The newly published GIFShell attack method, which operates through Microsoft Teams, is a perfect example of how threat actors can exploit legitimate features and configurations that have not been set up correctly.
Discovered by Bobby Rauch, the GIFShell attack technique enables bad actors to exploit several Microsoft Teams features to act as a command-and-control (C&C) channel for malware, and to exfiltrate data using GIFs without being detected by EDR and other network monitoring tools.
This attack requires a device or user that has already been compromised.
The core component of the attack lets an attacker create a reverse shell that delivers malicious commands through base64-encoded GIFs in Teams, and exfiltrates the output via GIFs retrieved by Microsoft's own infrastructure.
How does it work?
- To build this reverse shell, an attacker must first compromise a computer to plant the malware, which means the bad actor needs to convince the user to install a malicious stager, for example via phishing, that executes commands and uploads the command output via a GIF URL to a Microsoft Teams webhook.
- Once the stager is in place, the threat actor creates their own Microsoft Teams tenant and contacts other Microsoft Teams users outside of the organization.
- The threat actor can then use a GIFShell Python script to send a message to a Microsoft Teams user that contains a specially crafted GIF. This legitimate GIF image has been modified to include commands to execute on the target's machine.
- When the target receives the message, the message and the GIF are saved in Microsoft Teams' logs. Important to note: Microsoft Teams runs as a background process, so the GIF does not even need to be opened by the user for the attacker's commands to be received and executed.
- The stager monitors the Teams logs and, when it finds a GIF, extracts and runs the commands.
- Microsoft's servers connect back to the attacker's server URL to retrieve the GIF, which is named using the base64-encoded output of the executed command.
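As an added example (not code from the original article or from Rauch's tooling), the following defender-side heuristic flags GIF URLs whose filename is base64-encoded text, the naming pattern the article describes for carrying exfiltrated command output. The domains, sample URLs, "command output" and thresholds are constructed assumptions; in practice the input would be GIF references extracted from Teams chat records or proxy logs.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Heuristic thresholds: assumptions for this example, tune for your environment.
MIN_STEM_LEN = 16        # very short names decode to almost anything; skip them
PRINTABLE_RATIO = 0.95   # share of decoded bytes that must be printable text
_B64_NAME = re.compile(r"^[A-Za-z0-9+/_-]+=*$")


def decode_base64_name(stem):
    """Return decoded text if `stem` (filename without .gif) is base64,
    standard or URL-safe, that decodes to mostly printable text; else None."""
    if len(stem) < MIN_STEM_LEN or not _B64_NAME.match(stem):
        return None
    norm = stem.replace("-", "+").replace("_", "/").rstrip("=")
    norm += "=" * (-len(norm) % 4)               # restore any stripped padding
    try:
        raw = base64.b64decode(norm, validate=True)
    except (binascii.Error, ValueError):
        return None
    printable = sum(1 for b in raw if 32 <= b < 127 or b in b"\r\n\t")
    if printable / len(raw) < PRINTABLE_RATIO:
        return None
    return raw.decode("ascii", errors="replace")


def find_suspicious_gif_urls(urls):
    """Return (url, decoded_text) for each .gif URL whose filename is base64
    text, the naming pattern used to carry exfiltrated command output."""
    hits = []
    for url in urls:
        name = urlparse(url).path.rsplit("/", 1)[-1]
        if name.lower().endswith(".gif"):
            decoded = decode_base64_name(name[:-4])
            if decoded is not None:
                hits.append((url, decoded))
    return hits


# Constructed sample input: GIF URLs as they might be extracted from chat
# records or proxy logs. Domains and the "command output" are made up.
SAMPLE_OUTPUT = b" Volume in drive C has no label.\r\n Directory of C:\\Users\\alice\r\n"
SAMPLE_URLS = [
    "https://media.example.com/cats/funny-cat.gif",         # ordinary name
    "https://media.example.com/dGVzdA.gif",                 # 'test': too short
    "https://media.example.com/vacation_photos_2022.gif",   # decodes to binary
    "https://c2.example.net/"
    + base64.urlsafe_b64encode(SAMPLE_OUTPUT).decode().rstrip("=") + ".gif",
]
```

Only the last URL is reported; the third shows why the printable-text check matters, since its name is a valid base64 alphabet but decodes to binary garbage.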
As reported by Lawrence Abrams in BleepingComputer, Microsoft agrees that this attack method is a problem; however, it “does not meet the bar for an urgent security fix.” They “may take action in a future release to help mitigate this technique.” Microsoft is acknowledging this research but asserting that no security boundaries have been bypassed.
How to Secure Against the GIFShell Attack
- Disable External Access
- Disable external domain access
- Disable unmanaged external Teams users from starting conversations