Microsoft puts out Outlook fire, says 'everything's fine' with Teams malware flaw

Microsoft is having a rough week with troubles including an Outlook.com bug that prevented some email users from searching their messages for several hours on Thursday, and a Teams flaw that allows people to send phishing emails and malware to other Teams users.
While the Outlook.com bug borking users' email was certainly an annoying inconvenience, perhaps a bigger problem is the Teams weakness.
The shortcoming can be exploited to bypass the chat app's security tools that prohibit external communications with files attached, thus allowing miscreants to send targeted phishing emails and malware to anyone else using Teams.
The two found a weakness in the latest version of Teams that can be exploited to bypass security controls and send files - specifically malware - to any organization that uses Teams.
"Give TeamsPhisher an attachment, a message, and a list of target Teams users. It will upload the attachment to the sender's Sharepoint, and then iterate through the list of targets," according to the program's GitHub repository.
It works on Microsoft Business account users - including those who use MFA - who also have a valid Teams and Sharepoint license.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/07/06/microsoft_outlook_teams_flaws/