The malicious use of GIFs and a discovery that authority tokens are being stored as clear text are both new risks for users of Microsoft Teams software application.

A vulnerability in Teams dubbed “GIFShell” has discovered that GIFs can be utilised as a method of sending malicious code and commands to unsuspecting users.

The new attack chain was reported by Bobby Rauch, a pentester and cyber security consultant. Rauch has shared an extensive Proof-of-Concept (PoC) on the methods required to leverage these vulnerabilities starting with the creation of a reverse shell that delivers commands via base64 encoded GIFs.

The threat actor social engineers the user to download a malware executable called the “stager”, that will continuously scan the Teams log files for malicious GIFs containing encoded commands.

Rauch states that this can be carried out via a successful phishing attack.

The data extraction methods are further obfuscated by virtue of the mechanism for the files being transferred.

As they pass through genuine Microsoft owned and managed servers, their movement is unlikely to be detected by anti-virus software as it will appear as legitimate Microsoft Teams traffic.

The second reported issue in Teams gives threat actors access to authentication tokens and accounts even with multi-factor authentication (MFA) activated. It reportedly affects Windows, Linux and Mac versions and allows a threat actor with local access the ability to steal the tokens and create opportunities for unauthorised access to accounts.

Cybersecurity firm Vectra discovered the flaw when researching methods to identify and remove deactivated accounts and in doing so, located an ldb file with access tokens in clear text.

Further analysis found a “cookies” folder containing valid authentication tokens, account information, session data and marketing tags.

Both of these vulnerabilities have been reported to Microsoft, who although acknowledging the research, state that a fix would not be made available yet as “no security boundaries were bypassed” and that a threat actor must already have compromised the network.

With over 270 million users increasingly relying on Microsoft Teams as the main form of Voice over Internet Protocol (VoIP) and messaging communication, these vulnerabilities should not be ignored.

GIFShell demonstrates that as ‘traditional’ phishing techniques using other Microsoft office products (e.g. Microsoft O365 logins) becomes less effective, threat actors will inevitably adopt new tactics or techniques for exploitation.

Microsoft have determined that the reported vulnerabilities are valid, but only if the victim system is already compromised with the installation of malware and thus, do not warrant an immediate patch.

However, the identification of these vulnerabilities should encourage organisations to be aware of exploitation, including any URLs or downloads embedded in media that is sent from an unknown or suspicious account on Microsoft teams, even from within the same wider organisation.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).