Microsoft Teams Is Vulnerable To GIFShell Attacks

Security teams working hard to protect their organisations against vulnerabilities often don't realise that their level of risk depends heavily on the configuration of their SaaS applications.

Now, a new attack technique called ‘GIFShell’ allows threat actors to abuse Microsoft Teams for phishing attacks and covertly executing commands to steal data using image files in Graphics Interchange Format, commonly known as GIFs. 

By abusing the legitimate Microsoft infrastructure, an attacker can bypass security controls, make malicious files appear to be harmless and exfiltrate critical data.

The exploit has been dubbed “GIFShell,” and its main component is a GIF image that contains a hidden Python script. This crafted image is sent to a Microsoft Teams user to create a reverse shell. To achieve that, the attacker needs the victim to install a “Stager,” an executable that actually executes the commands embedded in the GIF.

GIFShell Attack Method

The GIFShell attack technique enables bad actors to exploit several Microsoft Teams features and exfiltrate data using GIFs without being detected by Endpoint Detection & Response (EDR) and other network monitoring tools.

This attack method requires a device or user that is already compromised. The main component allows an attacker to create a reverse shell that delivers malicious commands via base64-encoded GIFs in Teams and exfiltrates the output through GIFs retrieved by Microsoft's own infrastructure.

  • To create this reverse shell, an attacker must first compromise a computer to plant the malware, which means the bad actor needs to convince the user to install a malicious stager, for example through phishing. The stager executes commands and uploads command output via a GIF URL to a Microsoft Teams webhook.
  • Once the stager is in place, the threat actor creates their own Microsoft Teams tenant and contacts other Microsoft Teams users outside of the organisation. 
  • The threat actor can then use a GIFShell Python script to send a message to a Microsoft Teams user that contains a specially crafted GIF. This legitimate GIF image has been modified to include commands to execute on a target's machine.
  • When the target receives the message, the message and the GIF will be stored in Microsoft Teams' logs. Important to note: Microsoft Teams runs as a background process, so the GIF does not even need to be opened by the user for the attacker's commands to be received and executed.
  • The stager monitors the Teams logs and when it finds a GIF, it extracts and runs the commands.
  • Microsoft's servers will connect back to the attacker's server URL to retrieve the GIF, which is named using the base64 encoded output of the executed command.
  • The GIFShell server running on the attacker's server will receive this request and automatically decode the data, allowing the attackers to see the output of the command run on the victim's device.

Microsoft's Response

The respected security analyst Bobby Rauch first discovered the exploit, and Microsoft appears to agree that this attack method is a problem. However, Microsoft does not presently consider it to be sufficiently serious to release an urgent security fix, as no security boundaries have been bypassed. While Rauch points to "two additional vulnerabilities discovered in Microsoft Teams, a lack of permission enforcement and attachment spoofing", Microsoft is saying that this technique uses legitimate features of the Teams platform and is not something it can mitigate currently. "For this case… these all are post exploitation and rely on a target already being compromised."

While it seems likely Microsoft will take action in a future software release to mitigate this attack technique, this remains a challenge that many organisations face right now: platform configurations and features that threat actors can exploit if they are not made secure.

How to Protect Against the GIFShell Attack

There are security configurations within Microsoft that can be made more secure and help to prevent this type of attack. These include:

Disable External Access: Microsoft Teams, by default, allows all external senders to send messages to users within that tenant. Many organisation admins are likely not even aware that their organisation allows external Teams collaboration. You can harden these configurations:

Disable External Domain Access: Prevent people in your organisation from finding, calling, chatting, and setting up meetings with people external to your organisation in any domain. While not as seamless a process as through Teams, this better protects the organisation and is worth the extra effort.

Disable Unmanaged External Teams Start Conversation: Block Teams users in your organisation from communicating with external Teams users whose accounts are not managed by an organisation.
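The two settings above can be audited and applied from the Teams PowerShell module. The script below is an added example, not code from the article or from Adaptive Shield; it assumes Teams administrator rights and an existing Connect-MicrosoftTeams session, and the cmdlet and parameter names are the module's own.

```powershell
# Added example, not from the article: audit and then harden the Teams
# federation settings the article recommends, using the MicrosoftTeams
# PowerShell module. Assumes Teams administrator rights and an existing
# session (Connect-MicrosoftTeams); parameter names are the module's own.
# Run the audit section first; the Set- call changes tenant-wide behaviour.

# Snapshot the current tenant settings so the change can be reviewed and,
# if needed, reverted with the saved values.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers | Format-List

# Each of these defaults to $true, which is the exposure described above.
$weak = @{
    AllowFederatedUsers       = 'External domain access is enabled'
    AllowTeamsConsumer        = 'Chat with unmanaged (consumer) Teams accounts is enabled'
    AllowTeamsConsumerInbound = 'Unmanaged Teams accounts may start conversations'
}
foreach ($name in $weak.Keys) {
    if ($before.$name) { Write-Warning ("{0}: {1}" -f $name, $weak[$name]) }
}

# Harden: the hashtable is splatted into the Set- cmdlet as named parameters.
$hardened = @{
    AllowFederatedUsers       = $false   # "Disable External Domain Access"
    AllowTeamsConsumer        = $false   # "Disable Unmanaged External Teams ..."
    AllowTeamsConsumerInbound = $false   # ... and stop them starting conversations
}
Set-CsTenantFederationConfiguration @hardened

# Verify the change took effect rather than trusting the call's silence.
$after = Get-CsTenantFederationConfiguration
foreach ($name in $hardened.Keys) {
    if ($after.$name -ne $false) { throw "$name is still enabled after hardening" }
}
Write-Host 'Teams external access hardened; use the saved $before values to restore if needed.'
```

If a few partner domains must stay reachable, the same cmdlet also accepts an allowed-domains list instead of a blanket block, which keeps the exposure limited to domains you have vetted.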

Gain Device Inventory Insight: You can ensure your entire organisation's devices are fully compliant and secure by using your XDR / EDR / Vulnerability Management solution, like CrowdStrike or Tenable. Endpoint security tools are your first line of defence against suspicious activity such as accessing the device's local Teams log folder, which is used for data exfiltration in GIFShell.
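The log-folder access mentioned above is a concrete thing to hunt for in endpoint telemetry. The following is an added example, not from the article or any vendor: it runs a simple rule over a constructed sample of file-access events and reports any process other than the Teams client that reads the Teams log folder. The folder pattern and the expected process names are assumptions about a Windows install of the classic Teams client.

```powershell
# Added example, not from the article: flag processes other than the Teams
# client that read the client's local log folder, the access the article
# says endpoint tooling should watch for. The sample events are constructed,
# and the folder pattern and process names are assumptions about a Windows
# install of the classic Teams client, not values taken from the article.

# Where the classic client keeps its logs (assumed): %APPDATA%\Microsoft\Teams
$teamsLogPattern  = '\\AppData\\Roaming\\Microsoft\\Teams\\'
# Processes expected to touch that folder (assumed); everything else is suspect.
$allowedProcesses = @('teams.exe', 'update.exe')

# Constructed sample of file-access events, in the shape an EDR/SIEM export might use.
$sampleCsv = @'
Time,Process,Operation,Path
2022-09-12T10:01:03Z,C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe,ReadFile,C:\Users\alice\AppData\Roaming\Microsoft\Teams\logs.txt
2022-09-12T10:01:09Z,C:\Users\alice\Downloads\invoice_viewer.exe,ReadFile,C:\Users\alice\AppData\Roaming\Microsoft\Teams\logs.txt
2022-09-12T10:01:10Z,C:\Windows\System32\notepad.exe,ReadFile,C:\Users\alice\Documents\notes.txt
2022-09-12T10:02:44Z,C:\Program Files\PowerShell\7\pwsh.exe,ReadFile,C:\Users\alice\AppData\Roaming\Microsoft\Teams\IndexedDB\000003.log
'@

function Find-TeamsLogAccess {
    param([Parameter(Mandatory)][string]$Csv)
    foreach ($e in ($Csv | ConvertFrom-Csv)) {
        # Only reads inside the Teams log folder are of interest.
        if ($e.Path -notmatch $teamsLogPattern) { continue }
        # Take the image name regardless of path separator, then compare case-insensitively.
        $proc = (($e.Process -split '[\\/]')[-1]).ToLowerInvariant()
        if ($proc -in $allowedProcesses) { continue }
        [pscustomobject]@{
            Time    = $e.Time
            Process = $e.Process
            Path    = $e.Path
            Reason  = 'Non-Teams process read the Teams log folder'
        }
    }
}

Find-TeamsLogAccess -Csv $sampleCsv | Format-Table -AutoSize
```

In real use, replace $sampleCsv with an export from your EDR's file-access telemetry and extend $allowedProcesses with any backup or DLP agent that legitimately reads user profiles.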

You can even go a step further and integrate an SSPM (SaaS Security Posture Management) solution, like Adaptive Shield, with your endpoint security tools to gain visibility and context to easily see and manage the risks that stem from these types of configurations, your SaaS users, and their associated devices.

How To Automate Protection Against GIFShell Attacks 

There are two methods to combat misconfigurations and harden security settings: manual detection and remediation or an automated SaaS Security Posture Management (SSPM) solution. With the multitudes of configurations, users, devices, and new threats, the manual method is an unsustainable drain on resources, leaving security teams overwhelmed. 

An SSPM solution enables security teams to gain complete control over their SaaS apps and configurations.  

The right SSPM automates and streamlines the process of monitoring, detection and remediation for SaaS misconfigurations, SaaS-to-SaaS access, SaaS related IAM, and Device-to-SaaS user risk in compliance with both industry and company standards. 

In cases such as the GIFShell attack method, Adaptive Shield's misconfiguration management features enable security teams to continuously assess, monitor, identify and alert when there is a misconfiguration. They can then quickly remediate through the system or use a ticketing system of choice to send the pertinent details for fast remediation.

