Microsoft Teams is keeping security tokens in plain text… and more UPDATED 23 September 2022

The original post was published on 16 September 2022

This is a real problem: no software or system should keep any security token in plain text at any time during operation. The user base for Microsoft Teams is in excess of 270 million users – we are part of that number, as are all of our security clients, as it is the main way we support and work with them.

Undermining Microsoft Teams Security by Mining Tokens (vectra.ai)

Exploiting this error can give threat actors access to accounts even if MFA is enabled, and it impacts the Windows, macOS and Linux desktop apps. There is no news of a patch yet.

Update 23 September 2022

Here is some further analysis on the issue from Xme at SANS Internet Storm Center, looking to see if the reported exploits were found in the wild – spoiler alert, they were!

Kids Like Cookies, Malware Too! – SANS Internet Storm Center


This is following close on the heels of this issue impacting Microsoft Teams:

GIFShell attack creates reverse shell using Microsoft Teams GIFs (bleepingcomputer.com)

This attack, explained at Bleeping Computer, uses several Teams vulnerabilities to exfiltrate information via a GIFShell attack – a malicious command shell via GIFs – and because it is using Microsoft’s infrastructure it is difficult to detect. It all starts with a phishing attack to convince the user to install the first stage of the attack.

It is a good job that Microsoft is making the updating of Microsoft 365 more effective:

Microsoft 365 automatic updates – Smart Thinking Solutions

Clive Catton MSc (Cyber Security) – by-line and other articles

Further Reading

Kids Like Cookies, Malware Too!