Threat Watch

Microsoft Teams Zero-Click Remote Code Execution Vulnerability

A Remote Code Execution (RCE) bug has been found in Microsoft Teams that can compromise a computer with no user interaction required. The vulnerability was discovered and submitted to Microsoft by Evolution Gaming engineer Oskars Vegeris, and it has been patched in the latest update to Teams. This bug allows adversaries to execute arbitrary code by merely sending a message to a targeted Teams user.  This cross-platform RCE bug takes advantage of a Cross Site Scripting (XSS) flaw present in the Teams “@mentions” functionality, coupled with a JavaScript based RCE payload. By viewing this message, the attack is triggered and allows the attacker to execute code in the context of the intended victim.


This was not the first RCE bug patched in Microsoft Teams, so Binary Defense recommends ensuring that Teams has received the most recent update as soon as possible. To catch attackers’ post-compromise activity after a vulnerability such as this has been exploited, it is important to have a 24/7 Security Operations Center in-house or partner with a managed security solution, such as Binary Defense’s own Security Operations Task Force in order to detect any suspicious activity following code execution.