Microsoft puts out Outlook fire, says everything's fine with Teams malware flaw

Redmond's not fixing the latter because it 'relies on social engineering'


Microsoft is having a rough week with troubles including an Outlook.com bug that prevented some email users from searching their messages for several hours on Thursday, and a Teams flaw that allows people to send phishing emails and malware to other Teams users.

The Outlook.com issue, which began today and was fixed around 1130 PT (1830 UTC), returned this error message to those trying to search using keywords: "Sorry, something went wrong. Please try again later."

Before the fix landed, Redmond confirmed the email gremlin on its service status portal, and in its second update of the day explained the glitch thus:

Our initial review of Outlook.com server logs, in parallel with HTTP Archive format (HAR) logs captured during an internal reproduction of impact, indicates 401 errors are occurring due to an exception when users attempt to perform the search. We're continuing to investigate to confirm the source generating these exception errors and determine methods to remediate impact.

And while the Outlook.com bug borking users' email was certainly an annoying inconvenience, perhaps a bigger problem is the Teams weakness. 

This one is due to a default configuration in the collaboration software that infosec folks spotted. The shortcoming can be exploited to bypass the chat app's security tools that prohibit external communications with files attached, thus allowing miscreants to send targeted phishing emails and malware to anyone else using Teams.

The Windows giant told The Register it won't be fixing this flaw.

"We're aware of this report and have determined that it relies on social engineering to be successful," a Microsoft spokesperson said. "We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers." 

Developed by a US Army red teamer called Octoberfest7, TeamsPhisher is a Python-based automated attack that lets users send phishing messages with malicious attachments to external Teams users. 

It builds on earlier work including research published by Jumpsec red teamers Max Corbridge and Tom Ellson last month. The two found a weakness in the latest version of Teams that can be exploited to bypass security controls and send files — specifically malware — to any organization that uses Teams.

"Give TeamsPhisher an attachment, a message, and a list of target Teams users. It will upload the attachment to the sender's Sharepoint, and then iterate through the list of targets," according to the program's GitHub repository.

It works on Microsoft Business account users — including those who use MFA — who also have a valid Teams and Sharepoint license. Additionally, the tool will identify accounts that can't receive messages from external organizations, as well as accounts that do not exist or have a subscription plan that is not compatible with the attack.

After selecting a target, TeamsPhisher uploads a file to the sending account's Sharepoint and shares the link via Teams.

It also gives would-be phishers the option of selecting the securelink switch, which prompts the targeted victim to authenticate before viewing the attachment in Sharepoint.

"You can decide if this adds too many extra steps, or if it adds 'legitimacy' by sending them through real Microsoft login functionality," the docs for TeamsPhisher read.

Organizations can ensure their employees don't fall victim to TeamsPhisher by managing external access permissions, which could include placing a universal block or only allowing trusted external communications.
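
One way to apply the external-access controls described above, as an added example that is not from the article or from Microsoft: a PowerShell script that audits the tenant's Teams federation settings and then applies either a universal block or a trusted-domain allow-list. The `-Mode` parameter and the `partner.example` domain are placeholders chosen for illustration; the script assumes the MicrosoftTeams module and a Teams administrator account.

```powershell
# Added example: audit and tighten Teams external access.
# Assumptions: MicrosoftTeams module installed, caller is a Teams admin,
# and 'partner.example' stands in for your real trusted domains.
param(
    [ValidateSet('Audit', 'BlockAll', 'AllowList')]
    [string]$Mode = 'Audit',
    [string[]]$TrustedDomains = @('partner.example')
)

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# Read the tenant-wide federation settings that decide whether users in
# another organization can message (and share files with) your users.
$cfg = Get-CsTenantFederationConfiguration
$cfg | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains |
    Format-List

# Permissive state: federation enabled with no explicit allow-list
# (AllowedDomains displays as AllowAllKnownDomains in that case).
if ($cfg.AllowFederatedUsers -and "$($cfg.AllowedDomains)" -match 'AllowAllKnownDomains') {
    Write-Warning 'External access is open to all domains not explicitly blocked.'
}

switch ($Mode) {
    'BlockAll' {
        # Universal block: no external Teams organizations can reach users.
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
    }
    'AllowList' {
        # Only the listed trusted organizations can communicate inbound.
        $list = [System.Collections.Generic.List[string]]::new()
        foreach ($d in $TrustedDomains) { $list.Add($d) }
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
            -AllowedDomainsAsAList $list
    }
    'Audit' {
        Write-Host 'Audit only: no changes made.'
    }
}

# Show the resulting configuration so the change can be verified.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains |
    Format-List
```

Run it with no arguments first to see the current state, then rerun with `-Mode BlockAll` or `-Mode AllowList -TrustedDomains <domains>` once the business impact is understood.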

And, Octoberfest7 says he'll be out of the military in about a year, and looking for a new job: "Keep me in mind." ®
