Microsoft Teams accounts could be attacked via malicious GIFs


Microsoft has fixed a subdomain takeover vulnerability in its collaboration platform Microsoft Teams that could have allowed an inside attacker to weaponize a single GIF image and use it to pilfer data from targeted systems and take over all of an organization’s Teams accounts.

The attack simply involved tricking a victim into viewing a malicious GIF image for it to work, according to researchers at CyberArk who also created a proof-of-concept (PoC) of the attack.

Summary :

  • As more and more business is conducted from remote locations, attackers are focusing their efforts on exploiting the key technologies – like Zoom and Microsoft Teams – that companies and their employees depend on to stay connected.
  • We found that by leveraging a subdomain takeover vulnerability in Microsoft Teams, attackers could have used a malicious GIF to scrape user’s data and ultimately take over an organization’s entire roster of Teams accounts.
  • Since users wouldn’t have to share the GIF – just see it – to be impacted, vulnerabilities like this have the ability to spread automatically.
  • This vulnerability would have affected every user who uses the Teams desktop or web browser version.
  • CyberArk worked with Microsoft Security Research Center under Coordinated Vulnerability Disclosure after finding the account takeover vulnerability and a fix was quickly issued.

Attack work flow:


To solve this problem, there is a way to fetch image content with JavaScript code as a blob and then set the src attribute of the IMG tag to the created blob.

Another way to solve this is by creating an access token to the resource in the form of a hash or similar.

Microsoft Teams developers decided to go with a combination of different solutions and have already fixed the issue.

Reference Article by CyberArk :

2 thoughts on “Microsoft Teams accounts could be attacked via malicious GIFs

Leave a Reply

Your email address will not be published. Required fields are marked *