In June 2023, security researchers from Jumpsec published a technique that allowed external attackers to deliver malware directly to Microsoft Teams users, bypassing the platform's file-sending restrictions for external tenants. The technique exploited a gap between Teams' client-side restrictions and server-side enforcement, allowing attackers to send malicious files to employees of target organizations through what appeared to be normal Teams messages.
The finding was significant because it exposed a blind spot in enterprise security architectures. Organizations had spent years hardening their email security with spam filters, attachment scanning, URL sandboxing, and phishing detection. But Microsoft Teams, which had become the primary communication platform for millions of workers during and after the pandemic, had far fewer security controls. Attackers who could reach employees through Teams could bypass the entire email security stack.
The Attack Technique
Microsoft Teams allows organizations to communicate with external tenants by default. This "External Access" feature (tenant federation) lets employees receive chat messages from users in other Microsoft 365 organizations. External users were not supposed to be able to send files into a federated tenant, but the researchers found that this restriction was enforced by the Teams client, not by the service: a classic insecure direct object reference (IDOR), which is how Jumpsec titled its advisory.
By intercepting the POST request that sends a message and swapping the internal and external recipient IDs in its payload, an external attacker could make the service process the message as an internal one. A file hosted on the attacker tenant's SharePoint was then delivered to the target as an ordinary attachment instead of being blocked.
The attack flow was straightforward: the attacker creates a Microsoft 365 tenant (a trial tenant is free), identifies a target employee's email address, starts a Teams chat with the target from the external tenant, and tampers with the message request so the file is accepted. The file appears in the target's chat as a normal attachment. Teams still marks the chat as external, but the attacker can blunt that warning by registering a look-alike domain for the tenant.
From the target's perspective, they receive a Teams message with a file attachment. Depending on the social engineering pretext, the message might appear to come from a legitimate business contact, a partner organization, or a new colleague.
Why Teams Is an Attractive Attack Vector
The shift to Teams as a primary communication platform created a security imbalance that attackers have been quick to exploit.
Trust differential. Users treat Teams messages with more trust than email. Years of phishing awareness training have conditioned employees to be suspicious of unexpected emails. But a Teams message feels more immediate, more personal, and more trustworthy. The implicit assumption is: "This person is part of my organization or a trusted partner, or they wouldn't be on Teams."
Security control gap. Email passes through multiple security layers: spam filters, malware scanning, URL rewriting, sandbox detonation, and impersonation detection. Teams messages pass through far fewer controls. Most organizations haven't implemented equivalent security inspection for their collaboration platforms.
Rich interaction. Teams supports file sharing, screen sharing, video calls, and application integrations. Each of these capabilities is a potential attack vector that doesn't exist in email. An attacker in a Teams conversation can be far more interactive and convincing than an attacker limited to email.
Pandemic-driven adoption. The rapid adoption of Teams during the COVID-19 pandemic meant many organizations deployed it without the security review that would typically accompany a new enterprise platform. Default configurations were left in place, and security teams focused on more immediate threats.
The Storm-0324 Campaign
The theoretical risk became a real-world threat in September 2023, when Microsoft reported that the threat group Storm-0324 (also known as TA543 or Sagrid) was using Microsoft Teams to deliver phishing lures. Storm-0324 is a financially motivated access broker that sells access to compromised organizations to ransomware operators.
Storm-0324's Teams-based campaign used social engineering lures themed as invoices, payments, and shipping documents, similar to their historical email-based campaigns but now delivered through a channel with fewer security controls and higher user trust. Microsoft reported that the group sent these lures with TeamsPhisher, a publicly available tool released in July 2023 that automates the technique Jumpsec had described.
Microsoft responded by implementing improvements to Teams' security controls, including enhanced notification of external senders and restrictions on external file sharing. But the incident demonstrated that the threat was not theoretical.
Broader Collaboration Platform Risks
The Teams vulnerability was part of a larger pattern of security gaps in collaboration platforms.
Slack has faced similar issues with external channel access and application integrations that can be exploited for data exfiltration or phishing.
Zoom has dealt with "Zoombombing" and various vulnerabilities in its client applications that could be exploited for code execution or information disclosure.
Google Workspace has seen abuse of Google Docs, Sheets, and Drive sharing features for phishing and malware distribution.
The common thread is that collaboration platforms were designed for ease of communication, not security. Features that make collaboration seamless, like external sharing, automatic file synchronization, and rich integrations, also create attack vectors that are difficult to secure without restricting functionality.
Defensive Measures
Restrict external access. If your organization does not need to receive Teams chats from other Microsoft 365 tenants, turn External Access off. If external communication is necessary, allow-list the specific partner domains rather than federating with every tenant. Note that External Access (federation) and Guest Access are separate controls: turning off federation does not stop guests who are invited into your tenant, and vice versa, so review both.
Implement collaboration platform security tools. Deploy security solutions that inspect Teams messages for malicious content, phishing URLs, and suspicious files. Several vendors now offer this capability as email security extends to collaboration platforms.
Update awareness training. Include collaboration platform threats in security awareness training. Employees need to understand that Teams messages can be malicious, especially from unknown external contacts.
Monitor Teams activity. Enable and review Microsoft 365 audit logs for Teams activity. Teams audit records identify chats that include users from other tenants and list the participating tenant IDs and domains, which makes it possible to baseline the partners you normally talk to. Look for messages involving tenants never seen before, file links sent by external users, and one external sender opening chats with many employees in a short window.
Enforce safe file handling. Restrict the file types that can be shared in Teams and block executables, scripts, and other high-risk types, including the archive, disk-image, and shortcut formats (.zip, .iso, .lnk) commonly used to wrap them. Bear in mind that the Jumpsec technique delivered the payload as a link to a file hosted outside the target tenant, so the control has to apply to links and downloads from external tenants, not only to direct uploads.
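The monitoring and file-handling measures above can be turned into a concrete triage pass over Teams audit data. The script below is an added example written for this article; it is not code from Jumpsec, Microsoft, or Safeguard.sh. It assumes records shaped like the Microsoft 365 Unified Audit Log entries for the Teams workload (the AuditData JSON returned by Search-UnifiedAuditLog -RecordType MicrosoftTeams), and uses only the documented fields ParticipantInfo.ParticipatingTenantIds, MessageURLs, ChatThreadId, UserId and CreationTime. The home domain, tenant IDs, partner tenant, thresholds, URLs and sample records are all constructed for the example. It flags three things: a tenant that has never appeared in your chats before, a file link sent by an external user (escalated when the extension is a high-risk type), and one external sender opening several internal chats inside a short window.

```python
import posixpath
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed values for this example: a hypothetical home tenant and domain, plus
# one partner tenant that has already been vetted.
OUR_DOMAIN = "contoso.example"
OUR_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANTS = frozenset({"33333333-3333-3333-3333-333333333333"})
HIGH_RISK_EXTENSIONS = {".exe", ".iso", ".zip", ".js", ".vbs", ".lnk",
                        ".scr", ".hta", ".msi", ".bat", ".ps1"}
BURST_THRESHOLD = 3                   # distinct internal chats from one external sender
BURST_WINDOW = timedelta(minutes=10)

def foreign_tenants(record, our_tenant=OUR_TENANT):
    """Tenant IDs in the chat other than our own, from ParticipantInfo."""
    info = record.get("ParticipantInfo") or {}
    return set(info.get("ParticipatingTenantIds", [])) - {our_tenant}

def link_extension(url):
    """Lower-cased file extension of the URL path ('' if none)."""
    return posixpath.splitext(urlparse(url).path)[1].lower()

def peak_distinct_chats(events, window):
    """Most distinct chat threads inside any `window` of (time, thread) events."""
    events = sorted(events)
    in_window, start, peak = Counter(), 0, 0
    for t, thread in events:
        in_window[thread] += 1
        while t - events[start][0] > window:      # drop events that fell out of the window
            old = events[start][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            start += 1
        peak = max(peak, len(in_window))
    return peak

def triage(records, known_tenants=frozenset(), our_domain=OUR_DOMAIN,
           threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return (rule, severity, sender, detail) alerts for MessageSent audit records."""
    alerts, seen_tenants = [], set(known_tenants) | {OUR_TENANT}
    bursts = defaultdict(list)                    # external sender -> [(time, thread)]
    for r in sorted(records, key=lambda rec: rec["CreationTime"]):
        if r.get("Operation") != "MessageSent":
            continue
        sender = r["UserId"]
        # Rule 1: a tenant that has never appeared in our chats before.
        for tenant in sorted(foreign_tenants(r) - seen_tenants):
            alerts.append(("new_external_tenant", "medium", sender, tenant))
            seen_tenants.add(tenant)
        if sender.rsplit("@", 1)[-1].lower() == our_domain:
            continue                              # rules 2 and 3 are about external senders
        # Rule 2: an external user sharing a file link; high-risk types are escalated.
        for url in r.get("MessageURLs") or []:
            severity = "high" if link_extension(url) in HIGH_RISK_EXTENSIONS else "low"
            alerts.append(("external_file_link", severity, sender, url))
        when = datetime.fromisoformat(r["CreationTime"])   # ISO 8601 UTC, no offset
        bursts[sender].append((when, r.get("ChatThreadId")))
    # Rule 3: one external sender opening many internal chats in a short window.
    for sender, events in bursts.items():
        peak = peak_distinct_chats(events, window)
        if peak >= threshold:
            alerts.append(("external_burst", "medium", sender,
                           f"{peak} distinct chats within {window}"))
    return alerts

def make_record(time, sender, thread, tenants, domains, urls=()):
    """Constructed record carrying only the audit-log fields used above."""
    return {"CreationTime": time, "Operation": "MessageSent", "UserId": sender,
            "ChatThreadId": thread, "CommunicationType": "OneOnOne",
            "ParticipantInfo": {"HasForeignTenantUsers": len(tenants) > 1,
                                "ParticipatingTenantIds": list(tenants),
                                "ParticipatingDomains": list(domains)},
            "MessageURLs": list(urls)}

# Constructed sample: one internal chat, one vetted partner, and a look-alike
# "finance" account from an unknown tenant hitting four staff in five minutes.
ATTACKER = "finance@contoso-invoices.example"
UNKNOWN_TENANT = "22222222-2222-2222-2222-222222222222"
LURE = "https://contosoinvoices-my.sharepoint.example/personal/finance/Documents/Invoice_0923.zip"
SAMPLE_RECORDS = [
    make_record("2023-09-12T08:55:02", "alice@contoso.example", "19:int-1@thread.v2",
                [OUR_TENANT], ["contoso.example"]),
    make_record("2023-09-12T09:01:40", "pm@partner.example", "19:ext-1@thread.v2",
                [OUR_TENANT, *PARTNER_TENANTS], ["contoso.example", "partner.example"],
                ["https://partner-my.sharepoint.example/personal/pm/Documents/SOW.pdf"]),
] + [
    make_record(time, ATTACKER, f"19:ext-{n}@thread.v2", [OUR_TENANT, UNKNOWN_TENANT],
                ["contoso.example", "contoso-invoices.example"], urls)
    for n, time, urls in [(10, "2023-09-12T09:03:11", []), (11, "2023-09-12T09:04:05", [LURE]),
                          (12, "2023-09-12T09:06:30", []), (13, "2023-09-12T09:07:58", [])]
]

if __name__ == "__main__":
    for rule, severity, sender, detail in triage(SAMPLE_RECORDS, PARTNER_TENANTS):
        print(f"[{severity:6}] {rule:20} {sender:34} {detail}")
```

Run against the constructed sample, the script raises a low-severity file-link alert for the vetted partner's PDF, a new-tenant alert the first time the unknown tenant appears, a high-severity alert for the .zip lure, and a burst alert for the look-alike account that opened four chats in five minutes; the internal chat produces nothing. The partner tenant is passed in as already known, which is the baseline step the audit-log paragraph above calls for: feed the script the tenant IDs you federate with on purpose, and everything else is new. Matching on link extensions is deliberately crude; it catches the obvious lures but should sit alongside URL detonation, not replace it.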
How Safeguard.sh Helps
Safeguard.sh focuses on securing the software supply chain, which includes the development tools and collaboration platforms that teams use daily. Our platform helps organizations understand their security posture across the entire development lifecycle. When collaboration platforms become attack vectors for delivering malware or phishing to development teams, the risk extends to the software supply chain. Safeguard.sh's continuous monitoring and policy enforcement help ensure that even if an attacker reaches your team through a collaboration platform, the software your team builds and deploys maintains its integrity.