At the beginning of September, a security researcher identified a potential security flaw with “GIFShell”, which can be used to send GIF images via Microsoft Teams. The research found that threat actors are actively exploiting the flaw and using it to launch phishing attacks by sharing files that carry covert commands for stealing data. In practice, this means cybercriminals attach malware to what appear to be harmless GIF image files; if clicked, those files deliver illicit commands and harvest company data. The attacks get through because the delivery method makes them harder for security systems to spot.
This exploit works because threat actors can abuse a small flaw to create a bogus Microsoft Teams tenant from which to launch the attack. Files shared afterwards (such as GIFs) appear to originate from within the company and therefore seem more trustworthy. When clicked, the file can download and execute, carrying out whatever nefarious commands it has been programmed to perform.
Preventing the attacks
While Microsoft is looking at a security patch (although it has rated the issue low-risk and therefore low-priority), some system settings can help mitigate attacks like these. Microsoft 365’s security features (Microsoft Defender) include a Safe Attachments policy that prevents “drive-by” installations, i.e. it requires user permission before a download is started. Your IT partner can also ensure that NTLM (NT LAN Manager) is disabled, or that Server Message Block is enabled to prevent downloads, and of course every user should be subject to a robust, complex password policy.
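The following audit script is an added example, not part of the original article or any Microsoft tooling. It checks the settings the paragraph above recommends; it assumes the ExchangeOnlineManagement module is installed and that Connect-ExchangeOnline has already been run against a tenant licensed for Defender for Office 365, and the NTLM check reads the policy-backed registry value on the local Windows machine.

```powershell
# Added example (not from the original article): audit the mitigations the
# article recommends. Assumes an existing Connect-ExchangeOnline session and
# that the script runs on the Windows workstation being checked.

function Test-SafeAttachmentsPolicy {
    # Every enabled Safe Attachments policy should hold or block attachments
    # rather than let them through unscanned.
    $policies = Get-SafeAttachmentPolicy
    if (-not $policies) {
        Write-Warning 'No Safe Attachments policy found: attachments are not detonated.'
        return $false
    }
    $ok = $true
    foreach ($p in $policies) {
        $good = $p.Enable -and ($p.Action -in @('Block', 'DynamicDelivery'))
        Write-Host ("{0,-30} Enabled={1,-5} Action={2}" -f $p.Name, $p.Enable, $p.Action)
        if (-not $good) { $ok = $false }
    }
    return $ok
}

function Test-SafeAttachmentsForTeams {
    # Safe Attachments for SharePoint, OneDrive and Teams is a tenant-wide
    # switch, separate from the mail policies above; it is the one that
    # covers files shared through Teams.
    $atp = Get-AtpPolicyForO365
    if (-not $atp.EnableATPForSPOTeamsODB) {
        Write-Warning 'Safe Attachments for SharePoint/OneDrive/Teams is off.'
        return $false
    }
    return $true
}

function Test-NtlmRestricted {
    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    # is stored as RestrictSendingNTLMTraffic: 0 = allow, 1 = audit, 2 = deny.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $value = (Get-ItemProperty -Path $key -Name RestrictSendingNTLMTraffic `
              -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    switch ($value) {
        2       { return $true }
        1       { Write-Warning 'Outgoing NTLM is only audited, not denied.'; return $false }
        default { Write-Warning 'Outgoing NTLM is allowed (policy not set).'; return $false }
    }
}

[pscustomobject]@{
    SafeAttachmentsMail  = Test-SafeAttachmentsPolicy
    SafeAttachmentsTeams = Test-SafeAttachmentsForTeams
    NtlmRestricted       = Test-NtlmRestricted
}
```

A false in any column is a setting to raise with your IT partner; the script only reads configuration and changes nothing.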
Settings aside, regular cybersecurity training remains a top priority for avoiding these types of exploit. Human error is still the primary contributor to cybersecurity incidents, and according to one report, employees are unlikely to report potential incidents, either because they are afraid or because they don’t care. Cyber training not only improves knowledge in specific areas but also heightens overall awareness, making users less trusting and less likely to click on unexpected content. This, coupled with a “zero trust” user policy, supports robust security practices.