Microsoft Teams bug allowing unpatched phishing since March

Microsoft Teams security vulnerabilities not fixed since March

Microsoft has said it will not fix, or will postpone fixes for, several security vulnerabilities affecting the Microsoft Teams link preview feature that were reported to it in March 2021.

Fabian Bräunlein, co-founder of German IT security consultancy Positive Security, discovered four vulnerabilities: a server-side request forgery (SSRF), URL preview spoofing, an IP address leak (Android), and a denial of service (DoS) nicknamed "Message of Death" (Android).

Bräunlein reported the four vulnerabilities to the Microsoft Security Response Center (MSRC), which investigates vulnerability reports for Microsoft products and services.

“The vulnerabilities allow access to internal Microsoft services, spoofing of the link preview and, for Android users, disclosure of their IP address and DoS of their Teams app/channels,” the researcher said.

Of the four vulnerabilities, Microsoft has addressed only the one that attackers could use to learn the IP addresses of targets using Android devices.

For the remaining bugs, Microsoft stated that the SSRF will not be fixed in the current release, while a fix for the DoS will be considered in a future release.

Unpatched bug exposes users to phishing

The URL preview spoofing bug, which malicious actors could use in phishing attacks or to disguise malicious links, was judged by Microsoft not to pose an immediate threat to Teams users.

“MSRC investigated this issue and concluded that it is not an immediate threat requiring urgent attention, as once the user clicks on the URL, they will be taken to the malicious URL, which would indicate that this is not what the user expected,” Microsoft said.

“Although the vulnerabilities discovered have a limited impact, it is surprising both that such simple attack vectors have apparently not been tested before and that Microsoft does not have the will or the resources to protect its users,” the researchers added.


Part of the reason for the company’s decision not to address the spoofing bug is that, since July, Teams has also been covered by Defender for Office 365 Safe Links protection, which is meant to protect users against URL-based phishing attacks.

While Safe Links protection is available to all Teams users and covers links shared in conversations, group chats, and Teams channels, it is not on by default: it must first be enabled by creating a Safe Links policy in the Microsoft 365 Defender portal (or through Exchange Online PowerShell) and scoping that policy to the intended recipients.
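The following is an added example, not code from the article or from Microsoft, showing how an administrator would check whether an existing Safe Links policy actually covers Teams and, if not, create one from Exchange Online PowerShell. It uses the real `ExchangeOnlineManagement` cmdlets (`Get-SafeLinksPolicy`, `New-SafeLinksPolicy`, `New-SafeLinksRule`); the policy name, the admin account and the domain `contoso.com` are placeholders. The check in step 1 matters because a tenant can have Safe Links configured for e-mail while `EnableSafeLinksForTeams` is still `$false`, which is the weak setting this page is about.

```powershell
# Added example (not from the article): enable Defender for Office 365 Safe Links
# for Microsoft Teams via Exchange Online PowerShell. Requires the
# ExchangeOnlineManagement module and a Security/Exchange admin role.
# The policy/rule name, admin UPN and domain 'contoso.com' are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$policyName = 'Teams Safe Links'

# 1. Check existing policies. A policy with EnableSafeLinksForTeams = False
#    leaves Teams messages unprotected even when e-mail links are rewritten,
#    and AllowClickThrough = True lets users bypass the warning page.
Get-SafeLinksPolicy |
    Format-Table Name, EnableSafeLinksForTeams, AllowClickThrough, TrackClicks -AutoSize

# 2. Create the policy if it does not exist, otherwise tighten the Teams settings.
if (-not (Get-SafeLinksPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name $policyName `
        -EnableSafeLinksForTeams $true `
        -EnableSafeLinksForEmail $true `
        -ScanUrls $true `
        -DeliverMessageAfterScan $true `
        -EnableForInternalSenders $true `
        -AllowClickThrough $false `
        -TrackClicks $true
} else {
    Set-SafeLinksPolicy -Identity $policyName `
        -EnableSafeLinksForTeams $true `
        -AllowClickThrough $false
}

# 3. A policy does nothing until a rule scopes it to recipients.
if (-not (Get-SafeLinksRule -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-SafeLinksRule -Name $policyName `
        -SafeLinksPolicy $policyName `
        -RecipientDomainIs 'contoso.com' `
        -Priority 0
}

# 4. Verify the effective settings before signing off.
Get-SafeLinksPolicy -Identity $policyName |
    Select-Object Name, EnableSafeLinksForTeams, AllowClickThrough, ScanUrls

Disconnect-ExchangeOnline -Confirm:$false
```

Safe Links rewrites and checks the link target at click time, so it only mitigates the preview-spoofing issue when the policy is both enabled for Teams and scoped to the users in question; run step 1 in any tenant before assuming the protection Microsoft cites is in effect.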
