Microsoft Teams Exploit Tool Auto-Delivers Malware

Published: 23/11/2024   Category: security




The TeamsPhisher cyberattack tool gives pen testers — and adversaries — a way to deliver malicious files directly to a Teams user from an external account, or tenant.



A new tool is available on GitHub that gives attackers a way to leverage a recently disclosed vulnerability in Microsoft Teams and automatically deliver malicious files to targeted Teams users in an organization.
The tool, dubbed TeamsPhisher, works in environments where an organization allows communications between its internal Teams users and external Teams users — or tenants. It allows attackers to deliver payloads directly into a victim's inbox without relying on traditional phishing or social engineering scams to get it there.
"Give TeamsPhisher an attachment, a message, and a list of target Teams users," said the tool's developer Alex Reid, a member of the US Navy's Red Team, in a description of the tool on GitHub. "It will upload the attachment to the sender's Sharepoint and then iterate through the list of targets."
TeamsPhisher incorporates a technique that two researchers at JUMPSEC Labs recently disclosed for getting around a security feature in Microsoft Teams. While the collaboration app allows communications between Teams users from different organizations, it blocks the sharing of files between them.
JUMPSEC researchers Max Corbridge and Tom Ellson found a relatively easy way to bypass this restriction, using what is known as the Insecure Direct Object Reference (IDOR) technique. As security vendor Varonis noted in a recent blog post, IDOR bugs allow an attacker to maliciously interact with a Web application by manipulating a direct object reference such as a database key, query parameter, or filename.
Corbridge and Ellson found they could exploit an IDOR issue in Teams simply by switching the ID of the internal and external recipient when submitting a POST request. The two researchers discovered that when a payload is sent in this manner, the payload is hosted on the sender's SharePoint domain and arrives in the victim's Teams inbox. Corbridge and Ellson identified the vulnerability as affecting every organization running Teams in a default configuration and described it as something an attacker could use to bypass anti-phishing mechanisms and other security controls. Microsoft acknowledged the issue but assessed it as something not deserving of an immediate fix.
Reid described his TeamsPhisher tool as incorporating JUMPSEC's techniques as well as some earlier research on how to leverage Microsoft Teams for initial access by independent researcher Andrea Santese. It also incorporates techniques of TeamsEnum, a tool for enumerating Teams users, that a researcher from Secure Systems Engineering GmbH had previously released to GitHub.
According to Reid, the way TeamsPhisher works is to first enumerate a target Teams user and verify that the user can receive external messages. TeamsPhisher then creates a new thread with the target user. It uses a technique that allows the message to arrive in the target's inbox without the usual "Someone outside your organization messaged you, are you sure you want to view it" splash screen, Reid said.
"With the new thread created between our sender and the target, the specified message will be sent to the user along with a link to the attachment in Sharepoint," he noted. "Once this initial message has been sent, the created thread will be visible in the sender's Teams GUI and can be interacted with manually, if need be, on a case-by-case basis."
Microsoft said it is aware of TeamsPhisher and has determined that the tool relies on social engineering to be successful. "We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers," the company said in an emailed statement.
Microsoft did not directly respond to a Dark Reading question on whether the release of TeamsPhisher had changed its stance on releasing a patch and/or guidance for affected users. Instead, the company pointed to its Microsoft Security Servicing Criteria webpage. The page describes the criteria the Microsoft Security Response Center (MSRC) uses to determine whether a reported vulnerability affecting currently supported versions of affected software might be updated/patched or addressed in the next version of the affected software.
JUMPSEC itself has urged organizations using Microsoft Teams to review whether there is any business need for enabling communications between internal Teams users and external tenants.
"If you are not currently using Teams for regular communication with external tenants, tighten up your security controls and remove the option altogether," the company has advised.
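One way an administrator could act on that advice, shown as an added example that is not from the article, JUMPSEC, or Microsoft: a PowerShell audit of the tenant's external access settings that, when explicitly enabled, either turns external access off or limits it to an allowlist. It assumes the MicrosoftTeams PowerShell module and a Teams administrator account; `partner.example` and the `$Apply` switch are constructed placeholders.

```powershell
# Added example: audit and restrict Teams external access (federation).
# Assumes the MicrosoftTeams module is installed and you sign in as a Teams admin.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# Constructed placeholders: set your real partner domains, or leave the list
# empty to disable external access entirely. Nothing changes unless $Apply is $true.
$PartnerDomains = @('partner.example')
$Apply          = $false

$fields = 'AllowFederatedUsers', 'AllowedDomains', 'BlockedDomains',
          'AllowTeamsConsumer', 'AllowTeamsConsumerInbound'

# 1. Current tenant-wide setting. AllowFederatedUsers = True with no domain
#    restriction means any external tenant can start a chat with your users.
Write-Host '--- Current federation configuration ---'
Get-CsTenantFederationConfiguration | Format-List $fields

# 2. Per-user external access policies that still permit federation.
Write-Host '--- External access policies allowing federation ---'
Get-CsExternalAccessPolicy |
    Where-Object EnableFederationAccess |
    Select-Object Identity, EnableFederationAccess |
    Format-Table -AutoSize

if (-not $Apply) {
    Write-Host 'Audit only. Set $Apply = $true to change the tenant configuration.'
    return
}

# 3. Restrict: no partners -> turn external access off; otherwise allowlist only.
if ($PartnerDomains.Count -eq 0) {
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $false -AllowTeamsConsumer $false
}
else {
    $allow = New-Object 'System.Collections.Generic.List[string]'
    $PartnerDomains | ForEach-Object { $allow.Add($_) }
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
        -AllowedDomainsAsAList $allow -AllowTeamsConsumer $false
}

# 4. Read the setting back to confirm the change.
Write-Host '--- Federation configuration after change ---'
Get-CsTenantFederationConfiguration | Format-List $fields
```

Run it in audit mode first and record the output, since tightening the allowlist cuts off any external tenant that is not on it.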
