GIF files in Microsoft Teams are not just annoying, they are also very dangerous



In almost every work chat, there's that one person who thinks they're a bit of a GIF lord. If you're lucky, your workplace might actually have one. The one who makes the perfect response GIF every time, making your day and the days of everyone else on the channel.

Chances are, you have someone who responds to everything with weird obnoxious GIFs and makes it their life's crusade to control the pronunciation of the format.


Well, regardless of legendary status, it's time to cast a wary eye on these GIFs, happy colleagues. Bleeping Computer details an exploit in Microsoft Teams that uses GIFs to potentially install malware, execute commands, and even mine data using these fun moving images.

Yeah, that random and totally ridiculous reaction GIF Blimothy posted last week doesn't seem so harmless anymore, does it?


Fortunately, there are several steps to the process. First of all, the target has to install a program that executes the commands delivered through these spicy GIF files. Considering that phishing attacks are still successful in 2022, the year of our Lord of the GIFs, it's not that unlikely.

Especially since the request probably appears to come from a trusted work source, it's an innocent and easy mistake to make.


From here, this program continuously scans the Microsoft Teams log file, looking for any malicious GIFs. These GIFs are what give the attackers a reverse shell.

The GIFs carry base64-encoded commands, which then perform malicious actions on the target machine. You can learn more about how these GIFShell attacks work on Bobby Rauch's Medium page.

When a GIF is received, it is stored in the chat log, which is then scanned by the program. Once it sees the crafted GIF, it extracts that base64 code, decodes it and executes the text.

This text points back to a remote GIF that is embedded in Teams poll cards. Because of the way these work, the machine then connects to the attacker to get the GIF, allowing the attackers to decode the file and giving them access to further attacks.
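A defender can look at the same log for the same signal. The following is an added example, not code from the article or from the GIFShell research: it flags GIF references whose name decodes from base64 to readable text. It assumes the encoded text is the GIF's name, and the log lines and function names are constructed for illustration.

```python
import base64
import re

# Assumption: a GIF shows up in the log as "<name>.gif" and the encoded text
# is the name itself. The real Teams log layout is not given on the page.
GIF_NAME = re.compile(r"([A-Za-z0-9+_-]{16,}={0,2})\.gif\b", re.IGNORECASE)


def decode_if_text(name):
    """Return the decoded text if name is base64 for printable ASCII, else None."""
    padded = name + "=" * (-len(name) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, altchars=b"-_", validate=True)
        text = raw.decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    if text and all(c.isprintable() or c in "\t\r\n" for c in text):
        return text
    return None


def scan_log(lines):
    """Return (line_number, gif_reference, decoded_text) for each suspicious GIF."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in GIF_NAME.finditer(line):
            decoded = decode_if_text(match.group(1))
            if decoded is not None:
                hits.append((number, match.group(0), decoded))
    return hits


# Constructed sample input, not real Teams log output.
SAMPLE_TEXT = "echo constructed-sample"
ENCODED = base64.urlsafe_b64encode(SAMPLE_TEXT.encode()).decode()
SAMPLE_LOG = [
    "10:01:07 info image cached https://media.example.invalid/thumbs_up_reaction_loop.gif",
    "10:01:09 info image cached https://media.example.invalid/" + ENCODED + ".gif",
    "10:01:12 info image cached https://media.example.invalid/cat-dance.gif",
]

if __name__ == "__main__":
    for number, name, decoded in scan_log(SAMPLE_LOG):
        print(f"line {number}: {name} decodes to {decoded!r}")
```

Ordinary descriptive names such as the first sample line are made of base64-alphabet characters too, which is why the check requires the decoded bytes to be printable ASCII before reporting a hit.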


Essentially, it takes a bunch of different exploits available in Teams to work, so hopefully there should be a fix from Microsoft soon. A change in where Teams logs are stored or how the app retrieves GIFs would likely be enough to throw a wrench in any criminal's plans. For now, at least you have a real reason to tell someone off for using weird GIFs.
