View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Microsoft Teams Vulnerability Let Hackers “Take Over Entire Roster of Teams Accounts”

Hacker could "ultimately take over an organization’s entire roster of Teams accounts"

By CBR Staff Writer

Microsoft’s collaboration platform Teams contained a vulnerability that allowed hackers to send out a GIF that only had to been seen, in order for it to send a valuable access token back to a compromised server.

This could then be used to escalate an attack until a hacker was able to “take over an organisation’s entire roster of Teams accounts.”

The bug, disclosed to Microsoft on March 23, was discovered and reported by US-based account security firm CyberArk, and quietly patched by Redmond a month later, on April 20, the security company said today.

It involved grabbing API authorisation tokens then leveraging a subdomain takeover vulnerability in Microsoft Teams, in a somewhat complex but highly effective attack for a dedicated adversary.

teams vulnerabilityMicrosoft Teams is a collection of enterprise collaboration tools, comprising Office 365, a SharePoint Online site and a document library to store team files so a compromise of an account could have significant consequences.

Normally if an attacker can get a user to visit a compromised sub-domain then they can get the victim’s browser to send account data or authentication tokens. These can be used to start further security escalations. However, the attack path identified by CyberArk only (after a series of initial token-grabbing moves) requires that a user views a malicious GIF.

CyberArk note in its report that: “The fact that the victim only needs to see the crafted message to be impacted is a nightmare from a security perspective. Every account that could have been impacted by this vulnerability could also be a spreading point to all other company accounts. The GIF could also be sent to groups (a.k.a Teams), which makes it even easier for an attacker to get control over users faster and with fewer steps.”

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

The attack involved abusing how Teams authenticates the right of users to view images, using two cookies called “authtoken” and “skypetoken_asm.” An attacker can then take over two unsecured sub-domains within the Teams platform and using these to obtain the authentication tokens belonging to user accounts, which can be used to gain access and scrape data.

A Microsoft spokesperson commented by email that: “We addressed the issue discussed in this blog and worked with the researcher under Coordinated Vulnerability Disclosure. While we have not seen any use of this technique in the wild, we have taken steps to keep our customers safe.”

Microsoft Teams Vulnerability

CyberArk first found two subdomains that – due to misconfigured DNS records – were open to takeover. The sub-domains were and

Every time you log into Teams a number of authentication tokens are created. In order to authenticate images Teams creates two authentication tokens ‘authtoken’ and ‘skypetoken_asm.’

The issue is that the ‘skypetoken’ is responsible for making valuable requests to the Teams server, while the authtoken itself is used to create the ‘skypetoken’.

When a user viewed an image that was send from the compromised sub-domains their account forwards the ‘authtoken’, which inadvertently gives the attacker the ability to create the ‘Skypetoken’.

CyberArk researchers managed to obtain both tokens and with the access token (authtoken) and the skype token was “able to make APIs calls/actions through Teams API interfaces, which lets you send messages, read messages, create groups, add new users or remove users from groups, change permissions in groups, etc.”

Geraint Williams, CISO of IT service management company GRCI told Computer Business Review via email: “With tools like Teams, it is so important to ensure that only approved and regulated users can access the platform and post in collaboration activities – it all boils down to having robust user access controls and strong authentication processes in place.

“This extends to any other individuals you are collaborating with on Teams who are from outside of your organisation.”

He added: “Even if you have a trusted relationship with that individual, you need to be as confident in their security controls as you are your own – otherwise, this kind of attack could be leveraged through a sub-domain of a trusted partner. Ensuring that you keep libraries up to date, patch software regularly, have strong authentication processes for all users and maintain secure domains are good starting points in your organisation’s cyber defence.”

Cyberark’s detail write-up of the exploit is here.

See Also: Squirrel Exploit Leaves Microsoft Teams Vulnerable to Privilege Escalation 

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.