“This unique C2 infrastructure can be leveraged by sophisticated threat actors to avoid detection by EDR and other network monitoring tools. Particularly in secure network environments, where Microsoft Teams might be one of a handful of allowed, trusted hosts and programs, this attack chain can be particularly devastating,” says Raunch. “Two additional vulnerabilities discovered in Microsoft Teams, a lack of permission enforcement and attachment spoofing, allow for the GIFShell stager to be convincingly dropped and executed on the victim’s machine, completing the attack chain from victim compromise to covert communications.” Rauch told Microsoft about the vulnerability in May and then again in June 2022. He says the issues affect Microsoft Teams versions 1.5.00.11163 or earlier. According to the consultant, the flaws remain unpatched since. This means attackers still have the chance to conduct GIFShell attacks on users. It seems Microsoft told Rauch that the vulnerabilities to not meet the company’s “bar of servicing” but did compliment him on “great research”. “Oftentimes, companies and engineering teams make design decisions based on ‘assumed risk,’ whereby a potentially low impact vulnerability is left unpatched or a security feature is disabled by default, in order to achieve some business objective,” Raunch argues. “I believe this research is demonstrative of an instance where a series of design decisions and “assumed risks” made by a product engineering team, can be chained together into a more pernicious attack chain, and a far higher risk exploit than the product designers imagined was possible.”
Microsoft Response
Microsoft spoke to BleepingComputer and gave the outlet basically the same line it gave to Rauch: “This type of phishing is important to be aware of and as always, we recommend that users practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. “We’ve assessed the techniques reported by this researcher and have determined that the two mentioned do not meet the bar for an urgent security fix. We’re constantly looking at new ways to better resist phishing to help ensure customer security and may take action in a future release to help mitigate this technique.” Tip of the day: Is your system drive constantly full and you need to free up space regularly? Try Windows Disk Cleanup in extended mode which goes far beyond the standard procedure. Our tutorial also shows you how to create a desktop shortcut to run this advanced method right from the desktop.
