MS Teams contains vector for sending malicious files. Microsoft claims it's fine
Take action: Microsoft isn't in a rush to patch this one. Review how your organization uses Microsoft Teams to collaborate with external organizations. If you aren't collaborating with other MS Teams organizations, simply limit communication with other MS Teams tenants. Otherwise, invest heavily in user awareness about unexpected files received in MS Teams.
According to security researchers, a vulnerability has been discovered in Microsoft Teams that allows malware to be delivered through the software.
The exploit takes advantage of the ability of Microsoft Teams to accept communications from external tenants, allowing attackers to inject malware into an organization's network from a Teams account outside of the targeted organization.
Although Microsoft Teams has built-in protections to block files from external tenants, the researchers found a way to bypass these restrictions by altering the recipient ID in the POST request of a message, tricking Teams into treating an external account as internal.
In Microsoft Teams, an "external tenant" refers to an organization or entity that uses Teams but is separate from the organization's own dedicated instance of Microsoft 365 services.
Organizations have the option to allow or restrict interactions with external tenants in MS Teams. This means that users within an organization can communicate with users from other organizations that are also using Teams, even if they are not part of the same tenant, which is useful for collaboration with partners, clients, vendors, or any other external entities.
The exploit can be used not only for social engineering and phishing attacks but also to send malware payloads to unsuspecting recipients within an organization, potentially fooling them into thinking the files are safe to download.
After the researchers reported the vulnerability to Microsoft, the tech giant responded that it does not consider it an immediate risk and has not provided a timeline for patching the issue.
To mitigate the risk, organizations can disable communication with external tenants or limit communication to trusted domains by configuring the settings in the Microsoft Teams Admin Center.
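The same restriction can be applied from PowerShell instead of the Admin Center. The following is an added example, not from the original article or the researchers: it assumes the MicrosoftTeams PowerShell module and a Teams administrator role, the function name `Set-TeamsExternalAccessPolicy` is hypothetical, and `partner.example` is a placeholder domain.

```powershell
# Added example. Assumes: Install-Module MicrosoftTeams has been run and the
# signed-in account holds a Teams administrator role.

function Set-TeamsExternalAccessPolicy {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Partner domains to keep reachable. Empty = block every external tenant.
        [string[]]$TrustedDomains = @()
    )

    # Record the current state so the change can be reviewed or rolled back.
    $before = Get-CsTenantFederationConfiguration
    Write-Host "Before: AllowFederatedUsers=$($before.AllowFederatedUsers) AllowedDomains=$($before.AllowedDomains)"

    if ($TrustedDomains.Count -eq 0) {
        # Option 1 from the article: no communication with external tenants.
        if ($PSCmdlet.ShouldProcess('tenant', 'Disable external access')) {
            Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
        }
    }
    else {
        # Option 2 from the article: only the listed trusted domains.
        $list = [System.Collections.Generic.List[string]]::new()
        foreach ($d in $TrustedDomains) { $list.Add($d.Trim().ToLower()) }

        if ($PSCmdlet.ShouldProcess('tenant', "Allow only: $($list -join ', ')")) {
            Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList $list
        }
    }

    # Read the setting back; under -WhatIf this still shows the unchanged state.
    Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains
}

Connect-MicrosoftTeams

# Dry run first: prints what would change without applying it.
Set-TeamsExternalAccessPolicy -TrustedDomains 'partner.example' -WhatIf
```

Drop `-WhatIf` to apply the allowlist, or call the function with no `-TrustedDomains` to block all external tenants.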