Researchers used a GIF to prove they could access Microsoft Teams user data

Zoom isn’t the only video conferencing service attracting scrutiny from security researchers.
Microsoft Active Directory
(Flickr user <a href="">Thomas Hawk</a> / CC-BY-2.0)

Zoom isn’t the only video conferencing service attracting scrutiny from security researchers.

Microsoft Teams, the technology giant’s professional collaboration tool, included a software bug that could have made it possible for hackers to steal data. Hackers could have used a malicious GIF to scrape user data from Microsoft Teams user accounts, spreading through an organization’s entire roster of employees who use the service, researchers from CyberArk announced Monday.

The issue existed for three weeks between the end of February through mid-March, when much of the U.S. started to telework in response to the coronavirus pandemic.

“The amount of data that goes into these applications is enormous and often includes confidential information from user names and passwords to top-secret business information – making them prime targets for attackers,” Omer Tsarfati, a CyberArk researcher, said in a blog post.


CyberArk did not point to any evidence the issue had been exploited in the wild. Microsoft issued a patch for the flaw on April 20.

According to a proof-of-concept published by CyberArk, the issue involved the way that Microsoft Teams conducted security checks on images. Researchers determined that, by spoofing domains on a Microsoft server, attackers could impersonate legitimate members of a Teams client organization. Then, by convincing real Teams users to visit the hijacked domain, hackers could tempt them into clicking an image which ultimately displayed sensitive information.

In its demonstration, CyberArk demonstrated how a malicious Donald Duck GIF could be used to infiltrate a Teams workflow. From there, attackers could spread automatically through a client system, much like a self-replicating kind of malware known as a worm.

“The fact that the victim only needs to see the crafted message to be impacted is a nightmare from a security perspective,” Tsarfati’s blog post stated. “Every account that could be impacted by this vulnerability could also be a spreading point to all other company accounts.”

Researchers did not point to any evidence that attackers had exploited the bug in the real world.


These findings come after attackers have leveraged weaknesses in Zoom to barge into users’ video conferences to advocate white supremacy or otherwise disrupt innocuous meetings. The rise of “Zoombombing,” combined with that company’s encryption issues, exemplified how some technology companies had failed to prioritize data protection amid a huge uptick in user numbers.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts