November 29, 2022


Your Partner in the Digital Era

GIFShell attack makes reverse shell employing Microsoft Groups GIFs

A new attack system called ‘GIFShell’ makes it possible for risk actors to abuse Microsoft Groups for novel phishing attacks and covertly executing instructions to steal knowledge working with … GIFs.

The new assault state of affairs, shared solely with BleepingComputer, illustrates how attackers can string collectively various Microsoft Teams vulnerabilities and flaws to abuse respectable Microsoft infrastructure to provide destructive data files, instructions, and accomplish exfiltrating knowledge by using GIFs. 

As the information exfiltration is carried out by means of Microsoft’s individual servers, the site visitors will be harder to detect by protection software program that sees it as authentic Microsoft Team’s targeted traffic.

Total, the assault system utilizes a assortment of Microsoft Groups flaws and vulnerabilities:

  • Bypassing Microsoft Teams protection controls permits exterior users to deliver attachments to Microsoft Groups end users.
  • Modify despatched attachments to have end users download information from an external URL fairly than the created SharePoint connection.
  • Spoof Microsoft groups attachments to look as harmless data files but obtain a malicious executable or doc.
  • Insecure URI techniques to enable SMB NTLM hash theft or NTLM Relay attacks.
  • Microsoft supports sending HTML foundation64 encoded GIFs, but does not scan the byte content material of individuals GIFs. This allows malicious commands to be delivered in just a ordinary-seeking GIF.
  • Microsoft suppliers Groups messages in a parsable log file, located locally on the victim’s equipment, and accessible by a reduced-privileged consumer.
  • Microsoft servers retrieve GIFs from remote servers, enabling facts exfiltration through GIF filenames.

GIFShell – a reverse shell via GIFs

The new assault chain was found out by cybersecurity guide and pentester Bobby Rauch, who located a lot of vulnerabilities, or flaws, in Microsoft Groups that can be chained with each other for command execution, info exfiltration, stability manage bypasses, and phishing assaults.

The most important ingredient of this attack is known as ‘GIFShell,’ which allows an attacker to create a reverse shell that provides destructive commands by means of foundation64 encoded GIFs in Groups, and exfiltrates the output through GIFs retrieved by Microsoft’s personal infrastructure.

To create this reverse shell, the attacker ought to to start with persuade a consumer to install a malicious stager that executes commands, and uploads command output through a GIF url to a Microsoft Groups web hook.  On the other hand, as we know, phishing attacks function very well in infecting equipment, Rauch arrived up with a novel phishing attack in Microsoft Teams to help in this, which we describe in the future portion.

GIFShell functions by tricking a consumer into loading a malware executable named the “stager” on their system that will repeatedly scan the Microsoft Groups logs located at $*.log.

Microsoft Teams log folder
Microsoft Groups log folder
Resource: BleepingComputer

All acquired messages are saved to these logs and are readable by all Windows user groups, meaning any malware on the unit can entry them.

When the stager is in spot, a danger actor would develop their personal Microsoft Groups tenant and speak to other Microsoft Groups end users exterior of their group. Attackers can simply reach this as Microsoft will allow exterior communication by default in Microsoft Groups.

To initiate the assault, the threat actor can use Rauch’s GIFShell Python script to ship a message to a Microsoft Groups person that consists of a specially crafted GIF. This genuine GIF graphic has been modified to include commands to execute on a target’s machine.

When the goal receives the information, the information and the GIF will be stored in Microsoft Team’s logs, which the malicious stager displays.

When the stager detects a concept with a GIF, it will extract the foundation64 encoded commands and execute them on the system. The GIFShell PoC will then get the output of the executed command and change it to foundation64 text.

This foundation64 textual content is made use of as the filename for a remote GIF embedded in a Microsoft Teams Study Card that the stager submits to the attacker’s general public Microsoft Teams webhook.

As Microsoft Teams renders flash playing cards for the person, Microsoft’s servers will link back again to the attacker’s server URL to retrieve the GIF, which is named using the foundation64 encoded output of the executed command.

The GIFShell server functioning on the attacker’s server will acquire this ask for and quickly decode the filename allowing for the attackers to see the output of the command operate on the victim’s unit, as shown down below.


For case in point, a retrieved GIF file named ‘dGhlIHVzZXIgaXM6IA0KYm9iYnlyYXVjaDYyNzRcYm9iYnlyYXVJa0K.gif’ would decode to the output from the ‘whoami’ command executed on the infected product:

the person is: 

The danger actors can proceed applying the GIFShell server to send extra GIFs, with even further embedded instructions to execute, and keep on to get the output when Microsoft attempts to retrieve the GIFs.

As these requests are produced by the Microsoft web page,, utilized for common Microsoft Teams conversation, the targeted traffic will be observed as reputable and not detected by security software.

This makes it possible for the GIFShell assault to covertly exfiltrate knowledge by mixing the output of their instructions with respectable Microsoft Teams community interaction.

