Wicked GIFs – Hijacking Microsoft Teams accounts with tampered images




Security researchers have found a vulnerability in the Microsoft Teams online collaboration platform that can be used to take over another user's login session using tampered images. An attacker can hijack other users' accounts simply by showing the owners of those accounts a specially crafted GIF. The attack could also be carried out automatically, for example to compromise every Teams account in an entire organization and gain access to confidential information, internal company data and passwords. Microsoft says it has closed the gap and has so far found no evidence of such attacks in practice.

This may also be because carrying out the attack successfully is not entirely trivial. First, the attacker must get a GIF into the Teams chat, either because they already have access to a Teams account in the organization (for example, through guest access) or because they can convince an account holder to post a GIF created by the attacker in the chat. Second, and this is probably the harder part, the attacker needs control of a subdomain of teams.microsoft.com. Large companies have subdomains that are often forgotten and vulnerable to takeover in one way or another, and in the past, Microsoft researchers found hundreds of subdomains that could be hijacked because of incorrect DNS settings.

The security company CyberArk, which discovered this attack on Microsoft Teams, found two domains of interest: aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com could be hijacked and repurposed for the researchers' demonstration. By redirecting traffic from these domains to their own servers, they got Microsoft Teams to send them the session tokens of the users who viewed the malicious GIF. Every time a user viewed the GIF, the researchers received session tokens granting access to that user's Teams account for an hour.

In theory, such a breach would allow attackers to work their way through an entire company and access large amounts of sensitive data, such as trade secrets or passwords for the organization's IT infrastructure. Such an attack is also ideal for CEO fraud: attackers hijack accounts until they control the Teams account of a senior employee, then instruct staff to transfer funds or hand over financial information. With the calendar functionality built into Teams, such scams can be tailored to the organization's daily routine so as to attract less attention. Especially now that more and more companies are switching to Microsoft Teams and similar services, and almost all employees are working from home, such attacks have a particularly high chance of success.

Microsoft appears to have closed the gap by securing the relevant subdomains. The company is also in the process of hardening its collaboration software against similar attacks. However, CyberArk believes that a similar attack would likely still work if an attacker managed to take control of a teams.microsoft.com subdomain despite these precautions.
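Why a hijacked subdomain ends up receiving a user's session token, and why scoping the token to a single host blunts the attack, comes down to how browsers decide where to send cookies. The following is an added example, not code from the article, CyberArk or Microsoft; it assumes the session token travels in a cookie whose Domain attribute covers teams.microsoft.com (the article only says "session tokens") and implements the domain-matching rule of RFC 6265 to show which hosts, including the two subdomains named above, would receive it.

```python
# Added example (not from the article, CyberArk or Microsoft): models RFC 6265
# cookie domain matching to show why a cookie scoped to teams.microsoft.com is
# sent to any subdomain, hijacked or not, while a host-only cookie is not.
# Assumption: the session token is carried in such a cookie.
from dataclasses import dataclass
from typing import Optional


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host domain-matches cookie_domain when they are
    equal, or host ends with "." + cookie_domain and host is not an IP literal."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if host == cookie_domain:
        return True
    if all(label.isdigit() for label in host.split(".")):
        return False  # IPv4 literals never domain-match a cookie domain
    return host.endswith("." + cookie_domain)


@dataclass(frozen=True)
class Cookie:
    name: str
    set_by: str                   # host that issued the Set-Cookie header
    domain: Optional[str] = None  # Domain attribute; None means host-only


def is_sent_to(cookie: Cookie, request_host: str) -> bool:
    """Would a browser attach this cookie to a request for request_host?"""
    if cookie.domain is None:
        # Host-only cookie (no Domain attribute, e.g. a __Host- prefixed one):
        # only the exact issuing host ever receives it.
        return request_host.lower().rstrip(".") == cookie.set_by.lower().rstrip(".")
    return domain_matches(request_host, cookie.domain)


def receiving_hosts(cookie: Cookie, candidate_hosts) -> list:
    """Subset of candidate_hosts that would receive the cookie, in order."""
    return [h for h in candidate_hosts if is_sent_to(cookie, h)]


# Constructed sample: the two subdomains named in the article plus decoys.
HOSTS = [
    "teams.microsoft.com",
    "aadsync-test.teams.microsoft.com",  # hijackable subdomain per CyberArk
    "data-dev.teams.microsoft.com",      # hijackable subdomain per CyberArk
    "evilteams.microsoft.com",           # shares a suffix but is not a subdomain
    "teams.microsoft.com.example",       # lookalike under another domain
]
# Weak scoping: every subdomain, including a hijacked one, receives the token.
DOMAIN_SCOPED = Cookie("session", "teams.microsoft.com", domain="teams.microsoft.com")
# Hardened scoping: the token never leaves the host that issued it.
HOST_ONLY = Cookie("__Host-session", "teams.microsoft.com")
```

Running `receiving_hosts(DOMAIN_SCOPED, HOSTS)` lists the parent host and both named subdomains, while `receiving_hosts(HOST_ONLY, HOSTS)` lists only teams.microsoft.com.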


(fabulous)

