Single Malicious GIF Opened Microsoft Teams to Nasty Attack

microsoft teams

Now patched flaw allowed attacker to take over an organization’s entire roster of Microsoft Teams accounts.

Microsoft has fixed a subdomain takeover vulnerability in its collaboration platform Microsoft Teams that could have allowed an inside attacker to weaponize a single GIF image and use it to pilfer data from targeted systems and take over all of an organization’s Teams accounts.

The attack simply involved tricking a victim into viewing a malicious GIF image for it to work, according to researchers at CyberArk who also created a proof-of-concept (PoC) of the attack.

Microsoft neutralized the threat last Monday, updating misconfigured DNS records, after researchers reported the vulnerability on March 23.“Even if an attacker doesn’t gather much information from a [compromised] Teams’ account, they could use the account to traverse throughout an organization (just like a worm),” wrote Omer Tsarfati, CyberArk cyber security researcher, in a technical breakdown of its discovery Monday. “Eventually, the attacker could access all the data from your organization Teams accounts – gathering confidential information, competitive data, secrets, passwords, private information, business plans, etc.”

The attack involves malicious actors being able to abuse a JSON Web Token (“authtoken”) and a second “skype token”. The combination of these two tokens are used by Microsoft to allow a Teams user to see images shared with them – or by them – across different Microsoft servers and services such as SharePoint and Outlook.

The weakness is in the application programming interfaces (APIs) used to facilitate the communication between services and servers, Tsarfati said. The TL;DR version of the hack is, Microsoft validates the cookie called “authtoken” and “skype token” via *.teams.microsoft.com. Next, researchers were able to isolate and manipulate the tokens for the PoC attack.

The “authtoken” and “skypetoken_asm” cookie is sent to teams.microsoft.com – or any sub-domain under teams.microsoft.com to authenticate GIF sender and receiver, Tsarfati wrote.

As part of CyberArks research, they found two insecure Microsoft subdomains “aadsync-test.teams.microsoft.com” and “data-dev.teams.microsoft.com” ripe for takeover.

“If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim’s browser will send this cookie to the attacker’s server, and the attacker (after receiving the authtoken) can create a Skype token. After doing all of this, the attacker can steal the victim’s Teams account data,” the research said.

“Now with both tokens, the access token (authtoken) and the Skype token, [an attacker] will be able to make APIs calls/actions through Teams API interfaces – letting you send messages, read messages, create groups, add new users or remove users from groups, change permissions in groups,” researchers wrote.

The novel aspect of this PoC is that all it takes to trigger the hack is the target of the attack viewing a malicious GIF sent by the rogue Teams user.

“The reason that Teams sets the ‘authtoken’ cookie is to authenticate the user for loading images in domains across Teams and Skype,” explained the researcher. “When the victim opens this message, the victim’s browser will try to load the image and will send the authtoken cookie to the compromised sub-domain.”

This allows the attacker to get their hands on the victim’s “authtoken” and ultimately provides a pathway to access the victim’s Microsoft Teams data.

“The fact that the victim needs only to see the crafted message to be impacted is a nightmare from a security perspective. Every account that could have been impacted by this vulnerability could also have been a spreading point to all other company accounts. The vulnerability can also be sent to groups (a.k.a Teams), which makes it even easier for an attacker to get control over users faster and with fewer steps,” researcher wrote.

Researchers said they worked with Microsoft Security Research Center after finding the account takeover vulnerability on March 23. They said Microsoft quickly deleted the misconfigured DNS records of the two subdomains, which mitigated the problem.

Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.