GIFShell Attack Lets Hackers Create Reverse Shell through Microsoft Teams GIFs

A cybersecurity researcher identified a new technique that could let threat actors stealthily execute commands and carry out phishing attacks through corrupted GIFs on Microsoft Teams.

The technique, dubbed GIFShell, was discovered by cybersecurity consultant Bobby Rauch and involves weaponizing Microsoft Teams by chaining several vulnerabilities. This could allow perpetrators to perform further attacks on compromised devices, such as dropping malicious payloads, executing arbitrary code remotely, and exfiltrating data through seemingly harmless GIFs.

GIFShell employs a series of Microsoft Teams vulnerabilities, such as bypassing Microsoft Teams security controls, spoofing attachments, exploiting insecure URI schemes, and exfiltrating data via GIF file names.

Seeing as it requires chaining several Teams shortcomings, carrying out the attack is challenging, albeit not impossible. Arguably the most devious component of the attack, labeled GIFShell, could let criminals create a reverse shell on the victim’s machine piped through malicious Teams messages GIFs.

To achieve this, perpetrators must first deliver and install a stager on the victim’s machine. As Rauch demonstrated, this could be easily achieved by abusing Microsoft Teams’ lack of permission enforcement and attachment spoofing vulnerabilities.

Once planted, the stager continuously scans Teams log files for incoming base64-encoded GIFs, decodes them, and executes injected malicious commands on the compromised machine.

Subsequently, the output of the commands is encoded to base64 and used as a file name for a maliciously crafted GIF. The GIF’s URL is then embedded into a Microsoft Teams Card, which the stager sends to the attacker’s public Teams webhook.

To render flash cards, Microsoft Teams connects to the attacker’s server address to retrieve the GIF, which allows the GIFShell stager to monitor the output of executed commands on compromised devices.

Microsoft Teams runs in the background, so the attacker requires no user interaction to execute malicious commands. To make the attack even harder to detect, the malicious requests are carried out through legitimate Microsoft domains used for regular Teams communication.

The researcher notified Microsoft of the findings, but the company said it wouldn’t fix the vulnerabilities as the attack doesn’t bypass security boundaries.

"No security boundary appears to be bypassed. The product team will review the issue for potential future design changes, but this would not be tracked by the security team," Microsoft told Rauch in an email, according to BleepingComputer.