Teams external participant splash screen bypass

Today I was preparing a demonstration on Teams phishing and was baffled, as Microsoft finally, after almost 2 years, fixed an important vector.

The group chat now also shows a big splash screen warning the user about the risk of an external participant writing.

The new splash screen, with a good warning message

tl;dr

The splash screen can be bypassed in at least one simple way (and I bet there are more).

  • Create a full-day meeting
  • Invite the external “victim”
  • Write to the participants
  • Done

The splash screen will be bypassed.

Victim view: Bypass the splash screen

Details

After seeing the splash screen for the first time, I was quite baffled and thought MS had finally fixed it. At first glance this also looked solid.

But after playing around with it a little, there was a gap in the meeting part of Teams, and the meeting chat is lacking this kind of protection.

This can be abused without the participant accepting the meeting.

The vector is as follows:

  • Create a new meeting (screenshot: Create a full-day meeting)

  • Invite the external “victim” as participant

  • Ensure that the meeting chat is on (screenshot: Check the settings for the meeting)

  • Initiate the group chat with the meeting participants (screenshot: Start the group chat)

Congrats, you bypassed a security protection.

Victim view: Bypass the splash screen

There is some space for improvements

Bonus

If you look closely at the screenshots, you will also see that Unicode characters are still not getting filtered in usernames and can also tamper with the layout.

Tampered layout

1: Unicode Characters like locks and checkmarks might create a sense of trust

2: A lot of whitespace chars generate line breaks and move things apart

3: Teams Blue anyone? Only 25$ per month + E5 needed.

4: The “External” flag for Account-Migration is moved out of sight via whitespace

PS: If you think I leaked the “GaulishVillage.com” domain, yeah, this is also spoofed :)
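A defender-side check for the display-name tricks listed above, as an added example that is not part of the original post: it flags names containing symbol characters, whitespace padding, invisible characters or line breaks. The function names, the threshold and the sample names are constructed assumptions.

```python
import unicodedata

# Assumption: a legitimate name never needs more consecutive spaces than this.
MAX_SPACE_RUN = 2
LINE_BREAKS = {"\n", "\r", "\x0b", "\x0c", "\x85", "\u2028", "\u2029"}


def audit_display_name(name: str) -> list[str]:
    """Return the sorted reasons a display name could mislead or shift the layout."""
    findings = set()
    run = 0  # length of the current run of space-like characters
    for ch in name:
        cat = unicodedata.category(ch)
        is_space = cat == "Zs" or ch == "\t"
        run = run + 1 if is_space else 0
        if run > MAX_SPACE_RUN:
            findings.add("whitespace-padding")  # can push the "External" label away
        if cat == "Zs" and ch != " ":
            findings.add("exotic-space")        # e.g. EM SPACE, NO-BREAK SPACE
        if ch in LINE_BREAKS:
            findings.add("line-break")
        elif cat == "Cf":
            findings.add("invisible")           # zero-width and other format chars
        elif cat == "So":
            findings.add("symbol")              # locks, checkmarks, other pictographs
    return sorted(findings)


def flag_names(names: list[str]) -> dict[str, list[str]]:
    """Keep only the names that produced at least one finding."""
    return {n: f for n in names if (f := audit_display_name(n))}


# Constructed sample display names (not taken from the post's screenshots).
SAMPLES = [
    "Anna Schmidt",
    "Jos\u00e9 M\u00fcller",                  # legitimate non-ASCII letters stay clean
    "IT Support \U0001F512\u2705",            # lock + checkmark
    "Account-Migration" + "\u2003" * 30,      # EM SPACE padding
    "Help\u200bdesk",                         # zero-width space
    "Admin\n\nVerified",                      # embedded line breaks
]

if __name__ == "__main__":
    for name, reasons in flag_names(SAMPLES).items():
        print(repr(name), "->", ", ".join(reasons))
```

Run it over the sender display names from whatever chat export or audit source is available; letters from any script pass, so international names do not trigger it.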

Bonus Bonus

Remember that even Microsoft had a quite lax policy regarding external collaboration, as I already stated here: https://twitter.com/pfiatde/status/1686339326773252096

External collaboration enabled for Microsoft

Conclusion

Phishing via Teams has been hot for almost two years now. Microsoft took such a long time to decrease the risk of a quite trivial issue and now it was quite easy to bypass.

I also reported this to MSRC, but I really do not expect a fix within the near future, so be aware.

Check your settings