The Navy does a lot of stuff that, ostensibly, has nothing to do with ships and submarines. One of them is information security research and the latest batch shows how some recent bugs discovered in the Microsoft Teams communication suite can be exploited. “TeamsPhisher,” as the experimental tool is called, can be used to send attachments throughout a Teams group from an outside source, potentially infecting an entire company without any security clearance.
The Python-based tool was published by Alex Reid of the Navy’s Red Team, a group that simulates attacks on vital infrastructure and suggests methods for mitigating the risks. Using multiple publicly-known flaws in Teams, the software package can access a Teams group as a member of an outside organization, then send messages and attachments to multiple members of an organization’s internal Team. The only prerequisites are that at least one of the users have a Microsoft Business account and Sharepoint installed.
According to BleepingComputer, the system can be used to implement fairly standard phishing or infection techniques. There are even ways to refine an automated attack like making files appear specific to the user or making messages appear with a timed delay so they’re not obviously bot-generated. Once the messages and files are spread, it would be trivial for an attacker to gain remote access to Windows systems without some fairly robust extra security in place.
The vulnerabilities utilized by TeamsPhisher are known and acknowledged by Microsoft, but there’s currently no plan for them to be addressed. “We’re aware of this report and have determined that it relies on social engineering for it to be successful,” a spokesman told BleepingComputer. Reid suggests that Teams users block external domains to prevent this kind of attack.