Microsoft Teams vulnerability could let attackers hijack user accounts.
Researchers found two Microsoft subdomains that were vulnerable to subdomain takeover. In a subdomain takeover, an attacker registers a non-existent domain name to gain control over another domain. The subdomains were aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com. When a user viewed an image sent from one of these compromised subdomains, their account forwarded the “authtoken”, which inadvertently gave the attacker the ability to create the “Skypetoken”. Exploiting the vulnerability would have involved sending victims a malicious GIF file.
The impact of this vulnerability could have been severe. An attacker could access all the data from the victim’s organization’s Teams accounts and gather sensitive information.
The vulnerability affected every Microsoft Teams version for desktop and web browser. Findings were disclosed to Microsoft on March 23rd.
Misconfigured DNS records were corrected on the same day and Microsoft issued a patch for Teams on April 20th. According to Microsoft, there are no indications that the leak has been actively exploited.
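The misconfigured records behind a subdomain takeover can be found by auditing your own zone for CNAME entries whose target no longer resolves. The following Python check is an added example, not code from the researchers or Microsoft. The zone data, the `.test` hostnames and the function names are constructed for illustration.

```python
import socket

# Constructed sample zone export (not real Microsoft records): (name, type, target)
SAMPLE_ZONE = [
    ("www.example.test", "CNAME", "web-frontend.cdn-provider.test"),
    ("sync-test.example.test", "CNAME", "old-sync-app.cloud-host.test."),
    ("data-dev.example.test", "CNAME", "Retired-Dev.cloud-host.test"),
    ("mail.example.test", "A", "192.0.2.10"),
]

def system_resolves(hostname):
    """Default resolver: True if the OS resolver returns any address.
    A temporary DNS failure also returns False, so re-check findings."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def find_dangling_cnames(zone, resolves=system_resolves):
    """Return (name, target) for every CNAME whose target does not resolve.

    These are takeover candidates: the subdomain still points at a name
    that nobody holds any more. A target that resolves but is unclaimed
    at a hosting provider is NOT caught by this check.
    """
    findings = []
    for name, rtype, target in zone:
        if rtype.upper() != "CNAME":
            continue  # only alias records can dangle this way
        target = target.rstrip(".").lower()  # normalise FQDN form and case
        if not resolves(target):
            findings.append((name, target))
    return findings

def offline_demo():
    """Run the audit against a constructed set of live hostnames."""
    live = {"web-frontend.cdn-provider.test"}
    return find_dangling_cnames(SAMPLE_ZONE, resolves=lambda h: h in live)

if __name__ == "__main__":
    for name, target in offline_demo():
        print(f"DANGLING: {name} -> {target} (target does not resolve)")
```

Calling `find_dangling_cnames(zone)` without the `resolves` argument uses the operating system resolver against a real zone export.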
Read more: docs.microsoft.com/en-us/microsoftteams/known-issues