GIFShell Attack Through Microsoft Teams: What Is It and How You Can Protect Yourself from It

Adaptive Shield Team

Another day, another attack method. 

The Short Story

GIFShell attack technique enables bad actors to exploit several Microsoft Teams features to act as a C&C for malware, and exfiltrate data using GIFs without being detected by EDR and other network monitoring tools. The technique assumes an already-compromised target.

GifShell Attack Architecture & Process

Discovered by Bobby Rauch, the main component of this attack allows an attacker to create a reverse shell that delivers malicious commands via base64 encoded GIFs in Teams, and exfiltrates the output through GIFs retrieved by Microsoft’s own infrastructure. 

How does it work?

Microsoft’s response

As reported by Lawrence Abrams in BleepingComputer, Microsoft agrees that this attack method is a problem, however, it “does not meet the bar for an urgent security fix.” They “may take action in a future release to help mitigate this technique.” Microsoft is acknowledging this research but asserting that no security boundaries have been bypassed. 

While Rauch claims that indeed “two additional vulnerabilities discovered in Microsoft Teams, a lack of permission enforcement and attachment spoofing”, Microsoft argues, “For this case… these all are post exploitation and rely on a target already being compromised.” Microsoft is asserting that this technique is using legitimate features from the Teams platform and not something they can mitigate currently. 

In accordance with Microsoft’s assertions, indeed this is the challenge many organizations face — there are configurations and features that threat actors can exploit if not hardened. A few changes to your tenant’s configurations can prevent these inbound attacks from unknown Teams tenants.

How to Protect Yourself from the GifShell Attack Method

There are security configurations within Microsoft that if hardened can help to prevent this type of attack. 

1. Disable External Access:

Microsoft Teams by default allows for all external senders to send messages to users within that tenant. Many organization admins likely are not even aware that their organization allows for External Teams collaboration. You can harden these configurations: 

Microsoft Teams External Access Configurations 
Figure 1: Microsoft Teams External Access Configurations 

2. Gain Device Inventory Insight

Endpoint security tools are  your first line of defense against suspicious activity such as accessing the device’s local teams log folder which is used for data exfiltration in GIFShell. You can ensure your entire organization’s devices are fully compliant and secure by using your XDR / EDR / Vulnerability Management solution, like CrowdStrike or Tenable. 

You can even go a step further and integrate an SSPM (SaaS Security Posture Management) solution, like Adaptive Shield, with your endpoint security tools  to gain visibility and context to easily see and manage the risks that stem from these types of configurations, your SaaS users and their associated devices.

About the writer

Adaptive Shield Team

Businesses today run nearly every facet of their operations using a wide array of interconnected SaaS apps. Adaptive Shield’s team is here to keep you informed as well as help you secure your SaaS estate.