Teams external participant splash screen bypass #2
Finally, after several months and a “very smooth communication”, meaning 4 months of nothing from Microsoft, they patched the External Participant Bypass via Meeting invitations. As this was always a great vector for spear phishing during red teaming assessments, I clicked around a little bit in Teams and, mild shock, this is not bulletproof.
The splash screen can be bypassed again in at least one simple way (and I still bet there are more). There is a caveat as this will not enable chatting with the user, only one-way communication.
- Create a group chat
- Invite the external “victim”
- Write your message
- Splash screen will be shown to the user
- Remove the user from participants
- Splash screen will also be removed
There is a limitation, as the victim cannot reply to us. We can still send new messages by adding them and removing them again, but the limitation remains. This must be considered in the phishing context.
This also works with files.
Here is a small PoC from the victim's view. We can of course perform all the actions quickly by just replaying the requests to the API, so the user will only see the final result: a message they cannot answer.
Quick Walkthrough, victim view
And again there is a (partial) bypass of the splash screen. IMHO, disabling “external collaboration”, or at least limiting it to trusted domains, is still the best option.
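For defenders, the add, message, remove sequence described above is itself a detectable pattern. The following is an added example, not part of the original post: it flags that sequence in a chat-event stream. The event schema, field names, the `corp.example` domain and the 120-second window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema
# (not a Microsoft log format): ts, chat, op, actor, target.
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "chat": "c1", "op": "member_added", "actor": "ext@outside.example", "target": "bob@corp.example"},
    {"ts": "2024-01-10T09:00:02", "chat": "c1", "op": "message_sent", "actor": "ext@outside.example", "target": None},
    {"ts": "2024-01-10T09:00:03", "chat": "c1", "op": "member_removed", "actor": "ext@outside.example", "target": "bob@corp.example"},
    {"ts": "2024-01-10T10:00:00", "chat": "c2", "op": "member_added", "actor": "partner@outside.example", "target": "amy@corp.example"},
    {"ts": "2024-01-10T10:00:05", "chat": "c2", "op": "message_sent", "actor": "partner@outside.example", "target": None},
    {"ts": "2024-01-10T10:01:00", "chat": "c2", "op": "message_sent", "actor": "amy@corp.example", "target": None},
]

def is_external(user, internal_domains):
    # A user is external when their domain is not one of ours.
    return user.rsplit("@", 1)[-1].lower() not in internal_domains

def find_add_message_remove(events, internal_domains, window=timedelta(seconds=120)):
    """Return alerts where an external actor added an internal user to a chat,
    posted at least one message, and removed that user again within `window`."""
    pending = {}  # (chat, target) -> state of an open "added by external" episode
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        chat, op, actor = ev["chat"], ev["op"], ev["actor"]
        if op == "member_added":
            if is_external(actor, internal_domains) and not is_external(ev["target"], internal_domains):
                pending[(chat, ev["target"])] = {"actor": actor, "added": ts, "messages": 0}
        elif op == "message_sent":
            # Count messages the adding actor posted while the target was a member.
            for (c, _), st in pending.items():
                if c == chat and st["actor"] == actor:
                    st["messages"] += 1
        elif op == "member_removed":
            st = pending.pop((chat, ev["target"]), None)
            if st and st["actor"] == actor and st["messages"] and ts - st["added"] <= window:
                alerts.append({"chat": chat, "actor": actor, "target": ev["target"],
                               "messages": st["messages"], "seconds": (ts - st["added"]).total_seconds()})
    return alerts

if __name__ == "__main__":
    for alert in find_add_message_remove(EVENTS, {"corp.example"}):
        print(alert)
```

The second chat in the sample is an ordinary external conversation and is not flagged, because the internal user is never removed.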