Octoberfest7 / TeamsPhisher

Send phishing messages and attachments to Microsoft Teams users

[-] Error sending message + attachment to user: 500 #3

Closed LaRancion closed 1 year ago

LaRancion commented 1 year ago

Hi, I just fixed this (error [-] Error sending message + attachment to user: 500) by rewriting the message in the message.txt file that I originally created. Could it be that the error was about wrong formatting of the message on my side, or is it something more random and not user related?

Just to know, because as I said it seems fixed as of now.

PS: I tried using something that JSON can't format like " or \ and the error given back was 400 => the right one btw :)

Octoberfest7 commented 1 year ago

Hi, thanks for the report.

Without more info/seeing the actual content of the response from the server it is hard to say what exactly it didn't like. I certainly don't know a ton about web API related things and I totally believe that there are some limitations with the tool currently regarding special characters in the message; it's just something that didn't come up during my testing.

LaRancion commented 1 year ago

yea same conclusion, anyway rewriting the message seems to have fixed it, just in case anyone comes up with the same error

jsarkisian commented 1 year ago

Having what I think is a similar issue...

When I use the following command to run in preview mode:

    python3 teamsphisher.py -u helpdesk@redacted.com -p 'REDACTED' -m "Hello! It's Test time" --preview --personalize -a test.txt -e jim@redacted.com

I get the following error after the sender authenticates:

[screenshot]

Any idea what could be going on here? The sender's display name is "Help Desk" and is definitely configured via Azure portal.

Octoberfest7 commented 1 year ago

> Having what I think is a similar issue...
>
> When I use the following command to run in preview mode:
>
>     python3 teamsphisher.py -u helpdesk@redacted.com -p 'REDACTED' -m "Hello! It's Test time" --preview --personalize -a test.txt -e jim@redacted.com
>
> I get the following error after the sender authenticates:
>
> [screenshot]
>
> Any idea what could be going on here? The sender's display name is "Help Desk" and is definitely configured via Azure portal.

Did you have the latest commit when you ran into this issue? I approved a pull request ~3 hours ago that addressed what I think might have been your issue: if there are lots of users in your sender's tenant, the original code didn't handle having to follow redirects in order to see the next "page" of users, so it would error out and not be able to find the sender's info if the sending user wasn't on the first page of results.

jsarkisian commented 1 year ago

Yes I just did a git pull and reran, same issue

Octoberfest7 commented 1 year ago

At line 196 edit the code like this:

From:

    if response.status_code != 200:
        p_err("Could not retrieve senders userID!", True)

To:

    if response.status_code != 200:
        print("Response code: " + str(response.status_code))
        print("Headers: " + str(response.headers))
        print("Body: " + response.body)
        p_err("Could not retrieve senders userID!", True)

And see what that says

jsarkisian commented 1 year ago

Tried that, same issue unfortunately with same error.

Octoberfest7 commented 1 year ago

You added the print lines? What was the output/response to the request?

jsarkisian commented 1 year ago

Yes print lines are there. That was the only output. Essentially the same output as the screenshot I shared above when I opened the issue.

Octoberfest7 commented 1 year ago

I'm sorry, I had you add the print lines to the wrong request. You need to edit the following at line 212 in the latest commit.

From:

        if response.status_code != 200:
            p_err("Could not retrieve senders display name!", True)

To:

        if response.status_code != 200:
            print("Response code: " + str(response.status_code))
            print("Headers: " + str(response.headers))
            print("Body: " + response.body)
            p_err("Could not retrieve senders display name!", True)

jsarkisian commented 1 year ago

Gotcha, response is:

