The popular Microsoft Teams online conferencing service has a flaw that could allow a hacker to send malicious attachments to a Teams group from outside the organization. A member of the US Navy has created a tool that takes advantage of this flaw in an effort to make businesses aware of the issue.
Alex Reid, a member of the US Navy’s Red Team, published the tool, which he calls TeamsPhisher, on GitHub. The Red Team’s goal, according to PCWorld, is to simulate hacker attacks and then come up with ways for the affected users to fight off these attacks.
The program’s README file offers some info on how the Python-based tool works:
Give TeamsPhisher an attachment, a message, and a list of target Teams users. It will upload the attachment to the sender’s Sharepoint, and then iterate through the list of targets.
TeamsPhisher will first enumerate the target user and ensure that the user exists and can receive external messages. It will then create a new thread with the target user. Note this is technically a “group” chat because TeamsPhisher includes the target’s email twice; this is a neat trick from @Medu554 that will bypass the “Someone outside your organization messaged you, are you sure you want to view it” splash screen that can give our targets reason for pause.
With the new thread created between our sender and the target, the specified message will be sent to the user along with a link to the attachment in Sharepoint.
Once this initial message has been sent, the created thread will be visible in the sender’s Teams GUI and can be interacted with manually if need be on a case-by-case basis.
The README file does say that businesses that use Teams can prevent something like TeamsPhisher from accessing their meetings “by managing the options related to external access via the Microsoft Teams admin center under Users -> External access.” Teams admins can choose to set up a “universal block as well as whitelisting only specific external tenants for communications.”
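The same external-access setting can be checked from PowerShell instead of the admin center. The sketch below is an added example, not code from TeamsPhisher or from Microsoft; the function name, the sample objects and the domain partner.example are made up for illustration, and it assumes the MicrosoftTeams PowerShell module for the live commands shown in the comments.

```powershell
# Added example: classify a tenant's Teams external-access posture.
# $Config is the object returned by Get-CsTenantFederationConfiguration
# (MicrosoftTeams module). Get-TeamsExternalExposure is a hypothetical helper.
function Get-TeamsExternalExposure {
    param([Parameter(Mandatory)] $Config)

    # Universal block: no external tenant can start a chat with users.
    if (-not $Config.AllowFederatedUsers) {
        return 'Blocked: external tenants cannot message users'
    }

    # Assumption: open federation renders as 'AllowAllKnownDomains' when the
    # AllowedDomains property is converted to a string; confirm this against
    # the module version you run.
    $domains = "$($Config.AllowedDomains)"
    if ($domains -match 'AllowAllKnownDomains') {
        return 'Open: any external tenant can message users'
    }
    if ([string]::IsNullOrWhiteSpace($domains)) {
        return 'Unknown: AllowedDomains is empty, review manually'
    }
    return "Allowlist: only $domains can message users"
}

# Constructed sample objects so the function can be exercised offline.
$samples = @(
    [pscustomobject]@{ AllowFederatedUsers = $true;  AllowedDomains = 'AllowAllKnownDomains' }
    [pscustomobject]@{ AllowFederatedUsers = $true;  AllowedDomains = 'partner.example' }
    [pscustomobject]@{ AllowFederatedUsers = $false; AllowedDomains = 'AllowAllKnownDomains' }
)
$samples | ForEach-Object { Get-TeamsExternalExposure -Config $_ }

# Against a live tenant (requires a Teams administrator role):
#   Connect-MicrosoftTeams
#   Get-TeamsExternalExposure -Config (Get-CsTenantFederationConfiguration)
#
# Universal block:
#   Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
#
# Allow only specific external tenants:
#   $list = New-Object Collections.Generic.List[String]
#   $list.Add('partner.example')
#   Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList $list
```

A result of "Open" is the configuration in which the external messages described in the README can reach users.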
BleepingComputer received a comment from a Microsoft spokesperson about this Teams issue:
We’re aware of this report and have determined that it relies on social engineering to be successful. We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.
Basically, it sounds like Microsoft doesn’t feel like this is a flaw with Teams itself, but that admins and users simply need to not open, click on, or accept files or links they don’t know about. That’s good advice for any online activity.