ms teams is now a C2 (command-and-control)

Comments
Author

It's funny how you can make a whole video showing how it can be used to execute commands to compromised hosts and half the comments think the software itself is infecting people.

electrified
Author

Another great thing is that there is less blocking in teams. Often pages are blocked by the company but the preview in teams renders the website.

jrjuergenross
Author

15:43 IDs are visible in Inspector in the right panel

odm
Author

At 13:02 your bearer token becomes clear for 1 frame.

LuizMoratelli
Author

John, I like it when you follow up with some defender recommendations, eg. create a Power Platform data policy to prevent the use of webhooks.
I use them occasionally for logic apps to ingest data from 3rd party tools, but I prefer outbound REST requests to pull (vs push) when possible.
99.9% of end users have no need for creating webhooks so this should be blocked and/or logged.
Great demo, thanks!!!

simple-security
Author

That is a nightmare for every firewall.

buldozzer
Author

15:41 blurred on the left side and OK to read on the right side :D

mlords
Author

So let me get this straight: Compromise the user's machine to install the "agent" software. Then, create a Teams channel, then create a webhook-based workflow in that channel, and *then* complete all the rest of the setup? Interesting demo, but it takes multiple administrative actions to complete (as well as the user actually accepting the chat to boot).

Edit to add even *more* steps that need to be done.

me
Author

I just got an ad of you on your video. Nice

randykitchleburger
Author

Of all things, I didn't expect MS Teams to be vulnerable to this...

arrowslasharrow
Author

I’ve watched this video 4 times already. I’m really trying to grasp the terminology and use this in an upcoming interview with a company that deals with mainly Microsoft tools. Thanks John!

MamuttTech
Author

Oh perfect, glad I have 4 different attack vectors on my computer now.

CreampuffgameZ
Author

That's actually insanely smart. Using Microsoft servers so web requests look more legitimate to anti-malware and EDR solutions is so clever, and I don't know why no one thought of it before.

Ihatmyif
Author

Only 5 mins into the video and this is very cool, hats off to cxnturi0n!

larrydoyle
Author

It looks like your IP isn't blurred at 8:31, but it was initially blurred when you connected via SSH.

joshy-x
Author

I think this hack will affect businesses where the hacker has already penetrated the network. Businesses that are already blocking external organizations or blocking sharing with external organizations won't have an issue.

VypeReaper
Author

This is HUGE. Can't wait to start testing this out.

-willplaysgames
Author

Hello, I think that at minute 15:42 you can see the text in the selected text in Burp Suite?

TMIDM
Author

Companies are moving to Rocket Chat for internal collaboration (and the same workspace for omni-channel).

felipecguimaraes
Author

13:13 It is different. EMEA is short for Europe, the Middle East and Africa.

VulcanOnWheels