I've recently been hearing a lot of buzz around a web request vulnerability in Microsoft Teams. The flaw allows malicious actors to tamper with the POST request (an insecure direct object reference, or IDOR), enabling them to submit files directly to the inboxes of external users. It was initially discovered by security researchers at JUMPSEC. So, of course, I had to test this for myself in my environment to see how it plays out.
By default, users in external tenants are unable to send any attachments to your users at all, unlike members within your own org.
Sending to an external user: Notice there is no option for attaching a file.
Sending to an internal user: The attachment option is available.
Apparently, 91% of the Fortune 100 inherit the Microsoft default configuration, which automatically allows users from outside organizations to reach their staff members. That could definitely pose a security risk.
As I mentioned, I learned about this vulnerability not too long ago and did some research to figure out how such a simple web request flaw lets malicious users act on it. I decided to spin up a couple of test tenants to get a deeper understanding of exactly what is going on here.
To test this, I used Burp Suite, but any other tool would work as long as you can intercept the web requests being made by Teams.
Gathering Recipient IDs
One of the first things that needed to be done was to determine the recipient ID for an internal user within our tenant. To do this, I simply sent a message while intercepting the request in Burp.
The recipient ID is part of the path of the POST request: /v1/users/ME/conversations/<RECIPIENT_ID>/messages
It is important to copy and save this somewhere.
Once this is gathered, we can gather the recipient ID for the desired target in the same way: send a message to the external user with intercept turned on, copy and save the target's recipient ID from the request, and this time replace it with the internal user's ID before forwarding the request.
In doing so, we essentially stop the message from being seen on the external user's (target) side.
Exploiting the vulnerability
Perfect, now that we have the recipient ID for the external user we can write out our phishing message and include our malware as an attachment. The message is typed out as if we were sending it to the internal user. We then intercept the request in Burp while sending the message and simply replace the recipient ID with the external user's recipient ID.
And just like that, the message with the file makes its way to the external user's inbox in Teams.
I was honestly a bit surprised at how quickly this vulnerability can be replicated and exploited by simply altering the web requests.
This security flaw still hasn't been patched by Microsoft, which is alarming, as many organizations stick to the default settings that allow external contacts to communicate with them. This vulnerability could easily lead a staff member or user to click on the message and download malware, compromising the organization's private information.
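Since the exposure hinges on the tenant's external-access settings, here is an added example (not from the original post or from JUMPSEC) of how a Teams administrator can check those settings and either turn federation off or restrict it to an explicit allow list, using the MicrosoftTeams PowerShell module. The partner domains are placeholders; substitute the ones you actually trust.

```powershell
# Added example: review and harden Teams external (federated) access.
# Assumes the MicrosoftTeams module is installed and the account has a
# Teams administrator role. Domain names below are placeholders.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Review the current state. With Microsoft defaults, AllowFederatedUsers
#    is $true and AllowedDomains shows AllowAllKnownDomains: any external
#    tenant can message your users, which is the open setup described above.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer,
                  AllowTeamsConsumerInbound, AllowPublicUsers,
                  AllowedDomains, BlockedDomains

# Choose ONE of the two options below; the second Set- call would
# otherwise overwrite the first.

# 2a. Strictest option: turn off external access entirely and also block
#     Teams personal (consumer) and Skype consumer accounts.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $false `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# 2b. If external collaboration is required, keep federation on but replace
#     the "allow all known domains" default with an explicit allow list.
#     Only tenants on this list can reach your users; all others are blocked.
$partners  = @('partner-one.example', 'partner-two.example')   # placeholders
$patterns  = $partners | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 3. Confirm the change (it can take a while to propagate to every client).
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains
```

These are tenant-wide settings; review them against your existing partner relationships before applying, since an allow list silently drops chats from any domain not on it.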
Even though this has so far been observed specifically in Microsoft Teams, I believe it goes to show how important it is for organizations and companies to be diligent and practice proper security. Vulnerabilities like this could severely hinder business operations.
Other researchers have also automated this entire process in Python (feel free to check out TeamsPhisher: https://github.com/Octoberfest7/TeamsPhisher).