Select Page

Organizations and security teams work to protect themselves from any vulnerability, and often don’t realize that risk is also brought on by configurations in their SaaS apps that have not been hardened. The newly published GIFShell attack method, which occurs through Microsoft Teams, is a perfect example of how threat actors can exploit legitimate features and configurations that haven’t been correctly set. This article takes a look at what the method entails and the steps needed to combat it.

The GifShell Attack Method

Discovered by Bobby Rauch, the GIFShell attack technique enables bad actors to exploit several Microsoft Teams features to act as a C&C for malware, and exfiltrate data using GIFs without being detected by EDR and other network monitoring tools. This attack method requires a device or user that is already compromised.

Learn how an SSPM can assess, monitor and remediate SaaS misconfigurations and Device-to-SaaS user risk.

The main component of this attack allows an attacker to create a reverse shell that delivers malicious commands via base64 encoded GIFs in Teams, and exfiltrates the output through GIFs retrieved by Microsoft’s own infrastructure.

images from Hacker News