Teams external participant splash screen bypass
Today I was preparing a demonstration on Teams phishing and was baffled, as Microsoft finally, after almost 2 years, fixed an important vector.
The group chat now also shows a big splash screen warning the user about the risk of an external participant writing.
The splash screen can be bypassed in at least one simple way (and I bet there are more).
- Create a full-day meeting
- Invite the external “victim”
- Write the participants
After seeing the splash screen for the first time, I was quite baffled and thought MS had finally fixed it. At first glance this also looked solid.
But after playing around with it a little, there was a gap in the meeting part of Teams: the meeting chat is lacking this kind of protection.
This can be abused without the participant accepting the meeting.
The vector is as follows:
Invite the external “victim” as participant
Congrats, you bypassed a security protection.
If you look closely at the screenshots, you will also see that Unicode characters are still not getting filtered in usernames and can also tamper with the layout.
1: Unicode Characters like locks and checkmarks might create a sense of trust
2: A lot of whitespace chars generate line breaks and move things apart
3: Teams Blue anyone? Only 25$ per month + E5 needed.
4: The “External” flag for Account-Migration is moved out of sight via whitespaces
PS: If you think I leaked the “GaulishVillage.com” domain, yeah, this is also spoofed :)
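A defender-side check for the display-name tricks listed above, as an added example that is not code from the original post: it flags symbol characters, invisible or control characters, and whitespace padding in a sender's display name. The function name, the threshold and the sample names are assumptions made for illustration; how the names are collected is left out.

```python
import unicodedata

# So = symbols (locks, checkmarks, emoji), Cf = invisible format characters,
# Cc = control characters (tab, newline), Zl/Zp = line/paragraph separators.
# Cf also covers joiners used legitimately in some scripts, so treat a Cf hit
# as a reason to review the name, not as proof of spoofing.
SUSPICIOUS_CATEGORIES = {"So", "Cf", "Cc", "Zl", "Zp"}
MAX_SPACE_RUN = 2  # assumed threshold; longer runs are treated as padding


def audit_display_name(name: str) -> list:
    """Return findings for one display name; an empty list means clean."""
    findings = []

    def note(item):
        if item not in findings:
            findings.append(item)

    run = longest = 0
    for ch in name:
        cat = unicodedata.category(ch)
        codepoint = f"U+{ord(ch):04X}"
        if cat in SUSPICIOUS_CATEGORIES:
            note(f"{cat}:{unicodedata.name(ch, codepoint)}")
        if cat == "Zs" and ch != " ":
            note(f"non-ascii-space:{codepoint}")
        # Any whitespace-like character counts toward a padding run.
        if ch.isspace() or cat in {"Zs", "Zl", "Zp"}:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    if longest > MAX_SPACE_RUN:
        note(f"whitespace-run:{longest}")
    if name != name.strip():
        note("leading-or-trailing-whitespace")
    return findings


# Constructed sample names, not taken from the post's screenshots.
SAMPLES = [
    "Asterix Gaul",
    "IT Helpdesk \U0001F512\u2705",
    "Account-Migration" + "\u2003" * 30 + ".",
    "Helpdesk\n\n\nTeam",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", audit_display_name(sample) or "clean")
```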
Remember that even Microsoft had a quite lax policy regarding external collaboration, as I already stated here: https://twitter.com/pfiatde/status/1686339326773252096
Phishing via Teams has been hot for almost two years now. Microsoft took such a long time to decrease the risk of a quite trivial issue, and now it was quite easy to bypass.
I also reported this to MSRC, but I really do not expect a fix in the near future, so be aware.