Security researchers have discovered a technique for delivering malware through Microsoft Teams that bypasses the restrictions on files sent from external sources. The attack takes advantage of the default Microsoft Teams configuration, which allows communication with external tenant accounts. By manipulating the recipient ID in a message’s POST request, the researchers deceived the system into treating an external user as an internal one, which lets an attacker deliver a malicious payload directly to the target’s inbox. The attack therefore evades client-side protections, and the payload appears as a legitimate file within the target organization, significantly increasing the likelihood that it will be downloaded. Although Microsoft was informed of the flaw, it has not classified it as urgent and has not provided a timeline for resolving the issue. To mitigate the risk, organizations are strongly advised to either disable external access in the Microsoft Teams Admin Center or restrict external access to specific domains by using an allow-list.
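The two mitigations above can also be applied and verified from the MicrosoftTeams PowerShell module, which manages the same tenant-wide external access setting. This is an added example, not taken from the referenced article; the partner domains are placeholders, and the choice between the two options is an assumption to adjust per tenant.

```powershell
# Added example. Requires the MicrosoftTeams module and a Teams administrator role.
# Placeholder domains (constructed): replace with the partners you actually federate with.
$TrustedPartners = @('partner-a.example', 'partner-b.example')
$UseAllowList    = $true   # $false = disable external access entirely

Connect-MicrosoftTeams | Out-Null

# 1. Record the current state before changing anything. With the default
#    configuration, AllowFederatedUsers is True and no domain restriction applies.
$before = Get-CsTenantFederationConfiguration
$before | Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains

# 2. Apply one of the two mitigations.
if ($UseAllowList) {
    # Allow-list: only the named domains may reach users in this tenant.
    $list = New-Object 'Collections.Generic.List[String]'
    foreach ($domain in $TrustedPartners) { $list.Add($domain) }
    Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $list
}
else {
    # No business need for external tenants: turn external access off.
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
}

# 3. Read the setting back to confirm the change was stored.
$after = Get-CsTenantFederationConfiguration
$after | Format-List AllowFederatedUsers, AllowedDomains

if (-not $UseAllowList -and $after.AllowFederatedUsers) {
    Write-Warning 'External access is still enabled; re-check the tenant configuration.'
}
```

Keeping the output of step 1 gives a record of the previous setting in case the change has to be reviewed or rolled back.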

Relevant URL: https://www.bleepingcomputer.com/news/security/microsoft-teams-bug-allows-malware-delivery-from-external-accounts/