Even even worse, as Microsoft Groups runs as a history course of action, it does not even need to have to be opened by the user to obtain the attacker’s commands to execute.

The Microsoft Teams logs folder have also been located accessed by other courses, together with small business checking program, these kinds of as Veriato, and likely malware.

Microsoft acknowledged the study but stated it would not be fixed as no security boundaries have been bypassed.

“For this circumstance, 72412, although this is terrific analysis and the engineering crew will endeavor to improve these parts more than time, these all are post exploitation and depend on a focus on currently currently being compromised,” Microsoft advised Rauch in an e mail shared with BleepingComputer.

“No protection boundary seems to be bypassed.  The merchandise crew will critique the situation for likely long run layout modifications, but this would not be tracked by the safety crew.”

Abusing Microsoft teams for phishing attacks

As we formerly said, the GIFShell assault requires the set up of an executable that executes instructions obtained within the GIFs.

To aid in this, Rauch found out Microsoft Groups flaws that authorized him to send out malicious documents to Groups customers but spoof them to search as harmless pictures in phishing assaults.

“This exploration demonstrates how it is possible to send remarkably convincing phishing attachments to victims by means of Microsoft Groups, without any way for a person to pre-screen regardless of whether the connected attachment is destructive or not,” describes Rauch in his writeup on the phishing system.

As we earlier said in our dialogue about GIFShell, Microsoft Groups permits Microsoft Groups buyers to information end users in other Tenants by default. 

Even so, to reduce attackers from making use of Microsoft Teams in malware phishing assaults, Microsoft does not let exterior consumers to ship attachments to members of one more tenant.

Although participating in with attachments in Microsoft Groups, Rauch learned that when someone sends a file to an additional person in the exact same tenant, Microsoft generates a Sharepoint hyperlink that is embedded in a JSON Publish ask for to the Teams endpoint.

This JSON information, though, can then be modified to include any download link an attacker wants, even exterior inbound links. Even even worse, when the JSON is sent to a person via Teams’ discussion endpoint, it can also be utilised to send attachments as an exterior user, bypassing Microsoft Teams’ safety constraints.

For case in point, the JSON below has been modified to exhibit a file name of Xmas_Get together_Picture.jpeg but really provides a remote Christmas_Party_Picture.jpeg………….exe executable.

Microsoft Teams JSON to spoof an attachment
Microsoft Teams JSON to spoof an attachment
Source: Bobby Rauch

When the attachment is rendered in Teams, it is shown as Xmas_Party_Photograph.jpeg, and when highlighting it, it will proceed to demonstrate that name, as demonstrated down below.

Spoofing a JPEG file
Spoofing a JPEG file
Resource: Bobby Rauch

Having said that, when the person clicks on the connection, the attachment will down load the executable from the attacker’s server.

In addition to making use of this Microsoft Teams spoofing phishing assault to mail malicious data files to exterior customers, attackers can also modify the JSON to use Home windows URIs, such as ms-excel:, to instantly start an software to retrieve a doc.

Rauch says this would let attackers to trick people into connecting to a distant community share, allowing risk actors steal NTLM hashes, or local attackers complete an NTLM relay assault to elevate privileges.

“These allowed, probably unsafe URI strategies, mixed with the lack of permissions enforcement and attachment spoofing vulnerabilities, can allow for a A single Simply click RCE by using NTLM relay in Microsoft Groups,” Rauch explains in his report on the spoofing attack.

Microsoft not quickly fixing bugs

Rauch explained to BleepingComputer that he disclosed the flaws to Microsoft in Could and June of 2022, and irrespective of Microsoft expressing they were valid issues, they decided not to resolve them instantly.

When BleepingComputer contacted Microsoft about why the bugs were not mounted, we were being not shocked by their response about the GIFShell attack method, as it requires the product to by now be compromised with malware.

“This form of phishing is crucial to be conscious of and as constantly, we advise that consumers apply great computing patterns online, which includes exercising caution when clicking on hyperlinks to web internet pages, opening mysterious documents, or accepting file transfers.

We have assessed the tactics reported by this researcher and have determined that the two mentioned do not meet up with the bar for an urgent stability take care of. We’re regularly looking at new approaches to greater resist phishing to enable make sure consumer safety and may consider action in a future release to aid mitigate this system.” – a Microsoft spokesperson. 

However, we were being stunned that Microsoft did not take into consideration the capacity of external attackers to bypass protection controls and deliver attachments to a different tenant as not anything that should be promptly mounted.

Additionally, not immediately fixing the means to modify JSON attachment cards so that Microsoft Groups recipients could be tricked to obtain data files from remote URLs was also shocking.

Nonetheless, Microsoft has remaining the doorway open up to resolving these problems, telling BleepingComputer that they may possibly be serviced in long term versions.

“Some lower severity vulnerabilities that do not pose an fast hazard to shoppers are not prioritized for an speedy stability update, but will be considered for the following edition or launch of Home windows,” described Microsoft in a assertion to BleepingComputer.