Researchers from Positive Security have outlined four bugs in Microsoft Teams that have left the platform vulnerable since March. The bugs allowed attackers to spoof links and opened the door to denial-of-service (DoS) attacks against Android users.

Two of the four bugs affect Microsoft Teams on any device and allow server-side request forgery (SSRF) and spoofing, the researchers said. The other two, which the researchers named “IP Address Leak” and “Denial of Service aka Message of Death”, affect only Android users.

The SSRF vulnerability was discovered when the researchers tested the /urlp/v1/url/info endpoint for SSRF, and it allowed them to leak information from Microsoft’s local network. Attackers can leverage the spoofing bug to ramp up phishing attacks or to hide malicious links in content sent to users.

To abuse the Android DoS bug, a threat actor sends a message to someone using the Teams Android app that includes a link preview with an invalid preview link target. The app then crashes when the user tries to view the channel. Finally, attackers can use the IP address leak bug to intercept messages that include a link preview and point the thumbnail URL to a non-Microsoft domain.
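The three link-preview issues described above come down to a client trusting preview fields it did not validate. The sketch below is an added example, not code from Positive Security or Microsoft: a receiving client checks a preview before rendering it. The field names (`url`, `previewTarget`, `thumbnailUrl`) and the trusted thumbnail host are assumptions, not the Teams message format.

```javascript
// Hypothetical host that the service's own thumbnail proxy would use (placeholder).
const TRUSTED_THUMBNAIL_HOSTS = ["thumbnails.example"];

// Parse a value as an http(s) URL; return null instead of throwing so a
// malformed field can never crash the rendering path.
function parseHttpUrl(value) {
  if (typeof value !== "string") return null;
  try {
    const u = new URL(value);
    return u.protocol === "https:" || u.protocol === "http:" ? u : null;
  } catch {
    return null;
  }
}

// Exact host or true subdomain match; "evilthumbnails.example" does not match.
function hostMatches(host, trusted) {
  return host === trusted || host.endsWith("." + trusted);
}

// Returns { render, problems } for one received link preview.
function checkLinkPreview(preview) {
  const problems = [];
  const shown = parseHttpUrl(preview.url);
  const target = parseHttpUrl(preview.previewTarget);

  if (!shown) problems.push("invalid-link");
  // DoS case: an unparseable preview target is rejected, not passed on.
  if (!target) problems.push("invalid-preview-target");
  // Spoofing case: the preview must lead where the visible link leads.
  if (shown && target && shown.host !== target.host) {
    problems.push("target-host-mismatch");
  }
  // IP leak case: only load thumbnails over HTTPS from the trusted proxy host.
  if (preview.thumbnailUrl !== undefined) {
    const thumb = parseHttpUrl(preview.thumbnailUrl);
    const ok = thumb !== null && thumb.protocol === "https:" &&
      TRUSTED_THUMBNAIL_HOSTS.some((h) => hostMatches(thumb.hostname, h));
    if (!ok) problems.push("untrusted-thumbnail");
  }
  return { render: problems.length === 0, problems };
}

// Constructed sample message, not captured traffic.
const sample = {
  url: "https://contoso.example/report",
  previewTarget: "https://login.other.example/",
  thumbnailUrl: "https://tracker.other.example/p.png",
};
console.log(checkLinkPreview(sample));
```

A preview that fails any check should fall back to showing the plain link text rather than being rendered.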