All of these applications use the open source project Squirrel, which handles their installation and update routines, while the NuGet package manager is used to manage the package files.
The issue has yet to be patched. The security researcher who disclosed it to Microsoft, Reegun Richard, had planned to hold off publishing until a fix shipped, but with two other security researchers having independently identified and published exploits, he said he was detailing the issue to help blue teamers.
Published the writeup on latest Microsoft Teams vulnerable application design.
Once a threat actor has created a suitable package, they can go into the target application folder and execute update.exe; the application will then automatically download and apply the malicious package containing the shellcode to the ‘packages’ folder.
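For a blue team, the observable side of this technique is a Squirrel `update.exe` process being pointed at an update feed the vendor does not operate, typically launched from a shell rather than by the application itself. The following detection sketch is an added example and not code from the article or from the researchers it cites. It runs over constructed process-creation events (timestamp, image path, command line, parent image, pipe-separated) and flags an `update.exe` run whose update source is a non-allow-listed host or a local/UNC path, or whose parent is a scripting shell. The article does not state which arguments were used; the example assumes Squirrel's `--update` switch, which takes a feed URL or path. The allow-list host and the shell-parent list are placeholders to replace with your own environment's values.

```python
import re
from urllib.parse import urlparse

# Placeholder allow-list (assumption): replace with the host(s) of the
# application's legitimate Squirrel update feed in your environment.
ALLOWED_UPDATE_HOSTS = {"updates.vendor.example"}

# Parents from which a launch of Update.exe is unexpected (assumption: tune locally).
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Squirrel's Update.exe accepts --update=<feed>; the feed may be a URL or a path.
UPDATE_ARG = re.compile(r"--update[=\s]+(\S+)", re.IGNORECASE)

# Constructed sample events, not real telemetry.
# Fields: timestamp | image path | command line | parent image
SAMPLE_EVENTS = [
    "2019-09-01T10:00:01Z|C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\Update.exe"
    "|Update.exe --processStart Teams.exe|C:\\Windows\\explorer.exe",
    "2019-09-01T10:05:12Z|C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\Update.exe"
    "|Update.exe --update=https://updates.vendor.example/feed/"
    "|C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
    "2019-09-01T10:07:45Z|C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\Update.exe"
    "|Update.exe --update=http://203.0.113.7/pkgs/|C:\\Windows\\System32\\cmd.exe",
    "2019-09-01T10:08:03Z|C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\Update.exe"
    "|Update.exe --update=C:\\Users\\Public\\staging\\|C:\\Windows\\System32\\cmd.exe",
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line):
    ts, image, cmdline, parent = line.split("|", 3)
    return {"ts": ts, "image": image, "cmdline": cmdline, "parent": parent}


def classify_update_source(source):
    """Return None if the update feed is allow-listed, otherwise a reason string."""
    parsed = urlparse(source)
    if parsed.scheme in ("http", "https"):
        host = (parsed.hostname or "").lower()
        if host in ALLOWED_UPDATE_HOSTS:
            return None
        return f"update source host not allow-listed: {host}"
    # Drive paths, UNC shares and file:// URLs all mean a feed staged locally.
    return f"update source is a local or UNC path: {source}"


def suspicious_update_events(lines):
    """Yield (timestamp, [reasons]) for update.exe runs that deserve a look."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if basename(ev["image"]) != "update.exe":
            continue
        reasons = []
        match = UPDATE_ARG.search(ev["cmdline"])
        if match:
            reason = classify_update_source(match.group(1))
            if reason:
                reasons.append(reason)
        parent = basename(ev["parent"])
        if parent in SHELL_PARENTS:
            reasons.append(f"update.exe launched from shell parent {parent}")
        if reasons:
            findings.append((ev["ts"], reasons))
    return findings


if __name__ == "__main__":
    for ts, reasons in suspicious_update_events(SAMPLE_EVENTS):
        print(ts, "; ".join(reasons))
```

Of the four constructed events, only the two launched from `cmd.exe` with a non-vendor feed are reported; the application's own routine `--processStart` launch and an update from the allow-listed host pass silently. Pairing this with a file-creation rule on new `.nupkg` files in the application's `packages` folder gives a second, independent signal for the same activity.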
Richard wrote in a security blog update on the vulnerability: “I decided finally to make it public since I spent most of the time in this and without fixing this, the adversaries/insiders likely use this technique for EDR/IDS evasion, so this post will make the blueteam-defense team aware of this situation.”