#SecTorCa: How One Malicious Message Could Exploit an Enterprise

Written by

Following the global transition to remote working that began in March of this year due to the COVID-19 pandemic, Omer Tsarfati, cybersecurity researcher at CyberArk Labs, found himself using Microsoft Teams more than ever before.

Being a security researcher, Tsarfati wanted to make sure the software he was using was actually secure – which it wasn’t. In fact, he and his teams discovered a critical flaw that could have potentially enabled an attacker to intercept messages across a company and possibly even launch broader attacks. The flaw was patched by Microsoft in April with few concrete details, however, Tsarfati explained the whole incident with new information in a session at the SecTor security conference.

Tsarfati explained that Microsoft Teams is a deeply integrated technology that connects with both Microsoft and non-Microsoft technologies. The integration with different technologies includes the use of access credentials known as OAuth tokens that authenticate the user with the given technology.

What Tsarfati and his team were able to discover was that Microsoft was using an authentication configuration approach that created a source of vulnerability, such that one malicious message could enable an attacker to gain access to multiple systems and user information.

How the Exploit Works

Tsarfati explained that one way to trigger the exploit would be to send a victim an email with a malicious link, which would then drop a cookie on the user’s system. That cookie could then read improperly configured information in Microsoft Teams to gain access to connected systems, including Outlook and Sharepoint.

He noted that organizations train employees not to click on links, as phishing is a known risk, so instead his team came up with a non-invasive approach to get the malicious cookie onto a victim’s system. That’s part of what was disclosed in Apri; a malicious GIF image that could be used to exploit Microsoft Teams.

Tsarfati said that simply by visiting a page in a web browser that has a malicious GIF image embedded in it, an attacker could pass the bad cookies to an endpoint and gain unauthorized access to other services. Adding further insult to injury, he noted that an attacker could also then further weaponize the vulnerability by spreading it to other users and across an organization’s network.

While Microsoft has patched the issue, Tsarfati was asked if other collaboration tools beyond Teams might have similar risks. He noted that it’s highly likely that is possible, if researchers take the time to look.

Though Microsoft has patched the issue, Tsarfati recommended that users remain vigilant. When sharing any confidential information, he suggested not sharing in the open in an email or in a document. According to Tsarfati, any sensitive and confidential information should always be encrypted to help prevent unauthorized access and limit risk.

What’s hot on Infosecurity Magazine?