Teams external participant splash screen bypass #2

Finally, after several months and a “very smooth communication”, meaning 4 months of nothing from Microsoft, they patched the External Participant Bypass via meeting invitations. As this was always a great vector for spear phishing during red teaming assessments, I clicked around a little in Teams and, mild shock, this is not bulletproof.

tl;dr

The splash screen can be bypassed again in at least one simple way (and I still bet there are more). There is a caveat: this does not enable chatting with the user, only one-way communication.

  • Create a group chat
  • Invite the external “victim”
  • Write your message
  • Splash screen will be shown to the user
  • Remove the user from participants
  • Splash screen will also be removed

The splash screen will be bypassed.

Screenshot, victim view: bypassing the splash screen

Details

  • Create a group chat

  • Invite the external “victim”

Screenshot, attacker view: invite the victim(s)

Bonus

You can also rename the group chat to whatever you want. So why not a nice email address like AccountServices@victim.org.

Screenshot, attacker view: change the chat description

  • Write your message

  • Splash screen will be shown to the user

Screenshot, victim view: splash screen shown

  • Remove the user from participants

Screenshot, attacker view: remove the user

  • Splash screen will also be removed

Screenshot, victim view: bypassing the splash screen

There is a limitation, as the victim cannot reply to us. We can still send new messages by adding them and removing them again, but the limitation remains. This must be considered in the phishing context.

Bonus

This also works with files.

Screenshot, victim view: file “received”; basically it’s just a SharePoint link

PoC

Here is a small PoC from the victim’s view. We can of course do all the actions quickly by just replaying the requests to the API, so the user only sees the final result: a message they cannot answer.

Quick Walkthrough, victim view

Conclusion

And again there is a (partial) bypass of the splash screen. Imho, disabling “external collaboration”, or at least limiting it to trusted domains, is still the best option.

Check your settings
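The external access settings the conclusion refers to can be audited and tightened from PowerShell. This is an added example and not code from the original post; it assumes the MicrosoftTeams module and a Teams administrator account, and "partner.example" is a placeholder for a trusted partner domain.

```powershell
# Added example, not code from the original post: audit the Teams external
# access (federation) settings the conclusion recommends restricting, then
# either disable external chat or limit it to an allow list of trusted domains.
# Assumes the MicrosoftTeams PowerShell module and a Teams administrator
# account; "partner.example" is a placeholder for a trusted partner domain.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

function Get-TeamsExternalAccessState {
    # Weak state: AllowFederatedUsers = True with AllowedDomains left at
    # AllowAllKnownDomains lets any other Microsoft 365 tenant start a chat
    # with your users, which is exactly what the splash screen is meant to flag.
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                      AllowTeamsConsumer, AllowPublicUsers
}

function Disable-TeamsExternalAccess {
    # Strongest option: no federation with other tenants or consumer accounts.
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
        -AllowTeamsConsumer $false -AllowPublicUsers $false
}

function Limit-TeamsExternalAccess {
    # Alternative: keep federation, but only with explicitly listed domains.
    param([Parameter(Mandatory)][string[]]$TrustedDomains)
    $patterns  = foreach ($d in $TrustedDomains) { New-CsEdgeDomainPattern -Domain $d }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
        -AllowedDomains $allowList `
        -AllowTeamsConsumer $false -AllowPublicUsers $false
}

# Usage: audit first, apply exactly one of the two hardening options, audit again.
Get-TeamsExternalAccessState
Limit-TeamsExternalAccess -TrustedDomains @("partner.example")   # placeholder domain
Get-TeamsExternalAccessState
```

Once the allow list is in place, chats from tenants outside it never reach your users, so the one-way message trick above has no external sender to start from.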

Links