The “TeamsPhisher” cybersecurity tool provides a means for both pen testers and malicious actors to send harmful files directly to a Teams user via an external account or tenant.
Attackers can now exploit a recently revealed vulnerability in Microsoft Teams by using a new tool available on GitHub to automatically distribute malicious files to specific Teams users within an organization.
The attack is possible because the protections provided by the application can be tricked, allowing an external user to be treated as an internal user simply by changing the identifier in a message’s POST request.
TeamsPhisher utilizes a method that was recently disclosed by two JUMPSEC Labs researchers to bypass a security feature in Microsoft Teams. The messaging platform allows communication between users in different organizations but prohibits them from sharing files.
According to the description provided by the tool's developer, red teamer Alex Reid, TeamsPhisher can be given an attachment, a message, and a list of target users on Teams. It then uploads the attachment to the sender’s SharePoint and cycles through the list of targets.
For each target, it creates a new thread and sends a message that includes a SharePoint attachment link. The thread appears in the sender’s Teams interface for possible manual interaction.
To use TeamsPhisher, you need a Microsoft Business account with a valid license for Teams and SharePoint. This is something that is usually required by large businesses. MFA mode is also supported.
The tool has a “preview mode” that helps users confirm their target lists and check how the messages will appear from the recipient’s perspective.
TeamsPhisher's optional parameters make the attack more configurable. Secure file links that are accessible only to the intended recipient can be generated. A time interval between message transmissions can be specified to prevent system overload. Lastly, output can be written to a designated log file.
Although the issue that TeamsPhisher relies on still exists, Microsoft informed the JUMPSEC researchers that immediate assistance would not be feasible at the present time.
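A defender-side detection sketch for the delivery pattern described above (an external sender opening new threads that carry a link to a SharePoint host outside the organization), added here as an example and not part of TeamsPhisher or the original article. The event fields, tenant IDs, addresses and threshold are constructed assumptions; it counts distinct recipients per sender over the whole batch rather than a message rate, so spacing messages apart does not hide the fan-out.

```python
from collections import defaultdict
from urllib.parse import urlparse

# All values are constructed; the event fields are a hypothetical
# normalized schema, not a Microsoft log format.
HOME_TENANT = "tenant-home"
HOME_SHAREPOINT_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}
FANOUT_THRESHOLD = 3  # distinct recipients per external sender (assumed tuning)

def ev(ts, sender, tenant, recipient, new_thread, url):
    return {"ts": ts, "sender": sender, "sender_tenant": tenant,
            "recipient": recipient, "new_thread": new_thread, "urls": [url]}

EXT = "https://fabrikam-my.sharepoint.com/personal/helpdesk/Documents/update.zip"
SAMPLE_EVENTS = [
    ev(0,    "helpdesk@fabrikam.example", "tenant-ext", "ana@contoso.example", True, EXT),
    ev(900,  "helpdesk@fabrikam.example", "tenant-ext", "ben@contoso.example", True, EXT),
    ev(1800, "helpdesk@fabrikam.example", "tenant-ext", "cy@contoso.example", True, EXT),
    ev(100,  "dee@contoso.example", "tenant-home", "ana@contoso.example", True,
       "https://contoso.sharepoint.com/sites/hr/policy.docx"),
    ev(200,  "sales@partner.example", "tenant-partner", "ben@contoso.example", True,
       "https://partner.example/brochure.pdf"),
    ev(300,  "ops@northwind.example", "tenant-nw", "cy@contoso.example", True,
       "https://northwind.sharepoint.com/sites/ops/plan.xlsx"),
]

def foreign_sharepoint_hosts(urls):
    """SharePoint hosts in urls that are not the home tenant's own."""
    hosts = set()
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        # Suffix match on the parsed hostname rejects look-alikes such as
        # sharepoint.com.evil.example.
        if host.endswith(".sharepoint.com") and host not in HOME_SHAREPOINT_HOSTS:
            hosts.add(host)
    return hosts

def external_file_link_senders(events):
    """Group new-thread messages from other tenants that link to foreign SharePoint."""
    seen = defaultdict(lambda: {"recipients": set(), "hosts": set()})
    for e in events:
        if e["sender_tenant"] == HOME_TENANT or not e["new_thread"]:
            continue
        hosts = foreign_sharepoint_hosts(e["urls"])
        if hosts:
            seen[e["sender"]]["recipients"].add(e["recipient"])
            seen[e["sender"]]["hosts"] |= hosts
    return {s: {"recipients": sorted(d["recipients"]), "hosts": sorted(d["hosts"]),
                "fanout": len(d["recipients"]) >= FANOUT_THRESHOLD}
            for s, d in seen.items()}
```

Every returned sender warrants review; `fanout` marks those that reached the recipient threshold and should be triaged first.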