All About HackingBlackhat Hacking ToolsFree CoursesHacking

Hacking Microsoft teams vulnerabilities: A step-by-step guide by Blackhat pakistan 2023

Today we will cover Hacking Microsoft teams vulnerabilities in this article.

We live in an age where technology is a part of our lives and a primary valuable resource for personal and professional tasks. The use of online video conferencing platforms such as Zoom and Microsoft Teams has exploded in recent months, largely due to the COVID-19 pandemic.

This article provides a detailed step-by-step guide on how to hack Microsoft Teams using a simple GIF image. The vulnerability, published in April to mid-2020, could be exploited by a remote agent, and Microsoft quickly patched the bug within days of publication. However, this scenario should be understood as a real threat facing not only Microsoft Teams, but all applications that maintain the same modus operandi.

How to Hack Microsoft Teams[Hacking Microsoft teams vulnerabilities]

The disclosed bug is a worm-like vulnerability that allows criminals to take over an organization’s entire list of Teams accounts simply by sending victims a malicious link to an innocent-looking GIF image.

Even if a criminal does not have sensitive information from a team account, the flaw can be used to perform an extended attack on an organization’s accounts just like a worm, obtaining account tokens and then gaining access to all chat sessions of targeted users. Figure 1 below shows how this attack can be performed against a large company.

Figure 1: Microsoft Teams attack workflow
  • In detail, the attack can be exploited by following these steps:
  • A malicious GIF image is prepared and created by criminals and sent to the first victim during a video conference via chat.
  • The victim opens and sees a message with an embedded GIF image. At this point, the criminal impersonates the victim and spreads the GIF payload in the
  • organization’s Teams accounts as a worm, infecting a large group of employees.
  • The message is spread and other victims are affected.
  • The victim team’s tokens are sent to the criminal’s side.
  • Criminals can use the exfiltrated tokens to gain access to the victim’s information, contacts, messages, and so on.

As described above, the vulnerability lies in a simple GIF image and the way Teams handles image source authentication. Below is the initial payload.

Figure 2: GIF image sent to the first victim.

In detail, when the application is opened (both mobile and desktop), a JSON Web Token (JWT) – an access token – is created during this process. This token allows the user to view images shared by the individual or others in the conversation/meeting.

Therefore, a cookie named “authtoken” that grants access to the source server “” can be misused to create a “skype token” that allows you to send messages, create groups, add new users or unsubscribe users from groups, change permissions in groups via the Teams API and so on.

Figure 3: JWT token exfiltrated by using this vulnerability.

Next step: The takeover attack

Once this privileged token is obtained, it can be abused to interact with other internal Microsoft ecosystem systems. In order to carry out a successful attack, two subdomains were identified as vulnerable to takeover attacks:


By obtaining this point, a criminal can force users to access subdomains that have been hijacked. Then the victim’s browser sends the authentication token cookie to the criminal’s remote server. A Skype token can now be created to access all the victim’s team account data.

Details including confidential information, meeting and calendar information, competitive data, secrets, passwords, private information, business strategy, plans and procedures can now be used to execute other kinds of attack vectors.


Final thoughts

From there, unauthorized access via remote services such as VPN and email can provide an internal access option. Criminals can perform a set of pre-deployed tasks to take advantage of this initial position. For this reason, monitoring should be considered a surgical tool to prevent scenarios of this nature.

Since video conferencing software is used to maintain direct communication between employees, clients, and even family, keeping the software updated to avoid exploring the latest attack vectors is a must for everyone.

The use of endpoint security solutions such as antivirus on host-IDS agents should be considered as a way to prevent the success of emerging threats and tricks used by criminals.


Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams, CyberArk

Como comprometer o Microsoft Teams apenas com uma imagem GIF, Segurança Informática

Leave a Reply

Your email address will not be published. Required fields are marked *