The red team of the U.S. Navy has recently introduced a new tool named “TeamsPhisher”. Its primary objective is to exploit a security vulnerability within Microsoft Teams, enabling it to circumvent restrictions on incoming files from external users, specifically those from targeted organizations or external tenants.
Researchers from Jumpsec, have discovered a straightforward method to deliver malware to an organization through Microsoft Teams, utilizing the application’s client-side protections. By modifying the ID in the POST request of a message, the tool can deceive the system into treating an external user as an internal one.
The tool called TeamsPhisher is a Python-based application that offers a fully automated attack approach. It incorporates the attack concept developed by cybersecurity researchers at Jumpsec and utilizes functionalities from the ‘TeamsEnum’ tool. According to Alex Reid, the developer of TeamsPhisher, the tool allows users to provide an attachment, a message, and a list of target Teams users.
It proceeds by uploading the attachment to the sender’s Sharepoint and systematically iterating through the target list. TeamsPhisher begins by enumerating the target users to verify their existence and confirm their ability to receive external messages. Subsequently, it creates a new thread with the target user, resembling a “group” chat. This ingenious technique, suggested by @Medu554, involves including the target’s email twice, effectively bypassing the ‘Someone outside your organization messaged you, are you sure you want to view it’ splash screen, which might raise suspicion. Once the new thread is established between the sender and the target, the specified message, along with a link to the attachment in Sharepoint, is sent to the user.
After the initial message is sent, the created thread becomes visible in the sender’s Teams graphical user interface. If necessary, it can be manually interacted with on a case-by-case basis. This allows for flexibility and customization in handling individual threads as needed.