Security News > 2022 > September > Microsoft Teams' GIFShell Attack: What Is It and How You Can Protect Yourself from It

The newly published GIFShell attack method, which occurs through Microsoft Teams, is a perfect example of how threat actors can exploit legitimate features and configurations that haven't been correctly set.
Discovered by Bobby Rauch, the GIFShell attack technique enables bad actors to exploit several Microsoft Teams features to act as a C&C for malware, and exfiltrate data using GIFs without being detected by EDR and other network monitoring tools.
Once the stager is in place, the threat actor creates their own Microsoft Teams tenant and contacts other Microsoft Teams users outside of the organization.
While Rauch claims that indeed "Two additional vulnerabilities discovered in Microsoft Teams, a lack of permission enforcement and attachment spoofing", Microsoft argues, "For this case these all are post exploitation and rely on a target already being compromised." Microsoft is asserting that this technique is using legitimate features from the Teams platform and not something they can mitigate currently.
Disable unmanaged external teams start conversation - Block Teams users in your organization from communicating with external Teams users whose accounts are not managed by an organization.
In cases such as the GifShell attack method, Adaptive Shield's misconfiguration management features enables security teams to continuously assess, monitor, identify and alert for when there is a misconfiguration.
News URL
https://thehackernews.com/2022/09/microsoft-teams-gifshell-attack-what-is.html
Related news
- CISA tags Microsoft .NET and Apache OFBiz bugs as exploited in attacks (source)
- Critical RCE bug in Microsoft Outlook now exploited in attacks (source)
- Microsoft Identifies 3,000 Leaked ASP.NET Keys Enabling Code Injection Attacks (source)
- Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries (source)
- If you dread a Microsoft Teams invite, just wait until it turns out to be a Russian phish (source)
- Microsoft: Hackers steal emails in device code phishing attacks (source)
- Microsoft's End of Support for Exchange 2016 and 2019: What IT Teams Must Do Now (source)
- Microsoft fixes Power Pages zero-day bug exploited in attacks (source)
- Botnet targets Basic Auth in Microsoft 365 password spray attacks (source)
- New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint (source)