This serious Microsoft Teams security flaw could let external accounts infect your calls, so beware

News
By published

Beware of outsiders infecting your Microsoft Teams calls

security
(Image credit: Shutterstock / Sashkin)

Users have been warned that Microsoft Teams has a security vulnerability that could be abused as a vector for delivering malware.

Security researchers at Jumpsec discovered a way to use the video conferencing software to inject malware into an organization's network from a Teams account that is outside of the organization in question.

Using default configurations, the attack leverages the ability of an organization's Microsoft Teams client to accept communications from 'external tenants' - those using Teams accounts from outside the company.

Protecting your business from the biggest threats online

Protecting your business from the biggest threats online
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

View Deal

Microsoft Teams external communications

The Jumpsec report notes that while this exploit can be used to perpetrate social engineering and phishing attacks, it can also be used to send malware payloads to another inbox, despite Teams having protections to block files coming from external tenants.

The researchers found a way to bypass these restrictions, by altering the recipient ID both internally and externally in the POST request of a message, tricking Teams into thinking an external account is actually internal. 

read more

> Microsoft Teams is being hacked to crack Office 365 accounts - here's how to stay safe

> Using Microsoft Teams GIFs really is an awful idea

> There's finally a fix to this serious Microsoft Teams problem

During their tests, the researchers were able to successfully deliver a command and control payload into another organization's inbox, as part of a covert operation. 

There is no need to bother with crafting a convincing phishing message to lure the victim, and if the threat actor were to register a domain similar to the target's, then it may fool workers into thinking the link came from within the company, and therefore safe to download. 

After reporting the exploit to Microsoft, the tech giant responded that "it does not meet the bar for immediate servicing," signifying the relatively low risk it thinks it poses. It has not yet confirmed when it will likely provide a patch. 

Communication with external tenants can be disabled by navigating to the Microsoft Teams Admin Center and then to External Access. If you do not wish to block all external communications, then you can choose to communicate with trusted domains only by adding them to the allow list. 

The researchers also submitted their findings to the Microsoft Teams feedback portal, where users can up-vote the post in the hope of pressing Microsoft to attend to the issue quicker. 

Lewis Maddison
Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.

Read more
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
Phishing
Russian cyberattackers spotted hitting Microsoft Teams with new phishing campaign
Microsoft Teams
Microsoft Teams is finally introducing a spam and phishing alert - here’s what you need to know
Outlook
Dangerous Microsoft Outlook flaw could let hackers send out malware via email
A person at a laptop with a cybersecure lock symbol floating above it.
A worrying security flaw could have left Microsoft SharePoint users open to attack
The best free firewall
Microsoft fixes Power Pages security flaw, tells users to be on their guard
Latest in Pro
cybersecurity
What's the right type of web hosting for me?
Security padlock and circuit board to protect data
Trust in digital services around the world sees a massive drop as security worries continue
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
construction
Building in the digital age: why construction’s future depends on scaling jobsite intelligence
Latest in News
Ray-Ban Meta Smart Glasses
Samsung's rumored smart specs may be launching before the end of 2025
Apple iPhone 16 Review
The latest iPhone 18 leak hints at a major chipset upgrade for all four models
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 24 (game #1155)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 24 (game #386)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 24 (game #652)
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 23 (game #1154)
More about pro
Toshiba Canvio Flex 4TB

I reviewed the Toshiba Canvio Flex 4TB – it's big on storage but stuck in the past
Branch Ergonomic Chair Pro

I tested the Branch Ergonomic Chair Pro, and while it's a great chair for the price, it comes with one flaw I can't overlook
Ray-Ban Meta Smart Glasses

Samsung's rumored smart specs may be launching before the end of 2025
See more latest
Most Popular
Ray-Ban Meta Smart Glasses
Samsung's rumored smart specs may be launching before the end of 2025
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 24 (game #1155)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 24 (game #652)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 24 (game #386)
Apple iPhone 16 Review
The latest iPhone 18 leak hints at a major chipset upgrade for all four models
Micron SOCAMM memory module
World's biggest RAM vendors develop superior memory form factor exclusively for Nvidia, sorry Intel and AMD
Asus Vivobook 18
The Asus Vivobook 18 is the only affordable 18-inch laptop right now, and it comes with a powerful CPU no other laptop has
Peter Claffey as Ser Duncan the Tall in The Knight Of The Seven Kingdoms
A Knight Of The Seven Kingdoms: The Hedge Knight – everything we know so far about HBO's Game of Thrones prequel
Vinpower iXFlash and iXFlash Cube
This tiny 2TB USB Flash drive can both charge and backup your iPhone at the same time
Compal Adapt X modular laptop
One of the largest laptop manufacturers releases concept pictures of Adapt X, a modular laptop in the same vein as Framework