GIFShell: Microsoft Teams attack uses GIFs to open reverse shells

The popular communications platform Microsoft Teams was targeted in a new attack method that uses GIFs to open reverse shells. This novel approach can be used by attackers to utilize weaknesses in Microsoft’s infrastructure to deliver malicious payloads, modify files, and steal data, reports BleepingComputer.

The Graphical Interface Format (GIF) can be an entertaining and sometimes thought provoking way of spreading ideas, videos or animation. Shared throughout the internet, this controversially pronounced format can be dangerous in nefarious hands. This new technique called GIFShell can bypass Microsoft security measures to execute commands, modify attachments and even exfiltrate data.

THE ATTACK

This new attack vector was discovered by Bobby Rauch, a cybersecurity researcher and penetration tester. Published on his Medium page, Rauch demonstrates how “GIFShell” chains together several Micosoft Teams vulnerabilities to execute this attack. To hide their tracks, attackers utilize Microsoft’s own servers to deliver payloads and move data.

Rauch points out that many organizations are unaware that Microsoft Teams allows external Teams collaboration, allowing communication between attacker and victim tenants. This allows an avenue for an initial stager payload to be delivered to the victim. The stager then scans for base64 encoded GIFs that contain embeded malicious code. These modified GIFs are then decoded by the GIFShell stager to commands that can be executed on the victim machine.

REMEDIATION

Rauch suggests organizations turn of the default settings that allow external access in the Microsoft Teams Admin Center.