Obscurities with MS Teams part 3
This time we look mostly at the accounts used for phishing.
When phishing via Teams, the attacker controls the source AAD tenant and can therefore set any username (display name) they want. This opens up several possibilities:
- E-Mail as username
- Suffix the username to generate some context around the (External) warning Teams appends
- Unicode spaces, to break the layout and move things out of sight
- Unicode emojis to generate trust
- Unicode characters (Right-To-Left-Override, …) to break things
Furthermore, when sending a message we can include many HTML tags, producing unusual-looking messages which might trick users.
Punycode in links is also interpreted, so URLs can be spoofed with it as well.
Obscurities with MS Teams part 2
I got some feedback, which motivated me to dig a little deeper into the social engineering possibilities with Teams. And surprise, there are still many small “features” which can be abused.
Choose a Username
As the attacker controls their own AAD tenant, they can choose whatever username they want. This provides a lot of interesting possibilities.
If we look at the AAD user management, we see that there is no real restriction on usernames besides a maximum length of 256 characters. That's a lot, so let's dive in.
E-Mail as username
We can choose an e-mail address as the username, which is then shown to the victim.
NOTE: No further warnings or indicators are shown besides what is visible in the screenshots.
Not that bad, but still not good.
Suffix the username to generate some context around the (External) warning Teams appends
You might ask why the indicator for external users is in the same font and size, and also inline. I really don't know.
Unicode spaces, to break the layout and move things out of sight
It is getting better.
🚒 Unicode emojis to generate trust 🚒
Unicode characters (Right-To-Left-Override, …) to break things
There are some additional Unicode characters well known to cause trouble in applications that interpret them. The most famous is probably the “Right-to-Left Override” (RLO) character, U+202E:
If we add such a character to the username, the rendering breaks.
It might be possible to abuse this behaviour somehow, but I did not come up with a good vector, as “(lanretxE)” is not a very meaningful word.
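The username tricks above (e-mail as name, a self-chosen “(External)” suffix, Unicode spaces, emojis and RLO) all leave traces in the raw display name string. As an added example, not code from the original post, here is a small Python checker a defender could run over display names pulled from chat exports or the Graph API. It flags each trick, normalizes the name for alerting, and roughly models why an RLO-prefixed “(External)” renders as “(lanretxE)”. The character sets and the rendering model are my own approximations, not a full implementation of the Unicode bidi algorithm.

```python
import re
import unicodedata

# Unicode bidirectional controls: RLO/LRO (U+202E/U+202D), the other embedding
# and pop controls, the isolates and the LRM/RLM marks.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f"
)
# Whitespace and invisible characters other than a plain ASCII space
# (em/en spaces, NBSP, ideographic space, zero-width characters, BOM).
ODD_SPACES = frozenset(
    "\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008"
    "\u2009\u200a\u2028\u2029\u202f\u205f\u3000\u200b\u200c\u200d\u2060\ufeff"
)
EMAIL_RE = re.compile(r"[^\s@]+@[^\s@]+\.[A-Za-z]{2,}")
EXTERNAL_RE = re.compile(r"\bexternal\b", re.IGNORECASE)
BRACKET_MIRROR = str.maketrans("()[]{}<>", ")(][}{><")


def analyze_display_name(name):
    """Return a list of findings for an (attacker-chosen) display name."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-control")
    if any(ch in ODD_SPACES for ch in name):
        findings.append("unusual-whitespace")
    # Emoji such as U+1F692 (fire engine) are in the "Symbol, other" category.
    if any(unicodedata.category(ch) == "So" for ch in name):
        findings.append("symbol-or-emoji")
    if EMAIL_RE.search(name):
        findings.append("email-like")
    # A self-chosen "(External)" mimics the label Teams itself appends.
    if EXTERNAL_RE.search(name):
        findings.append("external-label-spoof")
    return findings


def normalize_display_name(name):
    """Drop bidi controls and collapse all whitespace, for logging and alerting."""
    cleaned = "".join(
        " " if ch in ODD_SPACES else ch for ch in name if ch not in BIDI_CONTROLS
    )
    return " ".join(cleaned.split())


def approximate_rendering(name):
    """Rough model (assumption, not the real bidi algorithm) of how a name with
    an RLO (U+202E) is displayed: the run after the RLO is drawn right-to-left,
    so it appears reversed and its brackets are mirrored, until a PDF (U+202C)."""
    if "\u202e" not in name:
        return name
    before, after = name.split("\u202e", 1)
    run, _, rest = after.partition("\u202c")
    return before + run[::-1].translate(BRACKET_MIRROR) + rest


if __name__ == "__main__":
    # Constructed sample names, in the style of the post's screenshots.
    for sample in (
        "Anna Schmidt",
        "firstname.lastname@example.org",
        "IT Support" + "\u2003" * 20 + "(External)",
        "\U0001F692 IT Support \U0001F692",
        "Helpdesk \u202e(External)",
    ):
        print(repr(normalize_display_name(sample)), analyze_display_name(sample))
    print(approximate_rendering("\u202e(External)"))
```

Hovering still shows the real tenant, so the checker is only a triage aid: a name with no findings is not proof of a legitimate sender, and an (External) label that Teams itself appended will also match the last rule, so compare against the directory attribute rather than the rendered string where you can.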
Sending a formatted message
If we look at the HTTP requests for a message, we see that various HTML elements are allowed. This allows crafting unusual-looking messages. And if something looks special or unusual, it must be reserved for administrators!
In this case, by adding three <div>s we can craft a table-like layout. The verification icon is included as base64 data.
Okay, so a secure, “verified” firstname.lastname@example.org account, moving some indicators out of view and sending a verified message? Nice.
PS: It is of course possible to craft an even more plausible scenario and a better-looking layout, but TEAMS BLUE was good enough for the demonstration.
Chaining it and spicing it up
So we can send an HTML-formatted message to the victim, and as we need a group chat anyway to circumvent a warning screen, we can simply add another attacker-controlled user who confirms that the update worked great.
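The message side of the chain (the nested <div> layout with an inline base64 “verified” icon described above) can be spotted in the HTML body of a message just as the username tricks can be spotted in the display name. As an added example, not code from the original post, this Python inspector walks a message body with the standard-library HTML parser and flags inline data: images, deep <div> nesting, table layouts and hidden content; the “verified” text heuristic and the thresholds are my own assumptions. The sample message is constructed here and its base64 payload is a placeholder, not a real icon.

```python
from html.parser import HTMLParser


class MessageInspector(HTMLParser):
    """Collect layout and embedded-image findings from a Teams message body
    (an HTML string, e.g. the body of a chatMessage with contentType "html")."""

    def __init__(self):
        super().__init__()
        self.depth = 0       # current <div> nesting depth
        self.max_depth = 0
        self.text = []
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "div":
            self.depth += 1
            self.max_depth = max(self.max_depth, self.depth)
        elif tag == "img":
            src = attrs.get("src", "").strip().lower()
            if src.startswith("data:"):
                # An inline icon is how a fake "verified" badge is smuggled in.
                self.findings.add("inline-data-image")
            elif src and not src.startswith("https://"):
                self.findings.add("non-https-image")
        elif tag in ("table", "tr", "td"):
            self.findings.add("table-layout")
        style = attrs.get("style", "").replace(" ", "").lower()
        if any(s in style for s in ("display:none", "visibility:hidden", "font-size:0")):
            self.findings.add("hidden-content")

    def handle_endtag(self, tag):
        if tag == "div" and self.depth > 0:
            self.depth -= 1

    def handle_data(self, data):
        self.text.append(data)


def inspect_message_html(html):
    """Return the sorted list of findings for one message body."""
    parser = MessageInspector()
    parser.feed(html)
    parser.close()
    findings = set(parser.findings)
    if parser.max_depth >= 3:           # assumed threshold for "table-like" div stacks
        findings.add("nested-div-layout")
    text = " ".join(parser.text).lower()
    if "inline-data-image" in findings and "verified" in text:
        findings.add("fake-verification-badge")
    return sorted(findings)


# Constructed sample imitating the three-<div> "verified update" layout;
# the base64 value is a truncated placeholder, not an actual image.
SAMPLE_MESSAGE = (
    '<div><div><div><img src="data:image/png;base64,iVBORw0KGgo=" alt="">'
    " Verified</div><div>Please install the TEAMS BLUE update.</div></div></div>"
)

if __name__ == "__main__":
    print(inspect_message_html(SAMPLE_MESSAGE))
    print(inspect_message_html("<p>Hi, are you joining the 3pm call?</p>"))
```

Legitimate rich messages also use <div>s and sometimes tables, so treat these findings as enrichment for a message from an external tenant rather than as a block rule on their own.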
Bonus: Punycode URLs
If we send some punycode URLs, Teams is not resolving them to the
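Because Teams renders punycode hostnames as their Unicode form, the classic IDN homograph trick applies: a link whose ASCII form is xn--pple-43d.com is displayed as “аpple.com” with a Cyrillic а. As an added example, not code from the original post, this Python helper decodes each xn-- label with the standard-library punycode codec, reports which scripts are mixed inside a label, and builds an ASCII lookalike from a small hand-picked confusable map (my own subset; the full Unicode confusables.txt is far larger). The example URLs are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Hand-picked Cyrillic letters that are visually identical to Latin ones in
# most fonts (assumed subset; consult Unicode confusables.txt for real coverage).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q",
}
# Scripts we distinguish by the first word of the character's Unicode name;
# digits, hyphens and other "common" characters are ignored.
SCRIPTS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC"}


def decode_label(label):
    """Decode one DNS label; punycode labels carry the ACE prefix xn--."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_of(label):
    found = set()
    for ch in label:
        try:
            first = unicodedata.name(ch).split(" ")[0]
        except ValueError:      # unnamed code point
            continue
        if first in SCRIPTS:
            found.add(first)
    return found


def inspect_url(url):
    """Decode the host of a URL and flag mixed-script or confusable labels."""
    host = (urlsplit(url).hostname or "").lower()
    labels = [decode_label(label) for label in host.split(".")]
    unicode_host = ".".join(labels)
    lookalike = "".join(CONFUSABLES.get(ch, ch) for ch in unicode_host)
    mixed = any(len(scripts_of(label)) > 1 for label in labels)
    return {
        "host": host,                    # what is on the wire
        "unicode_host": unicode_host,    # what Teams shows the user
        "lookalike": lookalike,          # what the user thinks they see
        "mixed_script": mixed,
        "suspicious": mixed or lookalike != unicode_host,
    }


if __name__ == "__main__":
    for url in (
        "https://xn--pple-43d.com/login",
        "https://teams.microsoft.com/l/chat/0/0",
    ):
        print(inspect_url(url))
```

Whole-script spoofs (every letter Cyrillic) are not mixed-script, which is why the lookalike comparison is kept as a second signal; extend CONFUSABLES before relying on it.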
Microsoft has made some improvements to Teams, especially regarding security. However, it is still not clear to me why the remaining attack surface is so big and why so much tampering is possible. I am quite sure that there are more ambitious ways to build an even better phishing chain.
Countermeasures and indicators
- Turn off external collaboration for unknown domains / tenants.
- Hovering over a user account shows the e-mail address / the tenant. But keep in mind that the usual spoofing techniques still apply here. So maybe a new .zip or .eu domain, or some Uppercase
- Showing profile pictures seems to be restricted to the same tenant