Security News > 2022 > September > Microsoft Teams' GIFShell Attack: What Is It and How You Can Protect Yourself from It

The newly published GIFShell attack method, which occurs through Microsoft Teams, is a perfect example of how threat actors can exploit legitimate features and configurations that haven't been correctly set.
Discovered by Bobby Rauch, the GIFShell attack technique enables bad actors to exploit several Microsoft Teams features to act as a C&C for malware, and exfiltrate data using GIFs without being detected by EDR and other network monitoring tools.
Once the stager is in place, the threat actor creates their own Microsoft Teams tenant and contacts other Microsoft Teams users outside of the organization.
While Rauch claims that indeed "Two additional vulnerabilities discovered in Microsoft Teams, a lack of permission enforcement and attachment spoofing", Microsoft argues, "For this case these all are post exploitation and rely on a target already being compromised." Microsoft is asserting that this technique is using legitimate features from the Teams platform and not something they can mitigate currently.
Disable unmanaged external teams start conversation - Block Teams users in your organization from communicating with external Teams users whose accounts are not managed by an organization.
In cases such as the GifShell attack method, Adaptive Shield's misconfiguration management features enables security teams to continuously assess, monitor, identify and alert for when there is a misconfiguration.
News URL
https://thehackernews.com/2022/09/microsoft-teams-gifshell-attack-what-is.html
Related news
- New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint (source)
- New Microsoft 365 outage impacts Teams, causes call failures (source)
- Microsoft Teams tactics, malware connect Black Basta, Cactus ransomware (source)
- Hidden Threats: How Microsoft 365 Backups Store Risks for Future Attacks (source)
- Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware (source)
- Microsoft Defender will isolate undiscovered endpoints to block attacks (source)