Comments on: Stop GIFShell Attack by Modifying Teams External Access
https://practical365.com/stop-teams-gifshell-attack/
Practical Office 365 News, Tips, and Tutorials
Tue, 28 Feb 2023 12:35:37 +0000

By: Andrew T https://practical365.com/stop-teams-gifshell-attack/#comment-243051 Fri, 16 Sep 2022 15:33:27 +0000 In reply to Christian.

I agree, there are lots of issues with the original article. It seems to be designed for clickbait rather than to educate people about security issues.

The main exploit they are demoing is the remote control through Teams, but you already have to have compromised the victim’s computer to install malicious software to read out of the Teams directory. If I’m an attacker and I’ve already done that… Why would I want to use Teams to exfiltrate the data out when I could use one of the other countless methods like DNS, HTTPS, etc., which are much less likely to be logged?

I still agree with Tony that tenants should adopt a whitelist approach for allowing external messaging.

By: Tony Redmond https://practical365.com/stop-teams-gifshell-attack/#comment-243015 Thu, 15 Sep 2022 12:15:55 +0000 In reply to Paul.

Paul, try this: https://practical365.com/teams-external-access-powershell/

By: Tony Redmond https://practical365.com/stop-teams-gifshell-attack/#comment-242927 Tue, 13 Sep 2022 16:51:12 +0000 In reply to Paul.

One way is to scan for guest accounts in the tenant and examine their domains to build a list of domains to use.

By: Paul https://practical365.com/stop-teams-gifshell-attack/#comment-242917 Tue, 13 Sep 2022 14:13:41 +0000

Do you know if there is a way to audit which external domains are already in contact with internal staff? It would be good if I could obtain a list of those external domains so I can add them to the allowed list as soon as I turn on ‘Allow only specific domains’. I don’t want to turn it on to have a flurry of emails/complaints that staff can’t talk to certain externals. Thanks in advance!

By: Christian https://practical365.com/stop-teams-gifshell-attack/#comment-242766 Fri, 09 Sep 2022 21:32:45 +0000

It’s been said every day is a school day 🙂 Never looked at the .ldb files. Thanks for sharing those links!

By: Tony Redmond https://practical365.com/stop-teams-gifshell-attack/#comment-242763 Fri, 09 Sep 2022 20:32:21 +0000 In reply to Stephane.

That’s a real Friday evening publishing error… Fixed now!

By: Stephane https://practical365.com/stop-teams-gifshell-attack/#comment-242762 Fri, 09 Sep 2022 20:28:46 +0000

Hey @Tony… Think you left out a keyword that implies so much context. I was wondering what you meant by 270 users until I clicked on the link; the million part is missing 🙂

“Given the size of the Teams installed base (the last reported number was 270 (million) monthly active users), it’s no mystery why attackers might consider Teams a nice target”

By: Tony Redmond https://practical365.com/stop-teams-gifshell-attack/#comment-242761 Fri, 09 Sep 2022 19:58:37 +0000 In reply to Tony Redmond.

Or (free) https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-and-skype-logging-privacy-issue/

By: Tony Redmond https://practical365.com/stop-teams-gifshell-attack/#comment-242760 Fri, 09 Sep 2022 19:57:33 +0000 In reply to Christian.

For anyone wanting to get acquainted with what’s in the Teams local cache: https://onlinelibrary.wiley.com/doi/10.1111/1556-4029.15014?af=R

By: Christian https://practical365.com/stop-teams-gifshell-attack/#comment-242759 Fri, 09 Sep 2022 18:56:40 +0000

Thanks for the reply Tony. I’ve never seen any clear text message data in the cache so had to ask.
