Microsoft puts out Outlook fire, says 'everything's fine' with Teams malware flaw

Microsoft is having a rough week with troubles including an Outlook.com bug that prevented some email users from searching their messages for several hours on Thursday, and a Teams flaw that allows people to send phishing emails and malware to other Teams users.
While the Outlook.com bug borking users' email was certainly an annoying inconvenience, perhaps a bigger problem is the Teams weakness.
The shortcoming can be exploited to bypass the chat app's security tools that prohibit external communications with files attached, thus allowing miscreants to send targeted phishing emails and malware to anyone else using Teams.
The two found a weakness in the latest version of Teams that can be exploited to bypass security controls and send files - specifically malware - to any organization that uses Teams.
"Give TeamsPhisher an attachment, a message, and a list of target Teams users. It will upload the attachment to the sender's Sharepoint, and then iterate through the list of targets," according to the program's GitHub repository.
It works on Microsoft Business account users - including those who use MFA - who also have a valid Teams and SharePoint license.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/07/06/microsoft_outlook_teams_flaws/