June 29th, 2023 – Microsoft Teams Default Configurations allows Malware Delivery and Bypasses Payload Delivery Security Controls
Researchers Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) from JUMPSEC Labs’ Red Team discovered a way to exploit the Microsoft Teams External Tenants feature. Using this feature they can sneak malware into files sent to an organization’s employees directly while bypassing nearly all modern anti-phishing protections. This blog post contains the details.
“This vulnerability affects every organization using Teams in the default configuration,” Corbridge wrote in the post. “As such it has huge potential reach and could be leveraged by threat actors to bypass many traditional payload delivery security controls.“
Introducing malware into target organizations is increasingly difficult due to the improved security measures which stop traditional payload types (.exe files and Office Macros). Phishing, a common payload delivery method, is closely monitored and secured these days. This makes it very hard for threat actors to reach end-user devices.
Various security controls such as mail security, IP blocklists, domain reputation, email content inspection, and URL filtering must be bypassed for a phishing campaign to deliver malware successfully into a target’s inbox. In light of these obstacles, threat actors are seeking alternative avenues for payload delivery. One such avenue that has been overlooked until now is Microsoft Teams External Tenants. With Microsoft Teams so widely adopted (including 91% of the Fortune 100), its default configuration allows external users to communicate directly with your staff members. This creates a new opportunity for social engineering and malware payload delivery.
Microsoft Teams Default Security:
If your company does not need to communicate with external tenants, then this feature can be disabled by going to Microsoft Teams Admin Center > External Access and disabling external tenant communications.
If however, your company does communicate with external entities, the reality is those entities will need to be added to an allow list and all others will be set to “Blocked”. The process of granting access into one’s network must be reviewed by IT and change management and approved manually, added to the allow lists in Teams configuration. Any other option represents too great a risk of successful malware attack on your employees.