Researchers have discovered a flaw in the recent update of Microsoft Teams that allows third-party sources to send files to company employees, an activity that is usually blocked. The bug gives cybercriminals a simpler and cheaper way to introduce malware into targeted firms without having to run sophisticated phishing campaigns. Notably, Microsoft does not currently intend to address this as a priority.
Max Corbridge and Tom Ellson, from JUMPSEC Labs’ Red Team, identified the loophole within Microsoft Teams’ External Tenants feature. The flaw lets cybercriminals deliver malware in files sent to an organization’s employees, avoiding most modern anti-phishing defenses.
According to Corbridge, “This vulnerability affects every organization using Teams in its default configuration.” Cybercriminals could exploit this bug to evade numerous standard security controls for payload delivery, he emphasized.
Microsoft Teams is primarily used for inter-organizational communication. Under Microsoft’s default configuration, it allows users from outside the company to contact its employees. This paves the way for cybercriminals to misuse the app for malware delivery. Within 10 minutes, Corbridge and Ellson bypassed the client-side security controls that prevent external tenants from sending potentially harmful files to internal users.
A trusted SharePoint domain serves the malicious payload as a file in the target’s Teams inbox, so the payload inherits the trust reputation of SharePoint rather than that of a harmful phishing website.
Upon reporting the bug to Microsoft, the company validated its legitimacy but declared it did not require “immediate servicing.” The researchers suggested mitigations. These include adjusting security settings to limit communication to specific domains and educating staff about potential social engineering risks associated with productivity apps.
If these mitigations are impractical, the researchers suggested that organizations utilize Web proxy logs. These logs can provide alerts or visibility into staff members accepting external-message requests, enhancing their cybersecurity measures.
Despite the simplicity of this approach, the challenge lies in transforming this data into a helpful telemetry tool. Currently, it doesn’t provide specific details such as usernames or the content of the message in question. However, it does offer some insight into the frequency of this type of transaction within an organization. This could be vital information for developing further mitigation strategies.
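One way to turn proxy logs into the frequency telemetry described above, as an added example that is not from the researchers or the original article. The log format and sample lines are constructed, and `ACCEPT_URI` is a placeholder because the article does not give the endpoint; substitute the URI your proxy records when a user accepts an external message request.

```python
import re
from collections import Counter
from datetime import datetime

# Placeholder (assumption): the article does not name the endpoint. Replace with
# the URI your proxy logs when a user accepts an external message request.
ACCEPT_URI = re.compile(r"/PLACEHOLDER/external-message/accept")
# Assumed log format: "<UTC timestamp> <client_ip> <METHOD> <host> <path> <status>".
# Seeing the path at all requires TLS inspection on the proxy.
LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) "
                  r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$")

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2023-06-21T09:14:02Z 10.0.4.17 POST teams.microsoft.com /PLACEHOLDER/external-message/accept 200
2023-06-21T09:15:40Z 10.0.4.17 GET teams.microsoft.com /PLACEHOLDER/external-message/accept 200
2023-06-22T08:01:11Z 10.0.4.23 POST teams.microsoft.com /PLACEHOLDER/external-message/accept 200
2023-06-22T08:03:57Z 10.0.4.23 POST teams.microsoft.com /PLACEHOLDER/external-message/accept 200
2023-06-22T11:20:05Z 10.0.4.17 POST teams.microsoft.com /PLACEHOLDER/external-message/accept 200
2023-06-22T11:21:30Z 10.0.4.31 POST teams.microsoft.com /PLACEHOLDER/external-message/accept 403
truncated line without enough fields
"""

def accept_events(lines, hosts=("teams.microsoft.com",)):
    """Yield (day, client_ip) for each successful accept request."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["method"] != "POST" or m["host"] not in hosts:
            continue  # malformed line or unrelated traffic
        if not ACCEPT_URI.search(m["path"]) or not m["status"].startswith("2"):
            continue  # other endpoint, or the request was rejected
        try:
            day = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        except ValueError:
            continue  # unparseable timestamp
        yield day, m["ip"]

def summarize(lines, daily_threshold=2):
    """Count accepts per day and per client IP; list days above the threshold."""
    events = list(accept_events(lines))
    per_day = Counter(day for day, _ in events)
    per_ip = Counter(ip for _, ip in events)  # the logs carry no usernames
    alerts = sorted(day for day, n in per_day.items() if n > daily_threshold)
    return per_day, per_ip, alerts

if __name__ == "__main__":
    per_day, per_ip, alerts = summarize(SAMPLE_LOG.splitlines())
    print(dict(per_day), dict(per_ip), alerts)
```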
This discovery urges organizations to take immediate steps to ensure the maximum possible security of their digital communication and file-sharing tools. This includes conducting regular security audits, updating software with the latest patches and security enhancements, and training employees about the potential cybersecurity risks associated with these tools.
This latest flaw highlights the continuous and evolving threats organizations face in today’s digital landscape. As reliance on digital collaboration tools like Microsoft Teams increases, software providers and organizations must stay vigilant and proactive in their cybersecurity efforts to guard against such vulnerabilities.
Microsoft has yet to provide an official statement or response plan concerning the Microsoft Teams flaw discovered by Corbridge and Ellson. As such, organizations are encouraged to implement the suggested mitigations and remain alert to any updates.