
Microsoft Teams Default Settings Allow Malware

What Happened?

Security researchers have discovered a vulnerability in Microsoft Teams that allows for the delivery of malware to organizations, even with restrictions in place for external file sources. Microsoft Teams, with its large user base of 280 million monthly active users, is widely used as a communication and collaboration platform by organizations.

Max Corbridge and Tom Ellson from security services company Jumpsec identified a method to deliver malware using Microsoft Teams from an account outside the target organization.

Impact on Organizations

The attack takes advantage of Microsoft Teams’ default configuration, which allows communication with external tenant accounts. By manipulating the internal and external recipient ID in a message’s POST request, the researchers were able to trick the system into treating an external user as an internal one. This method circumvents client-side protections that block file delivery from external tenant accounts. As a result, attackers can send a malicious payload directly to a target inbox, posing a significant threat to organizations using Microsoft Teams with default settings.

Objectives of the Hackers

The discovered attack bypasses existing security measures and anti-phishing training, providing attackers with a relatively simple way to infect organizations. By registering a domain similar to the target organization’s on Microsoft 365, attackers can make their messages appear as if they originate from within the organization. This technique increases the likelihood of the target downloading the file and falling victim to the attack. The primary objective of the hackers is to deliver a command and control payload covertly, exploiting the flaw in Microsoft Teams’ file delivery mechanism.

Microsoft’s Response and Recommendations

The researchers promptly reported their findings to Microsoft, expecting an urgent response. Microsoft acknowledged the flaw but stated that it did not meet the criteria for an immediate fix, indicating that it does not view the issue as critical.

Organizations using Microsoft Teams are advised to disable communication with external tenants if it is not needed. Alternatively, specific domains can be defined in an allow-list to reduce the risk of exploitation. The researchers have also asked Microsoft to add external tenant-related events to the software’s logging, which could aid in preventing such attacks in the future.
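One way to apply the two mitigations above with the MicrosoftTeams PowerShell module, shown as an added example that is not from the researchers or Microsoft. The domains `partner.example` and `supplier.example` are placeholders, and the script needs a Teams administrator account.

```powershell
# Added example: audit and restrict Teams external access (federation).
# Without -Apply the script only reports the current tenant settings.
param(
    # Placeholder domains; pass an empty list to turn external access off entirely.
    [string[]]$AllowedPartnerDomains = @('partner.example', 'supplier.example'),
    [switch]$Apply
)

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# 1. Report the current state. AllowFederatedUsers = True with no explicit
#    allow-list is the open default configuration the article describes.
$before = Get-CsTenantFederationConfiguration
Write-Host "Current AllowFederatedUsers : $($before.AllowFederatedUsers)"
Write-Host "Current AllowedDomains      : $($before.AllowedDomains)"

if (-not $Apply) {
    Write-Host 'Audit only. Re-run with -Apply to change the tenant configuration.'
    return
}

if ($AllowedPartnerDomains.Count -eq 0) {
    # 2a. External communication is not needed: disable it.
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
}
else {
    # 2b. External communication is needed: restrict it to named domains.
    $patterns = foreach ($domain in $AllowedPartnerDomains) {
        New-CsEdgeDomainPattern -Domain $domain
    }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList
}

# 3. Read the configuration back to confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains |
    Format-List
```

Run it once without `-Apply` to record the existing settings before changing them.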



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.