Security 6.07.2023

US Navy-developed tool exploits Microsoft Teams flaw to send malware

US Navy red team member Alex Reid has published a tool that exploits a vulnerability in Microsoft Teams to sidestep restrictions for incoming files from outside a user’s organisation.

Dubbed TeamsPhisher, the tool was created for penetration testers who play the role of the enemy — the red team. However, malicious actors could use it to send malware to Microsoft Teams users at a targeted organisation.

Effectively, the tool tricks Microsoft Teams' client-side protections into viewing an external user as internal by modifying the ID in the POST request of a message. The Python-based tool is fully automated.

“Give TeamsPhisher an attachment, a message, and a list of target Teams users,” its description reads.

“It will upload the attachment to the sender’s Sharepoint, and then iterate through the list of targets.”

TeamsPhisher first confirms the targeted user’s existence and ability to receive external messages before creating a new thread with the target and sending a Sharepoint attachment link.

The tool only works for users with a Microsoft Business account with an authentic Teams and Sharepoint licence.

However, this is common for many prominent companies, and the exploit even works against accounts protected by Multi-Factor Authentication.

In addition to offering a preview mode to let users verify targets and preview messages from the recipient’s perspective, TeamsPhisher also includes other features and arguments that could bolster an attack.

These include sending file links that can only be opened by the targeted recipient, specifying delays between sending messages to avoid rate limiting and noting outputs in a log file.

