Vulnerability makes Microsoft Teams vulnerable to fraud

A recently discovered vulnerability in Microsoft Teams allows attackers, among other things, to cheat companies out of telephony charges. Administrators can – and should – take targeted protective measures.


With the appropriate license and a certified Enterprise Session Border Controller, i.e. a security and control component for VoIP networks, Microsoft Teams includes integration into the public telephone network. The Mediant product range from the manufacturer AudioCodes is often used as an Enterprise Session Border Controller (E-SBC). With it, IT security consultant Moritz Abrell from SySS was recently able to discover a vulnerability in Microsoft Teams’ direct routing telephony integration, which can be traced back to insufficient authentication methods.

If attackers exploit this vulnerability, they can incur high charges on behalf of the affected company by dialing value-added numbers or international calls. However, by simulating other source phone numbers, the vulnerability could also facilitate phishing attacks.


Technical background

If a call is to be made with an external number, the software sends the call to the E-SBC via a previously configured SIP trunk. This checks the incoming call using a so-called classification and forwards it according to the configured call routing rules. It should actually be ensured that only calls from trustworthy sources are accepted and forwarded. According to Abrell, the manufacturer initially only recommended that the target FQDN in the SIP request match that of the SBC and that the SIP contact header should contain “”. However, by checking the common name or subject alternative name attribute of the SBC’s certificate via tools such as OpenSSL, attackers can easily obtain this information. With a self-signed certificate and the correct setting of header data, Moritz Abrell managed to present himself as a valid SIP request from MS Teams. The IT security consultant was then able to make external telephone calls.

In the Responsible Disclosure procedure, the manufacturer has added an IP filter for the source IP addresses of MS Teams to its security recommendations to classify calls before they are forwarded to the respective telephony provider. However, the recommendation contained the large IPv4 address block from AWS, which also contains many other software in addition to teams.

There was also a recommendation for bidirectional TLS authentication of the SIP messages. However, the SBC must trust two root CAs: DigiCert Global Root G2 and Baltimore CyberTrust Root. Showing a certificate for any FQDN from these certification authorities is already sufficient. The vulnerability could still be exploited if the attackers can show a certificate for domains under their own control from one of the root CAs mentioned. A filter for certificates with FQDNs from MS teams in the CN or SAN attribute would be better here – but that would not be possible with all products. Another possibility would be a dedicated CA.

According to the manufacturer’s recommendation, further security should bring filters to certain source numbers. However, source numbers can often be read from websites or public telephone directories. Following the Responsible Disclosure, AudioCodes added a tightened incoming firewall rule for the E-SBC for SIP and the IPv4 address blocks and to its security recommendations.


Recommendations for teams admins

You can use the following countermeasures to protect your own infrastructure from the vulnerability:

  • Incoming restrictive IP filters on IP address blocks & for SIP communication with Teams Direct Routing
  • Use of mutual TLS authentication
  • Filter on the Subject Alternative Name in the certificate
  • Restrictive assignment of rights for calls to premium rate and international numbers
  • Limit maximum call duration
  • Perform source phone number validation
  • Evaluate logs regularly for anomalies – Vulnerability makes Microsoft Teams vulnerable to fraud

Sources: Moritz Abrell & SysS Tech Blog