GIFs in Microsoft Teams not just annoying, actively dangerous

Almost every workplace chat has that one person who considers themselves a bit of a GIF lord. If you're lucky, your workplace may actually have one. Someone who nails the perfect response GIF every time, brightening your day and the days of all others in the channel. More likely you have someone who replies to everything with weird unpleasant GIFs and considers it their life's crusade to police the pronunciation of the format.

Well, regardless of legendary status, it's time to cast a wary glare over those GIF-happy coworkers. Bleeping Computer tells of an exploit in Microsoft Teams that uses GIFs to potentially install malicious files, perform commands, and even extract data via these fun moving images. Yeah, that random and completely out of place reaction GIF Blimothy posted last week doesn't seem so innocuous now, does it?

Thankfully there are a few steps to the process. First of all, the intended target needs to install a stager to execute the commands given via these naughty GIFs. Given phishing attacks are still successful in this, the year of our GIF lord 2022, it's not that unlikely. Especially considering these likely come from a trusted in-work source, it's likely an innocent and easy mistake to make.

From here that stager will run continuous scans on the Microsoft Teams log files, looking for any evil GIFs. These GIFs will have been given a reverse shell by the attackers. This will contain base64-encoded commands, stored in Teams GIFs, that then perform malicious actions on the target machine. You can find out more about how these GIFShell attacks work via the Medium page of the discoverer, Bobby Rauch.

Once the GIF is received, it's stored in the chat log, which is then scanned by the stager. On seeing the crafted GIF, the stager will extract that base64 code, execute it, and extract the text. This text will point back to a remote GIF which is embedded in Teams Survey cards. Due to how these work, Teams will then connect back to the attacker to retrieve the GIF, allowing the attackers to decode the file and gain access to further attacks.
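For defenders, the same property can be hunted for: a GIF reference in a log whose name decodes from base64 to readable text. The sketch below is an added example, not code from the article or from Bobby Rauch's research; the log line format, the URLs, and the idea that the encoded text shows up as the GIF's file name are assumptions made for illustration.

```python
import base64
import binascii
import re

# Constructed sample lines; the real Teams log format is not shown in the article.
SAMPLE_LOG = """\
2022-09-10T10:01:02 info image https://media.example.invalid/reactions/thumbs-up.gif
2022-09-10T10:01:09 info image https://cdn.example.invalid/Y29uc3RydWN0ZWQgc2FtcGxl.gif
2022-09-10T10:02:30 info image https://media.example.invalid/s/happybirthdaytoyoufriend.gif
"""

# A GIF file name made only of base64 characters (standard or URL-safe), 16+ long.
GIF_NAME = re.compile(r"([A-Za-z0-9+_=-]{16,})\.gif\b", re.IGNORECASE)


def decode_printable(token, min_ratio=0.9):
    """Return the decoded text if token is base64 for mostly printable ASCII, else None."""
    token = token.replace("-", "+").replace("_", "/")  # accept URL-safe alphabet
    token += "=" * (-len(token) % 4)                   # restore stripped padding
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw:
        return None
    printable = sum(32 <= b < 127 for b in raw)
    if printable / len(raw) < min_ratio:
        return None  # ordinary long names decode to binary noise, not text
    return raw.decode("ascii", "replace")


def find_suspicious_gifs(log_text):
    """Return (line number, token, decoded text) for each GIF name that decodes to text."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for match in GIF_NAME.finditer(line):
            text = decode_printable(match.group(1))
            if text is not None:
                hits.append((lineno, match.group(1), text))
    return hits


if __name__ == "__main__":
    for lineno, token, text in find_suspicious_gifs(SAMPLE_LOG):
        print(f"line {lineno}: {token} decodes to {text!r}")
```

The printable-ratio check is what keeps long but ordinary file names (the third sample line) from being flagged; the threshold is a tunable assumption.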

Essentially this takes a bunch of different available exploits in Teams to work, so hopefully a fix should be coming from Microsoft soon. A change to where Teams logs are stored or how the program retrieves GIFs would likely be enough to throw a spanner in the works of any evildoers. For now, at least you have an actual reason to tell someone off for using weird GIFs.

Hope Corrigan
Hardware Writer
