The tool, available on GitHub, gives attackers a method to exploit the newly disclosed vulnerability in Microsoft Teams to automatically deliver malicious files to Teams users in an organization.
TeamsPhisher is the name of a new tool, created by a member of the United States Navy's Red Team, that exploits a vulnerability recently exposed in Microsoft Teams. It allows potential attackers to efficiently distribute malicious files to specific users within an organization that uses Teams.
TeamsPhisher works in environments where internal Teams users can communicate with external Teams users (referred to as tenants).
The tool removes the need for conventional phishing or social engineering techniques by allowing attackers to send payloads directly to targeted people's inboxes.
TeamsPhisher is able to trick Microsoft Teams' client-side protections into treating an external user as internal simply by modifying the ID in a message's POST request. The tool is Python-based and fully automated.
Alex Reid, the Red Team member who developed the tool, noted that to use it you have to provide TeamsPhisher “with an attachment, a message, and a list of target Teams users. It will upload the attachment to the sender’s Sharepoint and then iterate through the target list.”
TeamsPhisher combines the attack idea of Jumpsec researchers (who noticed the recent vulnerability last June), the techniques developed by Andrea Santese (on leveraging Microsoft Teams for initial access) and the authentication and helper functions of Bastian Kanbach’s TeamsEnum tool (which finds existing users and their online status).
The tool only works for users with a Microsoft Business account with a valid Teams and SharePoint license.
Teams is used by thousands of organizations and has about 280 million users, who use it as part of Microsoft 365 cloud-based services.
The company has not officially commented on TeamsPhisher. For its part, Jumpsec, which warned of the vulnerability, advises organizations to evaluate whether they need to allow communication between internal Teams users and external users or tenants, and suggests strengthening security controls or disabling the option altogether if it is not required regularly.
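One way to carry out the review Jumpsec recommends, as an added example that is not part of the original article or of TeamsPhisher: the function below grades a tenant's external-access settings. It assumes the allow-list has been flattened to plain domain names, `Test-TeamsExternalAccess` and `ApprovedDomains` are hypothetical names, and the sample tenants are constructed.

```powershell
# Added example (not TeamsPhisher code): review Teams external-access settings.
# Runs offline on constructed values. On a live tenant the inputs come from
# Get-CsTenantFederationConfiguration (MicrosoftTeams PowerShell module).

function Test-TeamsExternalAccess {
    param(
        [Parameter(Mandatory)] [bool] $AllowFederatedUsers,
        # Allow-list flattened to domain names; empty means "any external domain".
        [string[]] $AllowedDomains = @(),
        # Hypothetical input: partner domains the business has approved.
        [string[]] $ApprovedDomains = @()
    )

    if (-not $AllowFederatedUsers) {
        return [pscustomobject]@{ Risk = 'Low'; Detail = 'External tenants cannot message internal users.' }
    }
    if ($AllowedDomains.Count -eq 0) {
        return [pscustomobject]@{
            Risk   = 'High'
            Detail = 'Any external tenant can message internal users. If not required: ' +
                     'Set-CsTenantFederationConfiguration -AllowFederatedUsers $false'
        }
    }
    # An allow-list is in place: report entries nobody has approved.
    $unapproved = @($AllowedDomains | Where-Object { $_ -notin $ApprovedDomains })
    if ($unapproved.Count -gt 0) {
        return [pscustomobject]@{ Risk = 'Medium'; Detail = "Unapproved allowed domains: $($unapproved -join ', ')" }
    }
    [pscustomobject]@{ Risk = 'Low'; Detail = 'External access limited to approved partner domains.' }
}

# Constructed sample tenants (not real data).
$samples = @(
    @{ AllowFederatedUsers = $true;  AllowedDomains = @() },
    @{ AllowFederatedUsers = $true;  AllowedDomains = @('partner.example', 'old-vendor.example'); ApprovedDomains = @('partner.example') },
    @{ AllowFederatedUsers = $false }
)
foreach ($s in $samples) { Test-TeamsExternalAccess @s }
```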