Organizations and security teams struggle to protect themselves against any vulnerabilities and often don’t realize that the risk is also caused by configurations in their SaaS applications that have not been hardened. The recently released GIFShell attack method, which occurs via Microsoft Teams, is a perfect example of how threat actors can exploit legitimate features and configurations that have not been properly defined. This article examines what the method entails and the steps needed to combat it.

The GIFShell attack method

Discovered by Bobby Rauch, the GIFShell attack technique allows malicious actors to leverage several features of Microsoft Teams to act as a C&C for malware and exfiltrate data using GIFs without being detected by EDR and other network monitoring tools. This attack method requires an already compromised device or user.


The core component of this attack allows an attacker to create a reverse shell that delivers malicious commands via base64-encoded GIFs into Teams, and exfiltrates the output via GIFs retrieved by Microsoft’s own infrastructure.

How it works

  • To create this reverse shell, an attacker must first compromise a computer to plant the malware – meaning the bad actor must convince the user to install a malicious stager, for example through phishing, which executes commands and uploads the command output via a GIF URL to a Microsoft Teams webhook.
  • Once the transfer tool is in place, the threat actor creates their own Microsoft Teams tenant and contacts other Microsoft Teams users outside the organization.
  • The threat actor can then use a Python GIFShell script to send a message to a Microsoft Teams user containing a specially crafted GIF. This legitimate GIF image has been modified to include commands to run on a target’s machine.
  • When the target receives the message, the message and the GIF will be stored in the Microsoft Teams logs. Important to note: Microsoft Teams runs as a background process, so the GIF doesn’t even need to be opened by the user for the commands from the attacker to be received and executed.
  • The stager monitors the Teams logs and when it finds a GIF, it extracts and executes the commands.
  • Microsoft’s servers will reconnect to the attacker’s server URL to retrieve the GIF, which is named using the base64-encoded output of the executed command.
  • The GIFShell server running on the attacker’s server will receive this request and automatically decode the data allowing attackers to see the output of the command run on the victim’s device.

Microsoft’s response

As Lawrence Abrams reported in BleepingComputer, Microsoft agrees that this attack method is a problem; however, it “falls short of the bar for an urgent security fix”. They “may take steps in a future release to help mitigate this technique.” Microsoft acknowledges this research but claims that no security boundaries were circumvented.

While Rauch maintains that there are indeed “two additional vulnerabilities discovered in Microsoft Teams, a lack of permissions enforcement and attachment spoofing,” Microsoft responds, “In this case…this is all post-exploitation and relies on an already compromised target”. Microsoft says this technique uses legitimate features of the Teams platform and is not something it can currently mitigate.

In line with Microsoft’s claims, this is indeed the challenge that many organizations face – there are configurations and features that threat actors can exploit if not hardened. A few changes to your tenant configurations can prevent these inbound attacks from unknown Teams tenants.

How to protect against the GIFShell attack

There are security configurations within Microsoft that, if tightened, can help prevent this type of attack.

1 — Disable external access: Microsoft Teams, by default, allows all external senders to send messages to users in this tenant. Many organization admins probably don’t even know that their organization allows external team collaboration. You can harden these configurations:

Figure 1: Microsoft Teams external access configurations
  • Disable external domain access — Prevent members of your organization from finding, calling, chatting, and meeting with people outside your organization in any domain. While not as seamless a process as through Teams, it better protects the organization and is worth the extra effort.
  • Disable unmanaged external Teams to start chat — Block Teams users in your organization from communicating with external Teams users whose accounts aren’t managed by an organization.

2 – Get an overview of the device inventory: You can ensure that all devices in your organization are fully compliant and secure by using your XDR / EDR / Vulnerability Management solution, such as CrowdStrike or Tenable. Endpoint security tools are your first line of defense against suspicious activity, such as access to the device’s local Teams logs folder, which is used for data exfiltration in GIFShell.

You can even go a step further and integrate a SaaS Security Posture Management (SSPM) solution, like Adaptive Shield, with your endpoint security tools to gain the visibility and context needed to see and manage the risks that arise from these types of setups, your SaaS users and their associated devices.
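The external access hardening in step 1 above can be audited and applied from PowerShell. The following is an added example, not code from the original article or from Adaptive Shield; it assumes the MicrosoftTeams PowerShell module is installed and the session is authenticated as a Teams administrator.

```powershell
# Added example (not from the original article): audit, then harden, the Teams
# external-access settings shown in Figure 1 using the MicrosoftTeams module.
# Assumes the MicrosoftTeams module is installed and the account holds the
# Teams Administrator role.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# Tenant federation settings that, when $true, let outsiders reach your users.
$Checks = @(
    @{ Name = 'AllowFederatedUsers';       Why = 'any external domain can find, chat with and call your users' },
    @{ Name = 'AllowTeamsConsumer';        Why = 'unmanaged (personal) Teams accounts can chat with your users' },
    @{ Name = 'AllowTeamsConsumerInbound'; Why = 'unmanaged Teams accounts can start the conversation' }
)

function Get-TeamsExternalAccessFindings {
    # Returns one object per setting that is still enabled, with the fix to apply.
    $cfg = Get-CsTenantFederationConfiguration
    foreach ($c in $Checks) {
        if ($cfg.($c.Name) -eq $true) {
            [pscustomobject]@{
                Setting = $c.Name
                Risk    = $c.Why
                Fix     = "Set-CsTenantFederationConfiguration -$($c.Name) `$false"
            }
        }
    }
}

# Audit first: every row is an open door for inbound chat from unknown tenants.
$findings = Get-TeamsExternalAccessFindings
if (-not $findings) { Write-Host 'External access is already disabled.'; return }
$findings | Format-Table -AutoSize

# Apply the hardened configuration: block chat from all external domains and
# from Teams accounts that are not managed by an organization.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
    -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# Re-read the tenant configuration to confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound
```

If specific partner domains must remain reachable, the -AllowedDomains parameter of Set-CsTenantFederationConfiguration restricts federation to an allow list instead of disabling it outright.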

How to automate protection against these attacks

There are two methods to combat misconfigurations and harden security settings: manual detection and remediation, or an automated SaaS Security Posture Management (SSPM) solution. With the multitude of configurations, users, devices and new threats, the manual method is an unsustainable drain on resources, leaving security teams overwhelmed. An SSPM solution, such as Adaptive Shield, gives security teams full control over their SaaS applications and configurations. The right SSPM automates and streamlines the process of monitoring, detecting, and remediating SaaS misconfigurations, SaaS-to-SaaS access, SaaS-related IAM, and device-to-SaaS user risk, according to industry and company standards.

In cases such as the GIFShell attack method, Adaptive Shield’s misconfiguration management capabilities enable security teams to continuously assess, monitor, identify and alert in the event of a misconfiguration (see figure 1). They can then quickly remediate through the system or use a ticketing system of their choice to send the relevant details for a quick fix.

Figure 2. Panoramic view of SaaS application hygiene

Similarly, Adaptive Shield’s Device Inventory feature (shown in Figure 2) can monitor devices in use across the enterprise and report any device risk to SaaS while correlating this information with user roles and permissions and the SaaS applications used. This allows security teams to have a holistic view of user and device posture to protect and secure high-risk devices that may pose a critical threat in their SaaS environment.

Figure 3. Device inventory
