{"id":69618,"date":"2023-08-07T11:21:56","date_gmt":"2023-08-07T03:21:56","guid":{"rendered":"https:\/\/version-2.com\/?p=69618"},"modified":"2023-07-31T11:30:02","modified_gmt":"2023-07-31T03:30:02","slug":"intruder-from-within-or-is-it","status":"publish","type":"post","link":"https:\/\/version-2.com\/en\/2023\/08\/intruder-from-within-or-is-it\/","title":{"rendered":"Intruder from within, or is it?"},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

<\/h4>

Red Team members found a way to misuse MS Teams to deliver malware to an organization. <\/em><\/p>

If you had to pinpoint one thing that has in recent years changed the way we interact with our work colleagues, it would be Microsoft Teams<\/a>, a cloud-based business communication platform developed by Microsoft as part of the Microsoft 365 family of products. It gives space for video calls, file storage, workspace and, most commonly, chatting.<\/p>

The platform\u2019s popularity skyrocketed during the pandemic, when not only companies, but also universities, schools and other organizations used MS Teams for their day-to-day work interactions. In 2023, Microsoft teams monthly users have climbed up to 280 million active users<\/a>, with most of the users being of working age. MS Teams and the many apps embedded on the platform, however convenient, have recently faced their own cybersecurity reckoning, proving that cloud security solutions are more relevant than ever.<\/p><\/div>

Try ESET Cloud Office Security <\/a><\/span><\/div>

Trouble in paradise
<\/strong>
Due to the platform\u00b4s growing number of users, MS Teams has attracted the attention of not only cybersecurity experts but also criminals. Members of the Red Team at UK-based security services provider Jumpsec<\/a>discovered a way to deliver malware using Microsoft Teams<\/a> with an account outside the target organization.<\/p>

What they discovered is that it is quite easy to misuse the platform\u2019s \u201cexternal tenants\u201d communications functionality. On its own, enabling external MS Teams profiles to directly contact people within an organization could be misused for social engineering and phishing attacks, but Jumpsec found an even more powerful method, one that allows sending a malicious payload directly to the target\u2019s inbox.<\/p>

Even though Microsoft Teams has client-side protection, the Red Team members found a way to go around the restriction by changing the internal and external recipient ID in the POST request of a message. That way, they were able to fool the system into thinking an external user was in fact in internal account. The message would then appear on the recipient\u2019s device as coming from an internal account; therefore, any subsequent social engineering attempts wouldn\u2019t face intense scrutiny. This method, bypassing the existing security measures, gives attackers an easy way to introduce threats to organizations using MS Teams.<\/p><\/div>

ECOS caters to a wide range of users from SoHo, SMB, and both MSPs and Enterprise. <\/em><\/div><\/div>

The story continues <\/strong><\/p>

Unfortunately, according to Microsoft\u00b4s guidelines, this bug does not classify as urgent, and had been left unresolved. In response, a Red Team member of the US Navy published <\/a>a tool called TeamsPhisher<\/a> that leverages the issue.<\/p>

The tool is Python-based and enables an automated attack where the attacker sends the malware via an attachment, complete with a message and a list of targets (Teams users). It will automatically upload the attachment to the sender\u00b4s SharePoint and then iterates through the list of targets. It will first verify the existence of the targets and their ability to receive external messages. This is a requirement for the attack vector to be successful. It then creates a new thread with the target and sends a message with a SharePoint link.<\/p>

After the deployment of the attack, the tool gives the attacker an option to verify the target list and check the appearance of the message.<\/p>

The issue allowing TeamsPhisher to exploit the platform remains unresolved on Microsoft\u2019s side. According to the Jumpsec researchers<\/a>, Microsoft\u2019s position is that it does not meet the bar for immediate mitigation. However, while the attack tool was created for authorized Red Team operations, threat actors can leverage it to deliver malware to targeted organizations without being easily noticed.<\/p>

Our recommendations for safer cloud-based services use: <\/strong><\/p>