This New Zero-Click Cross-platform Flaw in Microsoft Teams Could Spread Like a Worm

Users of Microsoft Teams, Microsoft's business communication platform, have one more thing to worry about. A security researcher from Evolution Gaming has recently published details of a wormable, cross-platform vulnerability in Microsoft Teams.


The impact of the vulnerability

The bug was reported to Microsoft on August 31, and Microsoft released fixes for it at the end of October.
  • The Remote Code Execution (RCE) vulnerability can be triggered by a novel Cross-Site Scripting (XSS) injection in teams.microsoft[.]com, and it affects the MS Teams desktop application on all supported platforms: Windows (version 1.3.00.21759), macOS (version 1.3.00.23764), and Linux (version 1.3.00.16851).
  • Even without achieving arbitrary code execution, an attacker could exploit the XSS flaw to obtain SSO authorization tokens for Microsoft Teams or other Microsoft services such as Skype, Outlook, and Office 365.
  • Successful exploitation could give attackers access to private chats, files, and internal networks, as well as private keys and personal data outside MS Teams.


Microsoft Teams on cybercriminals’ hitlist

  • In November, ransomware operators were using fake Microsoft Teams update ads to infect systems with backdoors that deployed Cobalt Strike to compromise the rest of the network.
  • In October, hackers were seen impersonating an automated message from Microsoft Teams in an attempt to steal the recipient’s login credentials.


Closing statements

Given the popularity of communication tools, attackers are eager to take advantage of wormable vulnerabilities like this one. Experts therefore recommend updating Microsoft Teams immediately with the patches Microsoft released in October.