Vulnerability Reported in Microsoft Teams

A critical vulnerability affecting Microsoft^® Teams^® has been reported. The vulnerability involves attackers sending a specially crafted chat message to Teams users. Once viewed by users, the message executes its payload, enabling malicious access to user chats, private keys, files, networks, and personal information.

The offending messages appear harmless often containing an @username mention, either in direct messages or posts to a channel. Once viewed, the message captures the recipient’s sign-on information and enables remote code execution on the user’s machine.

The vulnerability is characterized as a zero-click, cross platform, wormable, remote code execution (RCE). Users do not have to interact with the code for it to execute; simply viewing the message is enough. The Teams vulnerability can be exploited across various operating systems, including Windows, Linux, MacOS, and internet versions of the application. The exploit can be transmitted by reposting, such that it can be moved across accounts and infect entire channels. The exploit enables attackers to execute their own commands on user systems remotely.

The vulnerability was first reported to Microsoft in August. Microsoft has updated this (and other) vulnerabilities in its latest patch delivery.

ACA Guidance

The discovered vulnerability indicates the extreme importance of enforcing patch updating for critical applications. In this case, merely viewing a seemingly innocuous @mention in Teams could lead to exfiltration of significant company and personal data. Further, the “no user action required” nature of this vulnerability reinforces the need to ensure that all Office365^® applications have configurations in place to maximize security by default.

ACA Aponix recommends taking the following actions regarding the discovered Teams vulnerability:

• Urgently apply the latest Microsoft patches to all systems across the organization
• If not already in place, consider implementing a company-wide, enforced, and automated patching policy
• Provide further protection against a similar exploit of “domain name services cache poisoning caused by IP fragmentation.” Workaround instructions have been provided by Microsoft here.
• Assess Office365 configuration, to ensure that maximum protection is afforded against this and other potential vulnerabilities
• Monitor system logs and other security resources for unusual activity
• Assure that data backup and related resiliency plans are up-to-date and functional
• Review and update existing incident response plans to prepare reaction in the event of a breach
• Strongly encourage third-party vendors to apply this and other patch updates as part of a larger vendor oversight program

How We Help

ACA Aponix offers the following solutions that can help your firm in light of the discovered vulnerability, software patching programming, Office365 security configuration, and with data security in general.

• Microsoft^® Office 365^® security assessment
• Cybersecurity and technology risk assessments
• Penetration testing and vulnerability assessments
• Threat intelligence
• Cyber incident response planning
• Policies, procedures and governance
• Phishing testing and cyber awareness
• Mock regulatory cyber exams

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.

Contact Us