GIFs in Microsoft Teams not just annoying, actively dangerous

hacker with mask typing
(Image credit: Twitter)

Almost every workplace chat has that one person who considers themselves a bit of a GIF lord. If you're lucky, your workplace may actually have one. Someone who nails the perfect response GIF every time, brightening your day and the days of all others in the channel. More likely you have someone who replies to everything with weird unpleasant GIFs and considers it their life's crusade to police the pronunciation of the format.

Well regardless of legendary status, it's time to cast a wary glare over those GIF happy coworkers. Bleeping Computer tells of an exploit in Microsoft Teams that uses GIFs to potentially install malicious files, perform commands, and even extract data via these fun moving images. Yeah that random and completely out of place reaction GIF Blimothy posted last week doesn't seem so innocuous now, does it.

Thankfully there are a few steps to the process. First of all the intended target needs to install a stager to execute the commands given via these naughty GIFs. Given phishing attacks are still successful in this, the year of our GIF lord 2022, it's not that unlikely. Especially considering these likely come from a trusted in work source, it's likely an innocent and easy mistake to make. 

From here that stager will run continuous scans on the Microsoft Team logs file, looking for any evil GIFs. These GIFs will have been given a reverse shell by the attackers. This will contain base64 encoded commands which are stored in Team's GIFs, that then perform malicious actions on the target machine. You can find out more about how these GIFShell attacks work via the discover, Bobby Rauch's, Medium page. 

Perfect peripherals

(Image credit: Colorwave)

Best gaming mouse: the top rodents for gaming
Best gaming keyboard: your PC's best friend...
Best gaming headset: don't ignore in-game audio

Once the GIF is received, it's stored in the chat log which is then scanned by the stager. Seeing the crafted GIF it will then extract that base64 code and execute and extract the text. This text will point back to a remote GIF which is embedded in Teams Survey cards. Due to how these works, it then will connect back to the attacker to retrieve the GIF, allowing the attackers to decode the file and gain access to further attacks.

Essentially this takes a bunch of different available exploits in Teams to work, so hopefully a fix should be coming from Microsoft soon. A change to where Teamlogs are stored or how the program retrieves GIFs would likely be enough to throw a spanner in the works of any evildoers. For now, at least you have an actual reason to tell someone off for using weird GIFs.

Hope Corrigan
Hardware Writer

Hope’s been writing about games for about a decade, starting out way back when on the Australian Nintendo fan site Since then, she’s talked far too much about games and tech for publications such as Techlife, Byteside, IGN, and GameSpot. Of course there’s also here at PC Gamer, where she gets to indulge her inner hardware nerd with news and reviews. You can usually find Hope fawning over some art, tech, or likely a wonderful combination of them both and where relevant she’ll share them with you here. When she’s not writing about the amazing creations of others, she’s working on what she hopes will one day be her own. You can find her fictional chill out ambient far future sci-fi radio show/album/listening experience podcast right here. No, she’s not kidding.