What if a seemingly harmless animated GIF image could suddenly snatch your Microsoft Teams account and the sensitive information stored within it? What if, using the same image that you inadvertently open, the attacker could take over your business and even attack other accounts to which your account is connected? This apparently unbelievable case of internet hacking has actually occurred and was, fortunately, intercepted and neutralized by Microsoft in collaboration with CyberArk, the team of researchers that discovered it.
The Vulnerable Data
Full disclosure of the attack was revealed by CyberArk security researchers on March 23, 2020. The attack takes the form of a subdomain takeover, whereby Microsoft Teams users can be made to send an authentication token (cookies) to the compromised subdomains, exposing their confidential data to theft. This data may include passwords, private information, calendar reminders and scheduled meetings, business plans, business competition information, and other confidential data.
Subdomain Takeover Attack
This attack stems from Microsoft’s method of managing the sharing of data across different Microsoft Teams platforms and servers. Whenever users access their Microsoft Teams account and open an application, the platform creates a temporary access token and authenticates it. Supported services, such as Microsoft Outlook and SharePoint, also create similar tokens.
All content that is shared on the platform is protected by permission restrictions so that only eligible parties can access it. Microsoft enforces these permissions using two cookies, “authtoken” and “skypetoken_asm.” The Skype token is then sent to Microsoft Teams’ website and its subdomains. Two subdomains, namely addsync-test.teams.microsoft.com and data-dev.teams.microsoft.com, were shown to be vulnerable to a subdomain takeover attack.
The domino effect commences when the subdomains are taken over by an attacker. The automatically generated authtoken is sent to the compromised subdomains. The attacker, having received the authtoken, can generate a Skype token that they can use to sneak into the victim’s Microsoft Teams account and steal every piece of vulnerable information. With the acquired authtoken, the attacker can also perform various administrative tasks within the victim’s Microsoft Teams account, including reading and sending messages, creating new groups, adding users to and removing users from groups, and altering groups’ permissions.
In short, with the automatically generated authtoken, the attacker can practically take over the victim’s Microsoft Teams account and all the functions and data within.
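A defender-side audit of the two conditions the write-up describes (a subdomain whose DNS record can be taken over, and a cookie scope that sends the authtoken to every subdomain), as an added Python example that is not CyberArk’s or Microsoft’s code. The CNAME targets, the offline resolver and the assumption that the cookie’s Domain attribute is teams.microsoft.com are constructed for the example; the two subdomain names come from the article.

```python
from typing import Callable, Dict, Iterable, List

# Added example, not CyberArk's or Microsoft's code. Constructed zone fragment:
# the two subdomain names are from the write-up; the CNAME targets are placeholders.
CONSTRUCTED_ZONE: Dict[str, str] = {
    "teams.microsoft.com": "teams-prod.example-cloud.invalid",
    "addsync-test.teams.microsoft.com": "addsync-test.example-cloud.invalid",
    "data-dev.teams.microsoft.com": "data-dev.example-cloud.invalid",
}
# Constructed resolver state: only this target still exists; the others are
# decommissioned names that anyone could register, i.e. takeover candidates.
CONSTRUCTED_LIVE_TARGETS = {"teams-prod.example-cloud.invalid"}


def constructed_resolves(host: str) -> bool:
    """Offline stand-in for a DNS lookup (True if the name resolves)."""
    return host in CONSTRUCTED_LIVE_TARGETS


def find_dangling_cnames(zone: Dict[str, str], resolves: Callable[[str], bool]) -> List[str]:
    """Names whose CNAME target no longer resolves: the takeover precondition."""
    return sorted(name for name, target in zone.items() if not resolves(target))


def cookie_domain_matches(cookie_domain: str, host: str) -> bool:
    """RFC 6265 domain-match: host equals the Domain or is a subdomain of it."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def hosts_receiving_cookie(cookie_domain: str, hosts: Iterable[str]) -> List[str]:
    """Hosts a browser would send a cookie scoped to cookie_domain to."""
    return sorted(h for h in hosts if cookie_domain_matches(cookie_domain, h))


def exposed_subdomains(zone, resolves, cookie_domain: str) -> List[str]:
    """Dangling names that are also inside the cookie's Domain scope, i.e.
    hosts where a takeover would hand the attacker the authtoken cookie."""
    return hosts_receiving_cookie(cookie_domain, find_dangling_cnames(zone, resolves))


if __name__ == "__main__":
    for name in exposed_subdomains(CONSTRUCTED_ZONE, constructed_resolves, "teams.microsoft.com"):
        print("authtoken cookie would reach dangling host:", name)
```

Removing or re-pointing the dangling records (what Microsoft did with the misconfigured DNS) empties the result; narrowing the cookie’s Domain to the exact host would also keep the token away from the stale subdomains.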
How Does the Attack Occur?
The attack starts with the attacker sending a malicious GIF image to a victim through the latter’s Microsoft Teams platform. This is done after the attacker has successfully taken over the vulnerable Microsoft Teams subdomains. The victim is unlikely to be suspicious of the received image because it is sent from within the platform once the subdomain takeover is complete. The authtoken is generated and sent to the compromised subdomains when the victim opens the image, right before the image loads in the browser.
The victim only needs to open the attached image for the attack to succeed!
What If There Is Nothing to Steal?
Even if the attacker finds nothing of value after successfully sneaking into the victim’s Microsoft Teams account, the attack can still be dangerous for other accounts that happen to be connected to the victim’s account. The attack can spread across different accounts like a worm and cause more serious, possibly irreparable, damage.
If the victim’s account is connected to a company account, the attacker can exploit this vulnerability to spread false information, to issue fake instructions purporting to come from company leadership to the employees, and to take malicious actions that may lead to financial problems, data theft, and business collapse.
Why Does the Attack Matter, Especially Today?
Microsoft Teams has long been a collaborative platform for both individuals and companies. Any undetected vulnerability on this platform is a serious risk for all users. These risks have always been serious, so why are they even more serious today?
Companies are requiring their staff to work from home as Covid-19 strikes. When virtually everyone works at home, online collaborative platforms like Microsoft Teams become the primary hubs for business interactions, transactions, and competition. Attacks that occur there can lead to truly grave situations when the world’s economy practically runs on such platforms.
CyberArk security researchers reported their findings to Microsoft after discovering the vulnerability on March 23. They subsequently worked with the Microsoft Security Research Center to take the necessary measures to mitigate the potential attack. Microsoft immediately removed the misconfigured DNS records as part of the mitigation effort and released a patch to deal with the newly discovered vulnerability.