Security News > 2023 > July > Microsoft puts out Outlook fire, says 'everything's fine' with Teams malware flaw

Microsoft is having a rough week with troubles including an Outlook.com bug that prevented some email users from searching their messages for several hours on Thursday, and a Teams flaw that allows people to send phishing emails and malware to other Teams users.

While the Outlook.com bug borking users' email was certainly an annoying inconvenience, perhaps a bigger problem is the Teams weakness.

The shortcoming can be exploited to bypass the chat app's security tools that prohibit external communications with files attached, thus allowing miscreants to send targeted phishing emails and malware to anyone else using Teams.

The two found a weakness in the latest version of Teams that can be exploited to bypass security controls and send files - specifically malware - to any organization that uses Teams.

"Give TeamsPhisher an attachment, a message, and a list of target Teams users. It will upload the attachment to the sender's Sharepoint, and then iterate through the list of targets," according to the program's GitHub repository.

It works on Microsoft Business account users - including those who use MFA - who also have a valid Teams and Sharepoint license.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/07/06/microsoft_outlook_teams_flaws/