[ad_1]
Security researchers have found a vulnerability in the Microsoft Teams online collaboration platform, which can be used to manipulate another user’s login session using tampered images. An attacker can hijack third-party user accounts simply by showing the owners of these accounts a specific GIF. This attack could also be carried out automatically, for example to attack all the computer accounts of a complete organization and to access confidential information, internal company data and passwords. Microsoft has said it has closed the gap and has so far been unable to detect such attacks in practice.
The attack is not easy to implement
This may also be due to the fact that carrying out the attack successfully is not entirely trivial. First, an attacker must obtain a GIF in the team chat. Either because you already have access to an organization team account (for example, through guest access) or because you can convince the account holder to post a GIF created by the attacker in the chat. Also, and this is probably more difficult, the attacker needs control of a subdomain on teams.microsoft.com: Large companies have subdomains that are often forgotten and vulnerable to attack in one way or another. And also in the past, Microsoft researchers found hundreds of subdomains that could be hijacked by incorrect DNS settings.
Perfect for CEO fraud
Such a breach theoretically would allow attackers to fight across an entire company and access tons of sensitive data, such as trade secrets or passwords for the organization’s IT infrastructure. Such an attack is also ideal for CEO Fraud. It hijacks accounts until you have control over a high-level employee’s computer account, and then orders to transfer funds or provide financial information. With calendar functionality built into teams, such scams can be tailored to the organization’s daily work to attract less attention. Especially now that more and more companies are switching to Microsoft computers and similar services and almost all employees are working in the home office, such attacks have a particularly high probability of success.
Microsoft appears to have closed the gap by securing the relevant subdomains. The company is also in the process of strengthening its collaboration software against similar attacks. However, CyberArk believes that a similar attack would likely continue to work if the attacker manages to take control of a teams.microsoft.com domain despite precautions.
(fabulous)