Public Security Announcement: Microsoft Teams Vulnerabilities

What Issues Were Discovered?

Several critical vulnerabilities were discovered in the last few months that affect Microsoft Teams’ desktop application on all platforms, from Microsoft Windows to Linux and Apple macOS operating systems, and could be used by malicious actors to steal employee internal credentials and perform corporate data exfiltration. The “GIFShell” attack points to different Microsoft Teams’ vulnerabilities. By creating a reverse shell, attackers can use GIFs in Teams to deliver malicious commands and exfiltrate sensitive data, all while appearing as legitimate traffic.

Unsecure Credentials Storing

Microsoft Teams is built on Electron, a framework designed to create desktop applications using web technologies; it comes with all the elements used by any common web page, including cookies and session strings. However, Electron does not support encryption or protected file locations by default. Vectra discovered a file that contained active user tokens stored in clear text, without any time of protection. Using these tokens, they could get access to Outlook and Skype APIs, and even more data, including valid authentication tokens and account information. They could even develop an exploit and receive these tokens in clear text, in a chat window.

Should a malicious actors manage to get access into a company network, they could steal these authentication tokens and use them to log into employees’ accounts, de facto impersonating them, and gaining access to all the servers, services, and data (repositories) to which these employees are legitimately entitled.

"GIFShell" attack

This new chain attack would allow an attacker to create a reverse shell, also known as a connect-back shell, on the targeted system, and through it be able to both deliver malicious commands via GIFs in Teams, as well as exfiltrate the corresponding outputs through GIFs retrieved by Microsoft infrastructure itself. Note that it does require to first install a malware stager, a small piece of code that will execute while remaining undetected, reach out back to the attacker to download, and then execute a specific program.

Even if using a top cybersecurity solution inside an organization on all endpoints, all these requests, including data exfiltration, would hardly be detected as happening through Microsoft Teams communication channels, and as such would be identified as legitimate traffic. The ability to cover the exfiltration by mixing it with legitimate traffic is what makes it hardly detected, if not undetectable so far.

How to Protect Your Organization

Both issues were immediately reported to Microsoft upon discovery, but the Seattle-based company replied that they did not yet have any plan to release a fix for any of them, as, in the first case, an attacker would technically first need to gain access to a target network before they could eventually access such authentication tokens, and secondly, they would need to meet their requirements for an urgent security fix. However, these might be addressed in a future release.

However, for those organizations becoming concerned and willing to protect themselves, there are luckily some recommendations to mitigate the risks.

1. Switch to Web Version

The most effective method is to switch to the web version of Microsoft Teams, as it relies on Microsoft Edge to run the application, and thus benefits from additional protections against token leaks. Although it might not be so convenient, most if not all functionalities would remain available to your employees, so the impact would be limited to none.

2. Use Another Solution (When Possible)

For Linux users, the advice is to move to another collaboration suite, as Microsoft announced they would stop supporting the desktop app by December 2022. There are other secure, enterprise-grade messaging and collaboration platforms out there that might fit your organization’s requirements in term of user functionalities and data security, so it might be an opportunity to look and compare.

3. Monitor Your Endpoints

The earlier recommendations may not be possible for all organizations, as the desktop version is a lot more convenient for employees to use rather than the web one. In that case, the recommendation is to closely monitor your endpoints, and specifically the system folders used by Microsoft Teams to correctly operate, using an Endpoint Detection and Response (EDR) solution, to discover suspicious processes and eventually try to access them. Coupled with a state-of-the-art Security Information and Event Management (SIEM) solution like ISEC7 Sphere, it would then send alerts and notifications to the responsible IT security personnel, by email, SMS or even using specific Microsoft Teams channels, so they are aware in real-time and can take remedy actions.

4. Harden Microsoft Teams Security

By default, Microsoft Teams allows external senders (i.e., outside of an organization) to send messages to users from an organization, which is something unknown to most organizations, and one of the “weaknesses” used by this sophisticated attack to exploit. It is, however, possible to harden Microsoft Teams security by disabling external communications. The best and most secure option would be to completely disable communications with external domains, de facto limiting to just the internal domains. However, for companies strongly relying on Microsoft Teams to collaborate with trusted partners and customers, this might not be feasible, so instead such external communications should at least be restricted to only a handful of trusted, predefined external domains.

The discovery of these Microsoft Teams vulnerabilities serves as a reminder to revisit and bolster your infrastructure’s security posture. Remember the best practices when it comes to a solution like Teams: working in the web version as opposed to the desktop version of the app, monitoring your endpoints with a comprehensive SIEM solution, and adjusting your Microsoft Teams security settings to completely disable communications with external domains, if feasible.

No matter the size or how widely deployed your ecosystem is, understanding your business and the operational needs of your cybersecurity solution is paramount in providing the right solution to address your specific vulnerabilities. Please feel free to contact the team at ISEC7, and we can provide an objective assessment of what can address the needs of your organization and/or risk mitigation needed to enhance your current solution.