Microsoft Teams and the GIFShell attack
A new attack chain uses GIF images in Microsoft Teams to deliver files that look harmless to the user and to execute commands that steal data.
The main component of this attack is a GIF image (GIFShell) that contains a hidden script.
Threat actors can bypass security controls and get users to unwittingly open the door to a malicious stager that executes the commands embedded in the GIF.
One of the reasons this attack is possible is that Microsoft does not scan the content of these GIFs, so they look perfectly normal while hiding malicious commands.
Understanding the issue
This is how the attack starts:
The attacker sends a Teams user a message containing a crafted GIF. It looks entirely harmless, but it includes commands to be executed on the target’s computer; Teams users are therefore deceived by these “friendly” attachments.
Once the message is received, the GIF is stored in the Microsoft Teams logs.
From there, the stager detects and extracts the base64-encoded commands. This new “tenant” then contacts new victims, via chat or meetings, by sending them the same malicious GIFs.
The attackers can also tell when Microsoft’s servers retrieve the GIFs.
The traffic is considered legitimate, and security software won’t flag any issues because all of these requests come from Microsoft’s own servers.
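The article’s point is that a GIF can look normal while carrying hidden base64 commands that Teams never inspects. As an added defender-side illustration (not code from the original article or from Bobby Rauch’s research), the Python scanner below parses a GIF’s block structure up to the 0x3B trailer, reports any bytes appended after it, and checks whether those bytes decode as printable base64 text. It assumes, and this is an assumption the article does not state, that the hidden payload is appended after the image trailer; both sample GIFs are constructed inline, and the “command” in the suspect sample is a harmless placeholder.

```python
import base64
import re

# Constructed sample: a valid 1x1 GIF89a with a global colour table, one
# graphic control extension, one image block and the 0x3B trailer.
CLEAN_GIF = bytes.fromhex(
    "474946383961"            # "GIF89a"
    "01000100800000"          # logical screen descriptor: 1x1, global colour table of 2 entries
    "000000ffffff"            # global colour table (black, white)
    "21f9040100000000"        # graphic control extension: label, 4-byte sub-block, terminator
    "2c000000000100010000"    # image descriptor: 1x1 at (0,0), no local colour table
    "0202440100"              # LZW minimum code size 2, one 2-byte sub-block, terminator
    "3b"                      # trailer
)

# Constructed sample of a GIF with a base64 payload appended after the trailer
# (assumed placement; the placeholder text stands in for a hidden command).
SUSPECT_GIF = CLEAN_GIF + base64.b64encode(b"echo hidden-sample")

BASE64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Walk a chain of length-prefixed data sub-blocks; return the offset after the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_trailer_offset(data: bytes) -> int:
    """Parse the GIF block structure and return the offset just past the 0x3B trailer.

    Raises ValueError for non-GIF or truncated input, so a caller treats
    unparsable files as suspicious rather than silently clean.
    """
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        raise ValueError("not a GIF or truncated header")
    packed = data[10]
    pos = 13
    if packed & 0x80:                      # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while True:
        if pos >= len(data):
            raise ValueError("no trailer found")
        block = data[pos]
        if block == 0x3B:                  # trailer: end of image
            return pos + 1
        if block == 0x21:                  # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif block == 0x2C:                # image descriptor
            if pos + 10 > len(data):
                raise ValueError("truncated image descriptor")
            local_packed = data[pos + 9]
            pos += 10
            if local_packed & 0x80:        # local colour table present
                pos += 3 * (2 ** ((local_packed & 0x07) + 1))
            pos += 1                       # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {pos}")


def scan_gif(data: bytes) -> dict:
    """Report bytes found after the trailer and whether they decode as printable base64 text."""
    end = gif_trailer_offset(data)
    trailing = data[end:].strip(b" \t\r\n")
    result = {"trailing_bytes": len(trailing), "looks_base64": False, "decoded": None}
    if trailing and len(trailing) % 4 == 0 and BASE64_RE.match(trailing):
        try:
            decoded = base64.b64decode(trailing, validate=True)
        except ValueError:
            return result
        result["looks_base64"] = True
        # Only surface the decoded text when it is plain printable ASCII.
        if all(32 <= b < 127 or b in (9, 10, 13) for b in decoded):
            result["decoded"] = decoded.decode("ascii")
    return result


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_GIF), ("suspect", SUSPECT_GIF)):
        print(name, scan_gif(sample))
```

Run directly, the script reports no trailing data for the clean sample and 24 trailing bytes that decode to the placeholder text for the suspect one. Parsing errors are raised rather than swallowed, so a truncated or malformed GIF is surfaced for review instead of being passed as clean. The check only covers data after the trailer; a payload hidden inside a comment extension (block 0x21 with label 0xFE) would be skipped, so a production scanner should also extract and inspect comment sub-blocks.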
Tackling the problem
The issue was reported to Microsoft in June 2022, but the company decided not to prioritise it yet; instead, it will be considered for the next Windows version.
Bobby Rauch, the cybersecurity consultant who discovered this attack chain, recommends the following:
- Avoid clicking on attachments from unknown senders.
- Implement a Safe Attachments policy and a complex password policy to prevent such attacks.