cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Hackers exploit Microsoft Teams vulnerability in GIFShell attack

A security researcher has reported the novel “GIFShell” attack technique can be easily exploited by threat actors via Microsoft Teams GIFs to launch phishing attacks, data exfiltration, and command execution.

user iconReporter
Tue, 13 Sep 2022
Hackers exploit Microsoft Teams vulnerability in GIFShell attack
expand image

Cyber security consultant Bobby Rauch discovered numerous security vulnerabilities within Microsoft Teams have been chained to create the attack, with GIFShell the attack's primary component, enabling the creation of a reverse shell that facilitates malicious command delivery through base64-encoded GIFs in MS Teams.

Rauch noted that a malicious stager executable could then allow attackers to establish their dedicated MS Teams tenant, before commencing the attack using the GIFShell Python script.

Once the GIF is received, it's stored in the chat log which is then scanned by the stager.


According to Rauch, the crafted GIF will then extract that base64 code and execute and extract the text. This text will point back to a remote GIF which is embedded in Teams Survey cards. Due to how these work, it then will connect back to the attacker to retrieve the GIF, allowing the attackers to decode the file and gain access to further attacks.

The seemingly harmless, fun moving images can be exploited by threat actors via Microsoft Teams to potentially install malicious files, perform commands, and even extract data.

A change to where Teamlogs are stored or how the program retrieves GIFs would likely be enough to throw a spanner in the works of any evildoers.

The intended target needs to install a stager to execute the commands given via GIFs. Given phishing attacks are still successful, it's not that unlikely, especially considering these likely come from a trusted work source, it's actually likely an innocent and easy mistake to make.

From there the stager will run continuous scans on the Microsoft Team logs file, looking for any "evil" GIFs. These GIFs will have been given a reverse shell by the attackers. This will contain base64 encoded commands which are stored in Teams' GIFs, that then perform malicious actions on the target machine.

Fixes will not be issued immediately, according to Microsoft, despite the newly discovered attack.

"We've assessed the techniques reported by this researcher and have determined that the two mentioned do not meet the bar for an urgent security fix.

"We're constantly looking at new ways to better resist phishing to help ensure customer security and may take action in a future release to help mitigate this technique," Microsoft said.

According to Rauch, it takes a number of different available exploits in Teams to work, and "hopes a fix should be coming from Microsoft soon"

[Related: Report reveals by 2032, industrial cyber security market set to be US$43.5bn]

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.