
04/30/2020

Microsoft Teams vulnerability patched, could lead to account takeover

SC Magazine

Microsoft’s Teams collaboration platform contains a vulnerability that can be exploited with a malicious GIF, enabling an attacker to take over a company’s Teams accounts.

The issue resides in two Teams sub-domains that were vulnerable to takeover, aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com, said CyberArk researchers. Once a sub-domain has been taken over, the attacker can use it to obtain a legitimate certificate, eventually allowing the threat actor to gain access to a company’s Teams account base, scrape data or take over accounts.

“If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim’s browser will send this cookie to the attacker’s server and the attacker (after receiving the authtoken) can create a skype token. After doing all of this, the attacker can steal the victim’s Teams account data,” the researchers said.

CyberArk notified Microsoft of the issue, and a patch has been issued.
