Check Point Email Security | Blog

New Teams Attack Delivers Instant Malware

Written by Jeremy Fuchs | June 29, 2023

A recently discovered vulnerability in Microsoft Teams has opened the door for non-employees to effortlessly send harmful files to employees without undergoing any scanning process.

According to researchers at JUMPSEC, threat actors can essentially bypass any client-side security controls that prevent external tenants from sending files.

Hackers are then using this bypass to introduce malware. 

While Microsoft Teams is primarily utilized as an effective means of internal communication within organizations, it also offers the convenience of connecting with external companies. By default, Teams allows individuals outside the company to seamlessly interact with employees, fostering collaboration beyond organizational boundaries.

When an individual from outside the organization makes contact, a conspicuous "external" banner appears at the top of the message. Unfortunately, numerous users tend to overlook this banner, particularly when the attacker is posing as a trusted partner.

In addition, cybercriminals are capitalizing on a vulnerability known as "insecure direct object references" or IDOR, which enables the sender of a file to manipulate the recipient ID, whether internal or external.

This vulnerability essentially allows hackers to bypass all security measures and deliver the harmful payload directly into the user's inbox as a SharePoint file. The scary part is, all it takes is a simple click from the user.
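A simplified model of the IDOR described above, added here as an illustration; it is not Microsoft Teams code and not from the original post, and the directory, class and function names are hypothetical. It shows why a file-sharing policy enforced only in the client fails when the server accepts a sender-supplied recipient ID, and the server-side check that closes the gap.

```python
from dataclasses import dataclass

# Constructed directory mapping user id -> tenant (all names hypothetical).
DIRECTORY = {"alice": "corp", "bob": "corp", "mallory": "outside"}

@dataclass(frozen=True)
class SendRequest:
    sender: str        # authenticated identity, bound to the session by the server
    recipient_id: str  # read from the request body, so the sender controls it
    has_file: bool

class PolicyError(Exception):
    """Raised when the server refuses a request."""

def client_allows(req: SendRequest) -> bool:
    # UI-side rule: no file attachments in cross-tenant chats.
    # A hand-built request never passes through this function.
    cross = DIRECTORY[req.sender] != DIRECTORY[req.recipient_id]
    return not (cross and req.has_file)

def deliver_vulnerable(req: SendRequest) -> str:
    # Assumes the client enforced the policy; only checks the recipient exists.
    if req.recipient_id not in DIRECTORY:
        raise PolicyError("unknown recipient")
    return f"delivered to {req.recipient_id}"

def deliver_hardened(req: SendRequest) -> str:
    # Re-derives both tenants from server-side data and re-applies the policy.
    if req.sender not in DIRECTORY or req.recipient_id not in DIRECTORY:
        raise PolicyError("unknown sender or recipient")
    cross = DIRECTORY[req.sender] != DIRECTORY[req.recipient_id]
    if cross and req.has_file:
        raise PolicyError("files from external tenants are blocked")
    return f"delivered to {req.recipient_id}"

def policy_gaps(requests):
    """Return requests the vulnerable path accepts but the hardened path rejects."""
    gaps = []
    for req in requests:
        try:
            deliver_vulnerable(req)
        except PolicyError:
            continue  # rejected even by the weak path, so not a gap
        try:
            deliver_hardened(req)
        except PolicyError:
            gaps.append(req)
    return gaps

# Constructed sample traffic: internal file, external text, external file.
SAMPLES = [SendRequest("alice", "bob", True), SendRequest("mallory", "alice", False),
           SendRequest("mallory", "alice", True)]
```
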

This is similar to an attack we wrote about in 2020. In that attack, a compromised Microsoft Teams account in a partner organization fooled users at a global financial institution into sharing insider information. 

Over time, the ease of sharing malicious payloads has significantly increased. In this latest attack on Teams, all it takes is a simple message to do the trick.

With HEC, if the user has Teams protection in place, we'll sandbox any file and remove it if malware is found. 

In the current landscape, it is imperative to prioritize the security of collaboration applications like Teams. Forrester's latest Wave report emphasizes the importance of extending the same level of protection that is developed for the email inbox to these environments. However, when it comes to robust safeguards against these attacks and more, only Harmony Email & Collaboration delivers the comprehensive defense needed.

To combat attacks like these, simply monitoring activity and flagging it for review is insufficient.

They need to be blocked. With HEC, for chat applications, every file is scanned in a sandbox for malicious content and quarantined as necessary. Links within files and messages are scanned and quarantined, and the sender is notified. For file-sharing apps, we scan all uploaded files for malicious content and block malicious links within files.

Attacks like this will only increase in number and severity.

Proactive, preventative security is the only way to go.