Microsoft Teams Attack Skips the Phish to Deliver Malware Directly

Published: 23/11/2024   Category: security




Exploiting a flaw in how the app handles communication with external tenants gives threat actors an easy way to send malicious files from a trusted source to an organization's employees, but no patch is imminent.



A bug in the latest version of Microsoft Teams allows external sources to send files to an organization's employees even though the application typically blocks such activity, researchers have found. This gives threat actors an alternative to complex and expensive phishing campaigns for delivering malware into target organizations, but Microsoft won't be addressing it as a priority.
Researchers Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) from JUMPSEC Labs' Red Team discovered a way to exploit the Microsoft Teams External Tenants feature to slip malware into files sent to an organization's employees, thus bypassing nearly all modern anti-phishing protections, they revealed in a blog post published this week.
"This vulnerability affects every organization using Teams in the default configuration," Corbridge wrote in the post. "As such it has huge potential reach and could be leveraged by threat actors to bypass many traditional payload delivery security controls."
Teams is Microsoft's widely used hosted messaging and file-sharing app, which was already used by an estimated 91% of Fortune 100 organizations before the Covid-19 pandemic, according to Microsoft financial data. During the pandemic, the use of Teams expanded even further, as many organizations came to rely on it to communicate and collaborate with their remote workforce.
Though Teams is typically used for communication between employees within the same organization, Microsoft's default configuration for Teams allows users from outside the company to reach out to its employees, the researchers said. This is where the opportunity arises for threat actors to exploit the app to deliver malware, they said.
This can be done by bypassing client-side security controls that prevent external tenants from sending files (which in this case would be malicious) to internal users, the researchers explained.
The vulnerability lies in a Microsoft Teams capability that allows any user with a Microsoft account to reach out to what are called external tenancies, the researchers explained. In this case, these tenancies would be any business or organization using Microsoft Teams, each of which has its own tenancy.
Users from one tenancy are able to send messages to users in another tenancy, Corbridge explained. When doing so, an "External" banner appears alongside the name.
Though some employees might not click on a message from an external source, many would, something that Corbridge said the researchers had already proved as part of a red-team engagement aimed at gaining an initial foothold in a client's environment.
This is especially true if the malicious party is impersonating a known member of your organization and has purchased and registered a brand-impersonation domain, as red teams often do, he noted in the post.
Though external tenants in Teams are blocked from sending files to staff in another organization, unlike employees within a single organization or tenancy, who can exchange files freely, Corbridge said he and JUMPSEC's head of offensive security Tom Ellson were able to bypass this control within 10 minutes.
"Exploitation of the vulnerability was straightforward using a traditional IDOR technique of switching the internal and external recipient ID on the POST request," Corbridge explained in the post. "When sending the payload like this, it is actually hosted on a SharePoint domain and the target downloads it from there. It appears, however, in the target inbox as a file, not a link."
The researchers tested their technique in a mature client environment during a red-team exercise last month and confirmed that it allowed for a much more simple, reliable, and user-friendly payload delivery avenue than traditional phishing journeys, he wrote.
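The researchers describe the bypass as a client-side control defeated by editing recipient IDs in a POST request: the classic IDOR shape, where the server acts on identifiers the client supplies instead of on the identity it authenticated. As an added illustration, not code from Teams, Microsoft or JUMPSEC, the following PowerShell sketch models why a cross-tenant file rule has to be decided on the server from the authenticated caller. The directory, the policy object, the user and tenant names and both functions are hypothetical.

```powershell
# Added illustration (hypothetical service model, not Teams code): a cross-tenant
# file-share rule enforced two ways. The weak version trusts identifiers in the
# request body; the hardened version derives the sender from the authenticated session.

# Constructed directory: which tenant each user ID belongs to.
$Directory = @{
    'user-a' = @{ Tenant = 'victim-corp' }    # internal employee
    'user-b' = @{ Tenant = 'victim-corp' }    # internal employee
    'user-x' = @{ Tenant = 'other-tenant' }   # user in a different tenancy
}

# Constructed tenant policy: the "external tenants may not send files" default.
$Policy = @{ AllowExternalFileShares = $false }

# Weak pattern: the sender is whatever SenderId the client put in the body.
# A client that rewrites SenderId/RecipientId is treated as the user it claims to be,
# so the file rule is effectively enforced only on the client side.
function Test-FileShareAllowedWeak {
    param([hashtable]$RequestBody)
    $sender    = $Directory[$RequestBody.SenderId]
    $recipient = $Directory[$RequestBody.RecipientId]
    if ($null -eq $sender -or $null -eq $recipient) { return $false }
    if ($sender.Tenant -eq $recipient.Tenant) { return $true }
    return $Policy.AllowExternalFileShares
}

# Hardened pattern: the sender is whoever authenticated. The body may still name
# a recipient, but it can no longer decide which tenant the sender belongs to.
function Test-FileShareAllowed {
    param([string]$AuthenticatedUserId, [hashtable]$RequestBody)
    $sender    = $Directory[$AuthenticatedUserId]
    $recipient = $Directory[$RequestBody.RecipientId]
    if ($null -eq $sender -or $null -eq $recipient) { return $false }
    if ($sender.Tenant -eq $recipient.Tenant) { return $true }
    return $Policy.AllowExternalFileShares
}

# Constructed request from 'user-x' whose body claims an internal SenderId.
$body = @{ SenderId = 'user-b'; RecipientId = 'user-a'; File = 'report.docx' }

Write-Output ("weak check (body-supplied sender):      {0}" -f (Test-FileShareAllowedWeak -RequestBody $body))
Write-Output ("hardened check (authenticated sender):  {0}" -f (Test-FileShareAllowed -AuthenticatedUserId 'user-x' -RequestBody $body))
```

The point of the two functions side by side is that the policy itself is identical; only the source of truth for the sender's tenant changes. Any check that a client-side UI performs (greying out the attach button, hiding the file picker) is a usability measure, and the server must repeat the decision from the session identity it actually verified.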
The bug provides a potentially lucrative avenue for threat actors because of how straightforward it is for them to deliver malware to organizations without the need to craft socially engineered email messages with malicious links or files and hope employees take the bait and click on them, Corbridge wrote.
Threat actors can easily buy a domain similar to a target organization's and register it with Microsoft 365, thus setting up a legitimate Teams tenancy without having to build complex phishing infrastructure and then rely on employees already savvy to phishing tactics to make a mistake, he said.
By exploiting the flaw, a malicious payload is served via a trusted SharePoint domain as a file in a target's Teams inbox. As such, the payload inherits the trust reputation of SharePoint, not a malicious phishing website, Corbridge wrote.
Threat actors can even use social engineering and start a conversation with an employee, which can lead to participation in a Teams call, the sharing of screens, and more, allowing them to conduct even more nefarious activity or even deliver the payload themselves, he added.
The researchers reported the vulnerability to Microsoft, which validated its legitimacy but said it did not meet the bar for immediate servicing, Corbridge wrote.
To mitigate the bug themselves, organizations can review whether there is a business requirement for external tenants to have permission to message staff and, if there is not, remove that option under Microsoft Teams Admin Center > External Access.
If an organization does require communication with external tenants but has only a handful of organizations with which employees regularly communicate, administrators can also use the same setting to change the Teams security configuration so that communication is allowed only with certain allow-listed domains, the researchers said.
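The two options above (turn external access off, or restrict it to an allow-list) correspond to the tenant federation settings that the MicrosoftTeams PowerShell module exposes, which is useful when the change needs to be scripted, reviewed or audited rather than clicked through. The following is an added example, not code from the article, Microsoft or JUMPSEC; the cmdlet and parameter names are those documented for the MicrosoftTeams module as I know them and should be confirmed against the module version in use, the partner domain names are constructed, and the commands must be run by a Teams administrator.

```powershell
# Added example: review and tighten Teams external access with the MicrosoftTeams module.
# Prerequisites (assumed): Install-Module MicrosoftTeams; a Teams administrator account.
# 'partner-example.com' and 'vendor-example.com' are constructed placeholder domains.

Connect-MicrosoftTeams

# 1. Baseline first. The default-style state the article describes is
#    AllowFederatedUsers = True with an empty AllowedDomains list, i.e. any other
#    Teams tenant may message staff. AllowTeamsConsumer covers personal accounts.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains, AllowTeamsConsumer

# 2a. No business need for external tenants: turn external access off entirely,
#     including chats from personal (consumer) Teams accounts.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false -AllowTeamsConsumer $false

# 2b. Alternatively, keep external access but only for an explicit allow-list.
#     Unlisted tenants are then blocked without needing a block-list entry each.
$patterns = @('partner-example.com', 'vendor-example.com') |
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 3. Verify before closing the change: the allow-list should contain exactly the
#    partner domains, and nothing else should be federated.
(Get-CsTenantFederationConfiguration).AllowedDomains
```

Step 1 matters as much as steps 2a/2b: capture the current state so the change is reversible and so the review can show that the tenant was in the permissive default the researchers targeted. Note that 2a and 2b are alternatives; run the one that matches the business decision.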
If neither of these mitigation options is viable for an organization, administrators can try educating staff on the possibility of productivity apps such as Teams, Slack, SharePoint, and others being used to launch social-engineering campaigns similar to the ones found in email messages, to help them avoid compromise.
Organizations can also use web proxy logs to provide alerts or at least baseline visibility into staff members accepting external-message requests, Corbridge added.
"The difficulty, at present, is turning this into a useful piece of telemetry with usernames, and the message in question, but it can provide some idea of how common this transaction is within an organization for potential mitigation," he acknowledged.
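For the proxy-log visibility Corbridge mentions, this added example (not from the article or JUMPSEC) shows one way to turn proxy records into per-user, per-day counts of external-request acceptances with a simple threshold alert, which gives the baseline he describes even when the message content itself is not available. The log lines, the field order and the `/api/EXAMPLE/accept-external` path are constructed placeholders; the real request that corresponds to accepting an external message must be identified from your own proxy logs, and the parser adjusted to your proxy's export format.

```powershell
# Added example: per-user baseline of "accept external chat" transactions from proxy logs.
# Constructed log sample (fields: time user source-ip method url status). The URL path
# used as the marker is a PLACEHOLDER, not a real Teams endpoint.
$ProxyLog = @'
2024-11-20T09:12:03Z alice.smith 10.1.4.22 GET  https://teams.microsoft.com/ 200
2024-11-20T09:13:41Z alice.smith 10.1.4.22 POST https://teams.microsoft.com/api/EXAMPLE/accept-external 200
2024-11-20T09:15:09Z bob.jones   10.1.4.31 POST https://teams.microsoft.com/api/EXAMPLE/accept-external 200
2024-11-21T14:02:55Z alice.smith 10.1.4.22 POST https://teams.microsoft.com/api/EXAMPLE/accept-external 200
2024-11-21T14:03:10Z alice.smith 10.1.4.22 POST https://teams.microsoft.com/api/EXAMPLE/accept-external 200
2024-11-21T14:03:25Z alice.smith 10.1.4.22 POST https://teams.microsoft.com/api/EXAMPLE/accept-external 200
2024-11-21T16:40:00Z carol.ng    10.1.4.45 GET  https://example.sharepoint.com/sites/x/report.docx 200
'@

# Placeholder marker for the accept-external transaction; replace with the path
# your own proxy logs show for that action.
$ExternalAcceptPattern = '/api/EXAMPLE/accept-external'

# Parse the log and keep only the POSTs that match the marker, with the username
# the proxy recorded (this is what turns the log into per-user telemetry).
function Get-ExternalAcceptEvents {
    param([string]$LogText, [string]$Pattern)
    foreach ($line in ($LogText -split "`r?`n")) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 6) { continue }          # malformed line: skip rather than crash
        if ($f[3] -eq 'POST' -and $f[4] -like "*$Pattern*") {
            [pscustomobject]@{
                Time   = [datetimeoffset]::Parse($f[0]).UtcDateTime
                User   = $f[1]
                Source = $f[2]
                Url    = $f[4]
            }
        }
    }
}

# Group the events by user and UTC day; flag any user/day above the threshold.
# The threshold is a starting point to tune once a few weeks of baseline exist.
function Get-ExternalAcceptBaseline {
    param([object[]]$Events, [int]$DailyThreshold = 2)
    $Events | Group-Object -Property { $_.User + '|' + $_.Time.ToString('yyyy-MM-dd') } |
        ForEach-Object {
            $user, $day = $_.Name -split '\|'
            [pscustomobject]@{
                Day     = $day
                User    = $user
                Accepts = $_.Count
                Alert   = ($_.Count -gt $DailyThreshold)
            }
        }
}

$events = Get-ExternalAcceptEvents -LogText $ProxyLog -Pattern $ExternalAcceptPattern
Get-ExternalAcceptBaseline -Events $events | Sort-Object Day, User | Format-Table -AutoSize
```

Run against the constructed sample, the table shows one acceptance each for alice.smith and bob.jones on the first day and three for alice.smith on the second, which trips the default threshold; the SharePoint download line is ignored because it is neither a POST nor a match for the marker. Pointing `$ProxyLog` at a real export (for example `Get-Content` on the proxy's daily log) and replacing the placeholder pattern is all that is needed to produce the same baseline for a real tenant.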
