Security News > 2022 > September > GIFShell attack creates reverse shell using Microsoft Teams GIFs
A new attack technique called 'GIFShell' allows threat actors to abuse Microsoft Teams for novel phishing attacks and covertly executing commands to steal data using ... GIFs.
The new attack scenario, shared exclusively with BleepingComputer, illustrates how attackers can string together numerous Microsoft Teams vulnerabilities and flaws to abuse legitimate Microsoft infrastructure to deliver malicious files, commands, and perform exfiltrating data via GIFs.
Bypassing Microsoft Teams security controls allows external users to send attachments to Microsoft Teams users.
The main component of this attack is called 'GIFShell,' which allows an attacker to create a reverse shell that delivers malicious commands via base64 encoded GIFs in Teams, and exfiltrates the output through GIFs retrieved by Microsoft's own infrastructure.
Once the stager is in place, a threat actor would create their own Microsoft Teams tenant and contact other Microsoft Teams users outside of their organization.
As we previously said in our discussion about GIFShell, Microsoft Teams allows Microsoft Teams users to message users in other Tenants by default.
News URL
Related news
- Hidden Threats: How Microsoft 365 Backups Store Risks for Future Attacks (source)
- Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware (source)
- Microsoft Defender will isolate undiscovered endpoints to block attacks (source)
- US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks (source)
- Microsoft is killing Skype today, pushes users to Teams (source)
- New Microsoft 365 outage impacts Teams and other services (source)
- Microsoft Teams will soon block screen capture during meetings (source)