GIFs in Microsoft Teams do More than Just Annoy
There are some GIFs that are actually funny and that can lighten the mood in boring meetings. Unfortunately, the vast majority of them are just lame and do nothing but catch the eye and distract you.
It seems GIFs in Microsoft Teams may contain more than just the ability to annoy.
Apparently, a new attack vector dubbed ‘GIFShell’ targets Microsoft Teams and can enable bad actors to steal data using GIFs.
No, this isn’t a clever ploy to try to put people off using GIFs so much, this is a genuine, bona fide threat.
The Threat to Microsoft Teams
The guys over at Bleeping Computer have been alerted to an attack vector that uses GIF files to bypass security controls within Microsoft Teams.
It seems like a sophisticated attack. It leverages multiple vulnerabilities within the Microsoft ecosystem to enable delivery of infected GIFs.
From there, the infected file can be downloaded externally rather than through SharePoint and appear just like standard GIFs.
As Microsoft uses insecure URI schemes, the attack can utilize SMB NTLM hash theft or NTLM Relay attacks to steal data.
As the contents of GIFs aren’t scanned, they can contain just about anything. In this case, malicious files designed to harvest data.
It’s a very complicated attack to pull off, but one that is definitely possible.
Microsoft have responded with:
“This type of phishing is important to be aware of and as always, we recommend that users practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. We’ve assessed the techniques reported by this researcher and have determined that the two mentioned do not meet the bar for an urgent security fix. We’re constantly looking at new ways to better resist phishing to help ensure customer security and may take action in a future release to help mitigate this technique.”
For now, very few people are targeting GIFs in Microsoft Teams, but if you were looking for an excuse to ban their use, you now have the perfect opportunity!