
Microsoft Teams GIFs are terrible


Studies have shown that GIFs can be used as triggers to run malicious code in Microsoft Teams.

Microsoft Teams users can upload GIFs to better communicate their feelings to colleagues. However, fraudsters can use them to execute malicious commands and steal sensitive data without being detected by antivirus tools.

Bobby Rauch found vulnerabilities in the video conferencing platform that, when chained together, can lead to data exfiltration and malicious code execution.

The attacker must persuade the victim to download and install a malicious stager capable of executing commands and uploading GIF URLs to Microsoft Teams webhooks. The stager will scan the Microsoft Teams logs, where all received communications are kept and which are readable by all Windows user groups.


After setting up the stager, the attacker must create a new Teams tenancy and contact members outside it. This isn’t difficult, argues the researcher, because Microsoft allows external connectivity by default. The attacker can then deliver a malicious .GIF file that executes commands on the target endpoint using the researcher’s Python script, GIFShell.

The message and the .GIF file end up in the logs folder that the stager scans. The stager extracts the commands from the .GIF and runs them. The GIFShell PoC can convert the output to base64 text and use it as the filename of a remote .GIF embedded in a Microsoft Teams Survey Card. The stager sends the card to the attacker’s Microsoft Teams webhook. Microsoft’s servers then retrieve the .GIF from the attacker’s server URL. GIFShell decodes the filename and sends the command’s output to the threat actor.
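The filename encoding described above gives defenders a pattern to look for. As an added example (not GIFShell's or the researcher's code), this Python detector walks a webhook card payload and flags image URLs whose .gif filename decodes from base64 to printable text. The payload shape, hostnames, sample output, and the 16-character and 90% thresholds are assumptions constructed for illustration.

```python
import base64
import binascii
import json
import re
from urllib.parse import urlparse

# Stem made only of base64 characters; the 16-character floor is an assumed threshold.
B64_STEM = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")
SAMPLE_OUTPUT = "WS-0142\\alice (constructed sample output)"

def decode_stem(url):
    """Return decoded text if a .gif name is base64 of >= 90% printable ASCII, else None."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    if not name.lower().endswith(".gif") or not B64_STEM.match(name[:-4]):
        return None
    stem = name[:-4].rstrip("=").replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(stem + "=" * (-len(stem) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    return raw.decode("ascii", "replace") if printable >= 0.9 * len(raw) else None

def walk_strings(node):
    """Yield every string value nested anywhere in parsed JSON."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from walk_strings(child)

def flag_card(card_json):
    """Return (url, decoded_text) for each suspicious image URL in a card payload."""
    hits = []
    for value in walk_strings(json.loads(card_json)):
        decoded = decode_stem(value) if value.lower().startswith("http") else None
        if decoded is not None:
            hits.append((value, decoded))
    return hits

def sample_card():
    """Constructed payload (assumed shape): one encoded name, one ordinary name."""
    stem = base64.urlsafe_b64encode(SAMPLE_OUTPUT.encode()).decode()
    return json.dumps({"attachments": [{"content": {"body": [
        {"type": "Image", "url": f"https://collector.example/{stem}.gif"},
        {"type": "Image", "url": "https://media.example/thumbs_up_office.gif"}]}}]})

if __name__ == "__main__":
    print(flag_card(sample_card()))
```

The ordinary name `thumbs_up_office.gif` passes the character-set check but decodes to mostly non-printable bytes, so only the encoded filename is reported.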

The researcher said that attackers can send as many malicious GIFs as they wish. Since the traffic seems to come from Microsoft’s servers, cybersecurity programmes won’t notice it. Microsoft won’t address the findings because they don’t bypass security.

“For 72412, while this is wonderful research and the technical team will improve these areas over time, these all require a compromised target,” Microsoft reportedly informed Rauch.

The product team will analyse the issue for future design adjustments, but the security team won’t track it.
