Date: 2023-06-24

Security researchers have found a simple way to deliver malware to an organization through Microsoft Teams, despite the application's restrictions on files from external sources.

With 280 million monthly active users, Microsoft Teams has been adopted by organizations as a communication and collaboration platform that is part of the Microsoft 365 cloud-based services.

Given the product’s popularity with various organizations, Max Corbridge and Tom Ellson, members of the Red Team at UK-based security services company Jumpsec, poked around and discovered a way to deliver malware using Microsoft Teams with an account outside the target organization.

Attack details

The attack works with Microsoft Teams running the default configuration, which permits communication with Microsoft Teams accounts outside the company, typically referred to as “external tenants.”

Corbridge explains in a report that while this communication bridge would be enough for social engineering and phishing attacks, the method they found is more powerful as it allows sending a malicious payload directly to a target inbox.

Microsoft Teams has client-side protections in place to block file delivery from external tenant accounts.

However, the two Jumpsec Red Team members found that they could get around the restriction by changing the internal and external recipient ID in the POST request of a message, thus fooling the system into treating an external user as an internal one.