Scammers Leveraging Microsoft Team GIFs in Phishing Attacks

Dubbed GIFShell; the technique allows attackers to create a reverse shell to facilitate malicious command delivery via base64-encoded GIFs in MS Teams.

byDeeba Ahmed

September 12, 2022

2 minute read

Cybersecurity consultant Bobby Rauch has discovered a new attack tactic in which threat actors exploit Microsoft Teams vulnerabilities. According to Rauch, attackers can easily leverage Microsoft Teams GIFs through these vulnerabilities to launch phishing, command execution, and data filtration schemes.

What is GIFShell?

Rauch has named the newly discovered attack technique involving MS Teams GIFs as GIFShell. The technique allows attackers to create a reverse shell to facilitate malicious command delivery via base64-encoded GIFs in MS Teams.

Using a malicious stager executable, the attackers can establish their dedicated MS Teams tenant and start the attack using the GIFShell Python script.

GIFShell installs malware on the device and can sneakily extract data under the guise of harmless GIF images. Rauch noted that the attack entails the exploitation of multiple vulnerabilities in MS Teams to create a chain of command executions.

Furthermore, attackers only need to infiltrate MS Teams and any of the GIFs. Utilizing Microsoft’s web infrastructure, they can unpack commands and install them directly on computers.

Microsoft’s Response

In a blog post, Rauch stated that he notified Microsoft in May 2022. However, Microsoft claims that immediately releasing fixes for the attack is impossible. Moreover, the tech giant stated that the attack techniques “reported” by Rauch don’t meet the requisites for developing an urgent security fix.

“We’re constantly looking at new ways to better resist phishing to help ensure customer security and may take action in a future release to help mitigate this technique.”
Microsoft

Therefore, the best line of defense for you is not to open any GIFs shared by someone on MS Teams.