Hacker could "ultimately take over an organization's entire roster of Teams accounts"
Microsoft's collaboration platform Teams contained a vulnerability that allowed attackers to send a GIF that only had to be viewed in order for it to send a valuable access token back to a compromised server.
This could then be used to escalate an attack until a hacker was able to "take over an organisation's entire roster of Teams accounts."
The bug, disclosed to Microsoft on March 23, was discovered and reported by US-based identity security firm CyberArk, and quietly patched by Redmond a month later, on April 20, the security company said today.
It involved grabbing API authorisation tokens, then leveraging a subdomain takeover vulnerability in Microsoft Teams, in a somewhat intricate but highly effective attack for a committed adversary.
Microsoft Teams is a