware of this vulnerability and take the necessary steps to secure their accounts.

Although Microsoft Teams has client-side protections in place to block file delivery from external tenants, the researchers found a way to circumvent these restrictions by manipulating the internal and external recipient IDs in a POST request, tricking the system into treating an external user as an internal one.

This technique hosts the payload on a SharePoint domain, but it appears as a file rather than a link in the target’s inbox. Through a covert red team engagement, the researchers demonstrated how the attack can bypass existing security measures and anti-phishing training.

As an added bonus, if an attacker registers a domain similar to the target organization’s on Microsoft 365, the messages will seem to originate from the internal source, increasing the likelihood that the target will download the file.

The researchers promptly reported their findings to Microsoft, but the company responded that the issue does not meet the bar for immediate servicing, indicating that it does not consider it a high-priority vulnerability.

Organizations using Microsoft Teams and not requiring regular communication with external tenants are advised to disable this feature from the Microsoft Teams Admin Center. If external communication channels need to be maintained, organizations can define specific domains in an allow-list to mitigate the risk of exploitation.

Additionally, the researchers have requested Microsoft to add external tenant-related events to the software’s logging, which could help prevent such attacks in real-time. Users can support this request to urge Microsoft to take action on the vulnerability.

Microsoft’s response

The researchers reported their findings to Microsoft, assuming that the impact was significant enough to guarantee an immediate response from the tech giant.

Although Microsoft confirmed the existence of the flaw, the reply was that “it does not meet the bar for immediate servicing,” meaning that the company does not see an urgency in fixing it.

BleepingComputer has also contacted Microsoft to ask when they plan to fix the issue and whether its severity has been reconsidered but we have not received a response by the time of publishing.

The recommended action for organizations that use Microsoft Teams and do not need to maintain regular communication with external tenants is to disable this feature from “Microsoft Teams Admin Center > External Access.”

If external channels of communication need to be maintained, organizations can define specific domains in an allow-list, to lower the risk of exploitation.

Jumpsec’s researchers also submitted a request to add external tenant-related events in the software’s logging, which could help prevent attacks as they unfold, so vote this up if you want to contribute to pressing Microsoft to take action.