Single Malicious GIF Opened Microsoft Teams to Nasty Attack

When I skimmed this I saw ‘fixed’ so was about to skip to the next story. Reading a little deeper you can see it’s been ‘fixed’ by some DNS changes which mitigate against the exploit, but the underlying authentication mechanism is still there waiting for the next mis-configured DNS record…:

Microsoft has fixed a subdomain takeover vulnerability in its collaboration platform Microsoft Teams that could of allowed an inside attacker to weaponized a single GIF image and use it to pilfer data from targeted systems and take over all of an organization’s Teams accounts.

The attack simply involved tricking a victim into viewing a malicious GIF image for it to work, according to researchers at CyberArk who also created a proof-of-concept (PoC) of the attack.

Microsoft neutralized the threat last Monday, updating misconfigured DNS records, after researchers reported the vulnerability on March 23.

“Even if an attacker doesn’t gather much information from a [compromised] Teams’ account, they could use the account to traverse throughout an organization (just like a worm),” wrote Omer Tsarfati, CyberArk cyber security researcher, in a technical breakdown of its discovery Monday. “Eventually, the attacker could access all the data from your organization Teams accounts – gathering confidential information, competitive data, secrets, passwords, private information, business plans, etc.”


Original article here