TeamsPhisher Tool Release by Navy's Red Team
You can take a look at the tool and its operation in the picture here.
A member of the U.S. Navy’s red team has released ‘TeamsPhisher,’ a tool that exploits an unresolved security flaw in Microsoft Teams, allowing attackers to bypass the restrictions on files sent by external users.
The tool tricks Microsoft Teams’ client-side protections into treating an external user as internal, making it easier to deliver malware from an external account. The flaw was discovered by the company Jumpsec.
‘TeamsPhisher’ is Python-based and offers a fully automated attack, combining ideas from security researchers at Jumpsec and techniques from ‘TeamsEnum.’
“The issue that TeamsPhisher exploits is still present and Microsoft told Jumpsec researchers that it did not meet the bar for immediate servicing.”
It verifies target user existence, sends a message with a Sharepoint attachment link, and even offers a “preview mode” to ensure the attack’s effectiveness. They really thought of the red teamers this time, how kind.
“Give TeamsPhisher an attachment, a message, and a list of target Teams users. It will upload the attachment to the sender’s Sharepoint, and then iterate through the list of targets,” reads the description from the developer of the red team utility.
TeamsPhisher requires users to have a Microsoft Business account (MFA is supported) with a valid Teams and Sharepoint license, which is common for many major companies.
Microsoft’s comment: “We’re aware of this report and have determined that it relies on social engineering to be successful. We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”