Cybersecurity consultant Bobby Rauch has discovered a new attack tactic in which threat actors exploit Microsoft Teams vulnerabilities. According to Rauch, attackers can easily leverage Microsoft Teams GIFs through these vulnerabilities to launch phishing, command execution, and data exfiltration schemes.
What is GIFShell?
Rauch has named the newly discovered attack technique involving MS Teams GIFs as GIFShell. The technique allows attackers to create a reverse shell to facilitate malicious command delivery via base64-encoded GIFs in MS Teams.
Using a malicious stager executable, the attackers can establish their dedicated MS Teams tenant and start the attack using the GIFShell Python script.
GIFShell installs malware on the device and can sneakily extract data under the guise of harmless GIF images. Rauch noted that the attack entails the exploitation of multiple vulnerabilities in MS Teams to create a chain of command executions.
Furthermore, attackers only need access to MS Teams and to any of the GIFs. Using Microsoft’s own web infrastructure, they can unpack the commands and execute them directly on the target computers.
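A defender-side check for the trick described above, added here as an example and not code from the article or from Rauch's GIFShell tooling: it walks a GIF's block structure, flags any bytes that follow the 0x3B trailer, and tries to base64-decode them. It assumes the hidden command is appended after the trailer; a payload hidden elsewhere (for instance inside a comment extension) would need the extension sub-blocks inspected too.

```python
import base64
import binascii
import struct

def _skip_sub_blocks(buf, pos):
    """Walk a chain of GIF data sub-blocks; return offset after the 0-length terminator."""
    while True:
        size = buf[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size

def gif_trailing_data(buf):
    """Parse the GIF block structure and return any bytes after the 0x3B trailer."""
    if buf[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = buf[10]                        # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                       # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while True:
        if pos >= len(buf):
            raise ValueError("truncated GIF: no trailer")
        tag = buf[pos]
        pos += 1
        if tag == 0x3B:                     # trailer: a well-formed image ends here
            return buf[pos:]
        if tag == 0x2C:                     # image descriptor
            lpacked = buf[pos + 8]
            pos += 9
            if lpacked & 0x80:              # local colour table
                pos += 3 * (2 ** ((lpacked & 0x07) + 1))
            pos += 1                        # LZW minimum code size
            pos = _skip_sub_blocks(buf, pos)
        elif tag == 0x21:                   # extension block (graphic control, comment, ...)
            pos += 1                        # extension label
            pos = _skip_sub_blocks(buf, pos)
        else:
            raise ValueError(f"unknown block 0x{tag:02x} at offset {pos - 1}")

def hidden_base64_payload(buf):
    """Return the decoded bytes if the trailing data is valid base64 text, else None."""
    tail = gif_trailing_data(buf).strip()
    if len(tail) < 8:                       # ignore a stray byte or two of padding
        return None
    try:
        return base64.b64decode(tail, validate=True)
    except (binascii.Error, ValueError):
        return None

def _tiny_gif():
    """Constructed 1x1 GIF89a: 2-entry global colour table, one image block, trailer."""
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    table = b"\x00\x00\x00\xff\xff\xff"
    image = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02" + b"\x02\x44\x01\x00"
    return header + table + image + b"\x3b"

CLEAN_GIF = _tiny_gif()                                           # constructed sample
SUSPECT_GIF = _tiny_gif() + base64.b64encode(b"constructed-sample")  # constructed sample
```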
In a blog post, Rauch stated that he notified Microsoft in May 2022. However, Microsoft claims that immediately releasing fixes for the attack is impossible. Moreover, the tech giant stated that the attack techniques “reported” by Rauch don’t meet the requisites for developing an urgent security fix.
“We’re constantly looking at new ways to better resist phishing to help ensure customer security and may take action in a future release to help mitigate this technique.”
Therefore, the best line of defense for you is not to open any GIFs shared by someone on MS Teams.