IDOR Vulnerability Leaves Teams Tenants with Default Settings Open to Attack by TeamsPhisher Tool
Late last month, a Teams vulnerability was described by researchers at JUMPSEC. The vulnerability allows adversaries to bypass security controls that prevent external users from sending files (including malicious files) to users inside your organization. While Microsoft has verified the vulnerability, they’ve stated it doesn’t “meet the bar for immediate servicing.” Fast forward to this week, and a new tool called TeamsPhisher was published to GitHub on July 3 by Octoberfest7 (Alex Reid, a US Navy Red Team technical lead). TeamsPhisher builds on JUMPSEC’s Teams findings by facilitating the sending of malicious files outside of one’s own M365 tenant.
With this tool readily available now, the good news is that this is a problem you can remediate on your own as a Teams admin. Since the attack relies on communication from external entities, you can follow the CISA guidance for external access in Teams and either shut off external access altogether, or create an allow-list so that external communication is accepted only from approved domains. Steps for both actions can be found in our article on Teams Security Baselines #4: External User Access.
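The two remediation options above, as an added PowerShell example that is not part of the original article or of the JUMPSEC or TeamsPhisher material; it assumes the MicrosoftTeams PowerShell module is installed, that you hold a Teams administrator role, and uses placeholder partner domains.

```powershell
# Added example (not from the original article). Assumes the MicrosoftTeams
# module is installed and the signed-in account is a Teams administrator.

Connect-MicrosoftTeams

# 1. Review the current external access (federation) settings. The default
#    tenant configuration leaves federation on for all known domains, which
#    is the setting TeamsPhisher relies on.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound

# Option A: shut off external access altogether, covering both other
# M365 tenants and Teams personal (consumer) accounts.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
    -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# Option B: keep external access on, but only for an explicit allow-list.
# Domains not on the list are blocked. The names below are placeholders.
$approvedDomains = @('partner-one.example', 'partner-two.example') |
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $approvedDomains
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomains $allowList

# 2. Verify: AllowedDomains should now contain only the approved patterns
#    (Option B), or AllowFederatedUsers should read False (Option A).
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains
```

Apply only one of the two options; Option B is the one to choose if your organization still needs chat with specific partner tenants, and the allow-list should be reviewed whenever a partner relationship ends.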