Phishing with GIFShell in Microsoft Teams

People love GIFs. We add them to emails, texts, tweets, and Slack chat groups all day long as we chat away with co-workers, friends, and family. We use them as a communication tool to show emotion and convey a tone when a plain text message might fall flat. If a picture says a thousand words, a GIF might be close to a million.

GIFs are pervasive these days: people maintain GIF folders so they can quickly grab one that captures the moment, the subreddit r/gifs has 21.5 million subscribers, and more than 10 million GIFs are shared on Giphy daily.

So, why are we, a cybersecurity company, talking about GIFs? GIFs have become a new vehicle for threat actors to penetrate systems. It’s incredibly inventive on the side of threat actors. They’ve leveraged a medium we’ve grown accustomed to using – a medium people would never think of as containing a threat. Although the cyber community often warns about phishing scams that come from malicious links and files, now it’s time to add GIFs to that list. A seemingly innocuous GIF of Michael Jackson eating popcorn could be a potential threat, as was recently demonstrated with a GIFShell attack.

What Have You Done

How does a GIFShell Attack work?

In short, the GIFShell attack technique allows hackers to exploit a number of Microsoft Teams features and exfiltrate data through GIFs. What should raise eyebrows and alarm bells is that this attack route can’t be detected with network monitoring tools or endpoint detection and response solutions (EDRs) because requests come from the Microsoft website just as other Teams communications do.

Now, let’s break it down. Here’s what happens, as explained in Bleeping Computer:

  • First, a threat actor needs a compromised computer which is easy to acquire via a typical phishing scam that gets a user to install a malicious stager. That stager is developed to execute commands and upload the output to a Microsoft Teams webhook via a GIF URL.
  • The hacker then creates a Teams tenant and sends a message with a manipulated GIF to a Teams user through a GIFShell Python script. The GIF appears completely legitimate to the recipient; however, it contains execute commands.
  • By default, Microsoft Teams’ log stores the GIF and message. Since Teams runs as a background process, the user doesn’t even have to open the GIF to enable the execute commands.
  • The stager continuously monitors the logs, extracting and running the base64 encoded command on a user’s device. Then the GIFShell PoC converts the command to base64 text – the same base64 text as the filename for the GIF embedded in Microsoft Teams that the stager sent to the hacker’s Microsoft Teams webhook.
  • To retrieve the GIF, Microsoft servers connect to the attacker’s server URL, which uses the same name as the base64 encoded output execution command.
  • Finally, the threat actor’s server gets the request, automatically decoding the file name and showing the command’s output as it runs on the victim’s machine.
  • Hackers can easily repeat the process by sending other GIFs with embedded execute commands.

What’s Microsoft doing about this attack pattern?

After being notified of this attack method by the researcher who identified it, Microsoft responded that while problematic, it does “not meet the bar for an urgent security fix.” However, Microsoft did note that it “may take action in a future release to help mitigate this technique.”

From Microsoft’s point of view, the attacks “are post-exploitation and rely on a target already being compromised.” Because the attack doesn’t bypass security boundaries, Microsoft concluded that the issue should be dealt with by the product team, not the security team.

What this means is that companies need to handle this potential exploitation method on their own. It’s imperative to prepare and secure networks because, as with most security threats, it’s not a matter of whether a company will be attacked but when it will be.

Threats come from every direction, all the time

The reality is that threat actors are observers of human behavior and use that against us in many ways. We know how pervasive phishing attacks are and that hackers use them successfully because busy employees open emails, download files, or click on links without thinking it through.

Hackers also know that developers download NPM packages so often that they don’t always meticulously check package names. Recently, hackers used that habit to launch a massive supply chain attack through 200 malicious NPM packages with similar but inauthentic package names.

To further drive home the need for organizations to be proactive about their overall security, consider the fact that threat actors routinely scan for CVEs in as little as 15 minutes from the time they are publicly announced. As most security teams have a lot on their plate already and are not constantly attached to announcement sites the way threat actors are, they are slower to react, failing to patch systems before hackers attack.

What steps should companies take to protect themselves?

Although there is no immediate fix for the GIFShell attack (or many others), there are simple workarounds organizations can use to increase their defenses.

External access block: The easiest way to ensure you avoid this type of attack is to change the external settings in Teams, blocking access to any company not included in the ‘allow list.’ Although this strategy disables some functionality, it provides more security.

Cybersecurity awareness training: Even the best defenses are only as strong as the weakest link (a.k.a. an untrained employee). Employees want to do what they can, but since most aren’t engrossed in security, they can’t take proactive steps if they don’t know about threats. Hold regular training sessions to educate the entire company.

Disable NTLM and/or enable SMB signing: On numerous occasions, hackers have used NTLM relay attacks to steal credentials so disabling NTLM authentication adds an additional layer of protection. Bolster that by enabling SMB signing, which shows whether a message has been tampered with.

A security philosophy for all

Live by this motto from CYREBRO’s Threat Intelligence Analyst Ziv Nachman:

“It is always advisable to be on the lookout for suspicious links and user abnormalities, even in office platforms. Do not assume that a message received from an organization user is intrinsically clean.”

As you know, there is no surefire way to keep an organization 100% protected 100% of the time. Hacker methods evolve quickly, vulnerabilities are constantly being discovered, and humans are fallible – those are the facts. What you must do as a security professional is take every precaution possible, stay on top of news and alerts, patch systems immediately, and boost awareness across the entire company, especially highlighting how attacks often start from innocent-looking sources.

Sign Up for Updates