Microsoft has said that it will not fix, or will delay fixes for, several security problems affecting Microsoft Teams’ link preview functionality that have been reported since March 2021. Fabian Bräunlein, co-founder of the German IT security company Positive Security, disclosed four vulnerabilities leading to Server-Side Request Forgery (SSRF), URL preview spoofing, an IP address leak (Android), and a denial of service (DoS) nicknamed “Message of Death” (Android).
Bräunlein reported the four issues to the Microsoft Security Response Center (MSRC), which examines complaints of vulnerabilities in Microsoft products and services. “The vulnerabilities allow accessing internal Microsoft services, spoofing the link preview, and, for Android users, leaking their IP address and DoS’ing their Teams app/channels,” the researcher said.
Microsoft patched only one of the four vulnerabilities: the one that allowed attackers to obtain targets’ IP addresses if they used Android devices. For the remaining flaws, Microsoft stated that the SSRF would not be fixed in the current version, while a patch for the DoS would be addressed in a future release.
Threat actors could leverage the URL preview spoofing flaw for phishing attempts or to disguise harmful URLs, but Teams users were not affected. Since July, Teams has used Defender for Office 365 Safe Links protection to shield users from URL-based phishing attempts, which may explain the company’s decision not to resolve a spoofing problem that would otherwise be usable in phishing attacks.
While Safe Links protection is available to all Teams users and works for links shared in conversations, group chats, and Teams channels, it must be activated in the Microsoft 365 Defender portal by creating a Safe Links policy.
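Where an administrator prefers scripting over the Microsoft 365 Defender portal, the same Safe Links policy can be created with the Exchange Online PowerShell module. This is an added example and not part of the original article; the policy and rule names and the `contoso.example` domain are placeholders, and it assumes an account with the Security Administrator role.

```powershell
# Requires the ExchangeOnlineManagement module; connects to Exchange Online PowerShell
# (Safe Links cmdlets live in Exchange Online, not in the Defender portal API).
Connect-ExchangeOnline

# Placeholder names; replace with values appropriate for your tenant.
$policyName = "SafeLinks-Teams-Protection"
$ruleName   = "SafeLinks-Teams-Protection-Rule"
$domain     = "contoso.example"

# Create the policy. EnableSafeLinksForTeams is the switch that extends URL
# scanning to links shared in Teams chats, group chats, and channels.
# AllowClickThrough $false stops users from bypassing the warning page.
New-SafeLinksPolicy -Name $policyName `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false

# A policy does nothing until a rule scopes it to recipients; here the
# whole placeholder domain is covered at the highest priority.
New-SafeLinksRule -Name $ruleName `
    -SafeLinksPolicy $policyName `
    -RecipientDomainIs $domain `
    -Priority 0

# Verification: confirm Teams protection is actually on in the stored policy.
Get-SafeLinksPolicy -Identity $policyName |
    Format-List Name, EnableSafeLinksForTeams, ScanUrls, AllowClickThrough

Disconnect-ExchangeOnline -Confirm:$false
```

The verification step matters because a policy created without `-EnableSafeLinksForTeams $true` will still protect e-mail but leave Teams links unrewritten.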