Malicious GIFs left Microsoft Teams open to hackers

Microsoft has already fixed the vulnerability. We'll keep on our toes when viewing GIFs, just to be safe.


Not all GIFs are created equally — something Microsoft has learned the hard way, as of late. The company found and addressed a vulnerability that allowed users to send malicious GIF images to users, according to SecurityWeek. The vulnerability was first researched by security software company, CyberArk.

Microsoft confirmed in a statement that the issue has been resolved and that no instances of its use have actually been spotted in the wild. Based on the research that uncovered the vulnerability, this is no surprise: the hack is pretty touchy and would need many stars to align in order to work.

The more surprising part of the vulnerability is that the viewer doesn’t actually need to download anything for it to open up their system to attack. Just viewing the GIF in a Teams chat could have opened up an entire organization to hijacking. Luckily the hacker would need to line up quite a few other variables for the attack to actually work.

Lots of prerequisites — It’s a little disconcerting that Microsoft’s supposedly airtight chat system could leave you open to hacking with just a few clicks. But the good news is it was never really that easy for an attacker to access your system.

The GIF is only the beginning. CyberArk.

First the attacker would need to be invited to your company’s Teams subdomain. CyberArk posits this could take the form of a scam job interview or the like, but it’s a pretty big if — if the attacker isn’t invited to the Teams subdomain, they can’t send the specialized GIF, and the attack is off.

Even once the attacker has obtained access there’s still plenty more that could go wrong. The hacker would need to locate a hackable subdomain in order to carry out the attack. In its testing, CyberArk only found two such subdomains open to attack. The firm says there could be hundreds more out there, but that’s just a theory.

Microsoft is on it — Microsoft has confirmed that the two hijackable subdomains located by CyberArk have now been secured. CyberArk told SecurityWeek that it believes the attack could still work if an attacker were able to locate another subdomain suitable for the hack.

Microsoft is no stranger to hacks, and at this point the company is great at responding to them before they even become an issue. The company’s Coordinated Vulnerability Disclosure, which allows Microsoft to work with researchers on privately testing corrective measures, is particularly helpful in this effort.

There’s a pretty slim chance you’ll ever encounter this GIF hack, given how many variables must fall into just the right place for it to work. Your best option is to be wary of inviting anyone outside of your trusted co-workers to your Teams subdomain, just in case.