Comments on: Stop GIFShell Attack by Modifying Teams External Access

By: Andrew T

Andrew T — Fri, 16 Sep 2022 15:33:27 +0000

I agree, there are lots of issues with the original article. It seems to be designed for clickbait rather than educate people about security issues.

The main exploit they are demoing is the remote control though teams, but you already of had to of compromised the victim’s computer to install malicious software to read out of the Teams directory. If I’m an attacker and I’ve already done that… Why would I want use Teams to exfiltrate the data out when I could use one of the other countless methods like DNS, HTTPS, etc. Which are much less likely to be logged.

I still agree with Tony that tenants should adopt a whitelist approach for allowing external messaging

By: Tony Redmond

Tony Redmond — Thu, 15 Sep 2022 12:15:55 +0000

In reply to Paul.

Paul, try this: https://practical365.com/teams-external-access-powershell/

By: Tony Redmond

Tony Redmond — Tue, 13 Sep 2022 16:51:12 +0000

In reply to Paul. One way is to scan for guest accounts in the tenant and examine their domains to build a list of domains to use.

By: Paul

Paul — Tue, 13 Sep 2022 14:13:41 +0000

Do you know if there is a way to audit which external domains are already in contact with internal staff? It would be good if I could obtain a list of those external domains so I can add them to the allowed list as soon as I turn on ‘Allow only specific domains’. I dont want to turn it on to have a flurry of emails/complaints that staff cant talk to certain externals. Thanks in advance!

By: Christian

Christian — Fri, 09 Sep 2022 21:32:45 +0000

It’s been said everyday is a school day 🙂 Never looked at the .ldb files. Thanks for sharing those links!

By: Tony Redmond

Tony Redmond — Fri, 09 Sep 2022 20:32:21 +0000

In reply to Stephane. That's a real Friday evening publishing error... Fixed now!

By: Stephane

Stephane — Fri, 09 Sep 2022 20:28:46 +0000

Hey @Tony….. Think you left out a keyword that implies so much context, I was wondering what u meant by 270 users until I clicked on the link, the million part is missing 🙂

“Given the size of the Teams installed base (the last reported number was 270 (million) monthly active users), it’s no mystery why attackers might consider Teams a nice target”

By: Tony Redmond

Tony Redmond — Fri, 09 Sep 2022 19:58:37 +0000

In reply to Tony Redmond.

Or (free) https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-and-skype-logging-privacy-issue/

By: Tony Redmond

Tony Redmond — Fri, 09 Sep 2022 19:57:33 +0000

In reply to Christian.

For anyone wanting to get acquainted with what’s in the Teams local cache: https://onlinelibrary.wiley.com/doi/10.1111/1556-4029.15014?af=R

By: Christian

Christian — Fri, 09 Sep 2022 18:56:40 +0000

Thanks for the reply Tony. I’ve never seen any clear text message data in the cache so had to ask.