The Microsoft Teams vulnerability relied on a compromised subdomain and a malicious GIF that was sent to Teams users. With it, an attacker could access all the data associated with the affected Teams account and spread to other accounts and groups.
First of all, an attacker has to get a GIF into the Teams chat, either because he already has access to a Teams account of the organization or because he manages to convince an account holder to post a GIF created by the attacker in the chat. In addition, the attacker needs control of a Microsoft Teams subdomain. Large companies have such subdomains that are vulnerable to attack in one way or another. Researchers at Microsoft found many subdomains that could be taken over because of incorrect DNS settings.
Microsoft Teams Vulnerability
Such a gap would theoretically allow attackers to work their way through an entire company and access large amounts of sensitive data, such as business secrets or the organization's passwords. Attackers can take over accounts until they control a high-level employee's Teams account and then order that funds be transferred or financial information be provided. With the calendar functionality integrated in Teams, such scams can then be tailored to the everyday work of the organization in order to attract less attention. Especially now that more and more companies are switching to Microsoft Teams and similar services and almost all employees are working from home, such attacks have a particularly high chance of success.
To exploit the vulnerability, an attacker would have had to gain control of a Microsoft subdomain. In the past there have been several cases in which the company did not have very good control over its subdomains, so an attack would not have been so unlikely. The Microsoft vulnerability has now been fixed. The issue was resolved as soon as possible, as Microsoft has shared its findings with the Security Response Center.
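On the defensive side, the "incorrect DNS settings" mentioned above can be audited in your own zone. The following is an added example, not code from the original article or from Microsoft, and it assumes the misconfiguration in question is a CNAME record whose target no longer resolves (a dangling CNAME). The zone lines, host names and the five-field record layout are constructed placeholders.

```python
import socket

# Constructed sample zone export; all names are placeholders, not real hosts.
SAMPLE_ZONE = """\
www.example.com.        300 IN CNAME app-prod.hosting.example.net.
old-promo.example.com.  300 IN CNAME promo-2019.hosting.example.net. ; campaign ended
mail.example.com.       300 IN A     192.0.2.10
docs.example.com.       300 IN CNAME docs.hosting.example.net.
"""

def parse_cnames(zone_text):
    """Return (owner, target) pairs for each 'name ttl IN CNAME target' line."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) >= 5 and fields[2].upper() == "IN" and fields[3].upper() == "CNAME":
            owner = fields[0].rstrip(".").lower()
            target = fields[4].rstrip(".").lower()
            records.append((owner, target))
    return records

def system_resolves(hostname):
    """True if the local resolver returns at least one address for hostname."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone_text, resolves=system_resolves):
    """List CNAME records whose target does not resolve.

    `resolves` is injectable so the audit can be tested without network access.
    """
    return [(owner, target) for owner, target in parse_cnames(zone_text)
            if not resolves(target)]

if __name__ == "__main__":
    # Constructed stand-in for live DNS so the demo runs offline.
    live_targets = {"app-prod.hosting.example.net", "docs.hosting.example.net"}
    for owner, target in find_dangling(SAMPLE_ZONE, lambda h: h in live_targets):
        print(f"DANGLING: {owner} -> {target} (remove or re-point this record)")
```

A target that still resolves is not proof the record is safe, since the resource behind it may have been released and become claimable by someone else, so flagged records are a starting point for review rather than a complete inventory.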