Microsoft has quickly fixed a flaw in its Teams videoconferencing and collaboration program that could have allowed attackers to launch a wormlike attack on multiple accounts by sending one victim a malicious GIF image.

The flaw, discovered by Israeli security company CyberArk, is a combination of two issues.

The first concerns the way Teams manages authentication tokens.

Teams can generate many of these, depending on what it is accessing (SharePoint or Outlook, for example); each token grants the user the right to view content or resources from a Microsoft subdomain accessed during the session.

To simplify, the ability to view an image depends on two tokens, skypetoken_asm and authtoken, which also authorise many of the requests a user can make through the Teams and Skype APIs, such as sending and reading messages, creating groups, adding users and changing permissions.

Importantly, if an attacker could somehow get hold of a victim's authtoken, they could use it to generate their own skypetoken. That should be impossible, because such tokens are only sent to Microsoft subdomains… which is where the second weakness becomes important.
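The reason "only sent to Microsoft subdomains" matters is how browsers scope cookies: a cookie whose Domain attribute is a parent domain is attached to requests for every host under it, not just the one that set it. The following is an added illustration, not code from the original report or from CyberArk's write-up. It implements the domain-matching rule from RFC 6265 and runs it over a constructed cookie jar; the Domain values, the host names and the third, unrelated cookie are assumptions made for the example.

```javascript
// Added example for this article (not code from the original report or from
// CyberArk's write-up): RFC 6265 cookie domain matching, to show why a token
// cookie scoped to a parent domain is sent to every host under that domain.
// The Domain values below are assumptions for illustration; the article only
// says the tokens are sent to Microsoft subdomains.

// RFC 6265 section 5.1.3: a host "domain-matches" a cookie domain when the two
// are identical, or the host ends with "." + domain and is not an IP address.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ''); // a leading dot is ignored
  if (h === d) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) return false;     // IPv4 literals never suffix-match
  return h.endsWith('.' + d);
}

// Names of the cookies a user agent would attach to a request for `host`.
// Host-only cookies (no Domain attribute) go to the exact host only;
// domain cookies go to the domain and to every host under it.
function cookiesSentTo(host, jar) {
  return jar
    .filter(c => (c.hostOnly
      ? host.toLowerCase() === c.domain.toLowerCase()
      : domainMatches(host, c.domain)))
    .map(c => c.name);
}

// Constructed cookie jar. The first two names are the ones the article
// mentions; their Domain scoping and the third, unrelated cookie are made up.
const jar = [
  { name: 'authtoken',      domain: '.teams.microsoft.com', hostOnly: false },
  { name: 'skypetoken_asm', domain: '.teams.microsoft.com', hostOnly: false },
  { name: 'session',        domain: 'www.example.com',      hostOnly: true  },
];

// Hypothetical hosts. "takeover.teams.microsoft.com" stands in for any
// subdomain that is not under the owner's control; it is not a real host name.
const probes = [
  'teams.microsoft.com',
  'takeover.teams.microsoft.com',
  'notteams.microsoft.com',
  'teams.microsoft.com.attacker.example',
  'www.example.com',
  'api.example.com',
];

for (const host of probes) {
  console.log(host.padEnd(40), cookiesSentTo(host, jar).join(', ') || '(none)');
}
```

Run it with node and the two token cookies show up for teams.microsoft.com and for the made-up subdomain alike, while a look-alike host (notteams.microsoft.com) and a suffix trick (teams.microsoft.com.attacker.example) get nothing. The practical check this suggests: for any cookie that carries a bearer credential, confirm whether it is host-only or domain-scoped, and if it is domain-scoped, treat every DNS name under that domain as part of the credential's trust boundary.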