![]() The malicious payload is delivered into a target’s Microsoft Teams inbox, as a file for download (Source: Jumpsec) Microsoft Teams as a vehicle for malware delivery Once on the call this vulnerability was leveraged to deliver a payload and, when combined with a full social engineering attack, was implicitly trusted by the target.” “When using this on a real engagement the pretext of an IT technician was used to ask the target if they could jump on a call to update some critical software. “When this vulnerability is combined with social engineering via Teams it becomes very easy to start a back-and-forth conversation, jump on a call, share screens, and more,” Corbridge noted. The incoming message will be tagged with an “External” banner and the target will be warned to be extra careful when interacting with this “external” user, but a significant percentage of employees will likely ignore the warning. The malicious party could further increase the probability of a successful attack by registering a domain similar to the target organization’s domain, registering it with M365, and using an email address that mimics the address of a known member of the target organization. This allows the external tenant/attacker to send a malicious payload that will appear in the target’s inbox as a file for download. “Exploitation of the vulnerability was straightforward using a traditional IDOR technique of switching the internal and external recipient ID on the POST request,” they explained. These external users (tenants) by default can’t sent files to employees of another organization, but the client-side security controls that disallow this can be bypassed, Corbridge and fellow researcher and Jumpsec’s Head of Offensive Security Tom Ellson discovered. ![]() There’s a reason for that: they may want and need to allow communications via Teams with members of other organizations, service providers, and so on. ![]() Many organizations have permissive security controls that allow external tenants (M365 users outside the organization) to message their employees. With a social engineering pretext to prime the target, a malware delivery attack exploiting this vulnerability has a considerable chance of success. “Organisations that use Microsoft Teams inherit Microsoft’s default configuration which allows users from outside of their organisation to reach out to their staff members,” Jumpsec researcher Max Corbridge explained. Security researchers have uncovered a bug that could allow attackers to deliver malware directly into employees’ Microsoft Teams inbox.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |