Microsoft Teams’ Unpatched URL Spoofing Vulnerability
What is URL Spoofing?
URL spoofing is when an attacker crafts a link that looks like a legitimate URL but actually leads to the attacker’s website. It is most often used to carry out phishing attacks and steal sensitive information such as email addresses, credentials, postal addresses and bank account details. Have a look at the common types of URL spoofing.
Now let’s have a look at how I found a URL spoofing vulnerability in Microsoft Teams.
I was in a lecture that day and unable to concentrate on it, so I started reading InfoSec write-ups. Yes, you read that correctly: I could read during the lecture because my lectures were online and we were using Microsoft Teams. In my excitement I wanted to try what I had read, and I ended up finding this vulnerability. Now it’s showtime.
Steps to Reproduce the URL Spoofing Vulnerability in Microsoft Teams
1. Log in to Microsoft Teams and select any user to send a message to. Insert a link in the message text area and close the link preview (here we use https://www.microsoft.com/).
2. Click send and intercept the request in Burp Suite. In Burp Suite you can see the message payload in cleartext. Microsoft sends the chat message as HTML and represents the link as an anchor tag, so the link’s destination (the href) and its visible text are two separate values that anyone can edit independently.
3. Edit the payload so that the link redirects users to a malicious website while it still looks like the legitimate one. Here I pointed the href at a malicious website (https://evil.com/) while leaving the visible text as microsoft.com, so users see microsoft.com. You can refer to the image of the edited payload.
4. Click the forward button in Burp Suite to send the message. To verify, open the chat in the web application, the iOS or Android app, or the Windows app: the link text reads microsoft.com, but clicking it opens https://evil.com/.
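The following is an added example, not code from the original write-up or from Microsoft Teams. It shows the check a chat client could apply before rendering a message: if an anchor’s visible text itself looks like a URL, its hostname must match the hostname of the href. The sample payload is constructed to mirror the anchor-tag shape described in the steps above; the function names and the exact message markup are assumptions, not Teams’ real message format.

```javascript
// Added example: detecting href / link-text mismatches in chat-message HTML.
// The payload below is constructed for illustration; it is not a captured
// Teams message, only the anchor-tag shape the steps above describe.
const samplePayload =
  '<div>Check this out: <a href="https://evil.com/">https://www.microsoft.com/</a></div>';

// Pull every <a> out of an HTML string as { href, text }.
// A regex is enough here because we only look at the href attribute and the
// inner text; nested tags inside the anchor are stripped from the text.
function extractAnchors(html) {
  const anchors = [];
  const re = /<a\b[^>]*\bhref\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const text = m[2].replace(/<[^>]+>/g, '').trim();
    anchors.push({ href: m[1], text });
  }
  return anchors;
}

// Lower-cased hostname of a URL-like string, or null if the string is not
// URL-like. A scheme-less "microsoft.com" is treated as https://microsoft.com,
// and a host without a dot (e.g. "here") is rejected so ordinary words never
// count as a displayed address.
function hostOf(s) {
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : 'https://' + s;
  try {
    const host = new URL(candidate).hostname.toLowerCase();
    return host.includes('.') ? host : null;
  } catch {
    return null;
  }
}

// Return every anchor whose visible text names one host while its href goes
// to a different one. Anchors whose text is not URL-like are not reported:
// "click here" pointing anywhere is normal, a fake address is the spoof.
function findSpoofedLinks(html) {
  const spoofed = [];
  for (const a of extractAnchors(html)) {
    const shownHost = hostOf(a.text);
    if (shownHost === null) continue;
    const realHost = hostOf(a.href);
    if (realHost !== shownHost) spoofed.push({ ...a, shownHost, realHost });
  }
  return spoofed;
}

function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Hardened rendering: if the text pretends to be a different address, show
// the real destination as the label instead of the attacker-chosen text.
function renderSafeAnchor(a) {
  const shownHost = hostOf(a.text);
  const realHost = hostOf(a.href);
  const label = shownHost !== null && shownHost !== realHost ? a.href : a.text;
  return `<a href="${escapeHtml(a.href)}">${escapeHtml(label)}</a>`;
}

// Usage on the constructed payload.
for (const a of findSpoofedLinks(samplePayload)) {
  console.log(`spoofed link: text says ${a.shownHost}, href goes to ${a.realHost}`);
  console.log(`rendered safely as: ${renderSafeAnchor(a)}`);
}
```

The comparison is deliberately strict on full hostnames, so `www.microsoft.com` shown over an href to `microsoft.com` is also flagged; relaxing that to registrable domains needs a public-suffix list and is left out here. The same check is what a defender can run over captured message bodies to hunt for this pattern.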
I reported this vulnerability on 28 September 2021, and the MSRC team responded that this behaviour is intentional. See the image below for the MSRC team’s response.
But they accepted the report, and I received an acknowledgment from Microsoft for reporting this vulnerability.
Now, what are you waiting for? Go for it and try it on your own.