Fetching Skype token.......................................................[+] SUCCESS!
Fetching sender info.......................................................Response code: 403
Headers: {'Cache-Control': 'no-cache, no-store', 'Transfer-Encoding': 'chunked', 'Content-Type': 'application/json; charset=utf-8', 'Content-Encoding': 'gzip', 'Vary': 'Accept-Encoding', 'Access-Control-Expose-Headers': 'X-ServerRequestId', 'X-ServerRequestId': 'AC55EE708204441F8099A072F580AF55', 'X-MachineName': 'mtsvc000009', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'X-Cache': 'CONFIG_NOCACHE', 'X-MSEdge-Ref': 'Ref A: AC55EE708204441F8099A072F580AF55 Ref B: BOS321000101049 Ref C: 2023-07-05T23:19:55Z', 'Date': 'Wed, 05 Jul 2023 23:19:56 GMT'}
Traceback (most recent call last):
  File "/root/tools/TeamsPhisher/teamsphisher.py", line 665, in <module>
    bToken, skypeToken, sharepointToken, senderInfo = authenticate(args)
                                                      ^^^^^^^^^^^^^^^^^^
  File "/root/tools/TeamsPhisher/teamsphisher.py", line 245, in authenticate
    senderInfo = getSenderInfo(bToken)
                 ^^^^^^^^^^^^^^^^^^^^^
  File "/root/tools/TeamsPhisher/teamsphisher.py", line 215, in getSenderInfo
    print("Body: " + response.body)
                     ^^^^^^^^^^^^^
AttributeError: 'Response' object has no attribute 'body'

Octoberfest7 commented 1 year ago

Hey drop me a DM on discord at octoberfest (Octoberfest#0860) or on Twitter @Octoberfest73

ydy4 commented 1 year ago

Hey, so I'm having the same issue, if you were able to solve it please let me know

maxferrario-msf commented 1 year ago

Hi, I have the same issue. I added line 433 from

    if content.status_code != 201:
        p_warn("Error sending message + attachment to user: %d" % (content.status_code))
        return False

to

    if content.status_code != 201:
        p_warn("Error sending message + attachment to user: %d" % (content.status_code))
        print("Response code: " + str(content.status_code))
        print("Headers: " + str(content.headers))
        print("Response text: " + str(content.text))
        return False

and the output is this:

    Response code: 500
    Headers: {'Content-Length': '106', 'Content-Type': 'application/json; charset=utf-8', 'Date': 'Thu, 06 Jul 2023 13:24:25 GMT', 'Server': 'Kestrel', 'Access-Control-Allow-Credentials': 'true', 'Access-Control-Allow-Origin': 'https://teams.microsoft.com', 'Access-Control-Expose-Headers': 'ContextId,ContextId', 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'MS-CV': 'gnpRoSl8tESAi7fM12nzLw.0', 'ContextId': 'tcid=0,server=msgapi-production-eus-azsc5-2-127,cv=gnpRoSl8tESAi7fM12nzLw.0', 'x-ms-latency': '16.1973'}
    Response text: {"errorCode":500,"standardizedError":{"errorCode":500,"errorSubCode":1,"errorDescription":"Server Error"}}

LaRancion commented 1 year ago

@maxferrario-msf server-side errors are a headache. Have you tried changing the message, or restarting the PC/VM to clear the memory? I think retrying is the only way to solve this.

maxferrario-msf commented 1 year ago

Hi @LaRancion, you were right: the error disappeared when I changed the message file.

LaRancion commented 1 year ago

weird af, do you remember the message that you used? did it have any particular typo that might have caused the error?

Octoberfest7 commented 1 year ago

I have talked to someone who had issues using alternate character sets. They had a message containing "the German character ö" and once they removed that it worked fine.

maxferrario-msf commented 1 year ago

Accented characters are causing the issue: I've only attached TXT files (I'm just testing the tool) and an attachment with è / ò characters triggers the error.

Octoberfest7 commented 1 year ago

You have referenced both message file and attachment, which specifically?

Is it the file you use with -a or -m?

maxferrario-msf commented 1 year ago

Only -m, I can attach (-a) a file with those characters without triggering the error.

Octoberfest7 commented 1 year ago

Ok I'm looking into this issue now that I can replicate it

Octoberfest7 commented 1 year ago

I believe this is an encoding issue; I am able to send the 'ö' character via the Teams gui or by editing a request in Burp without issue, but trying to do it via Python is resulting in the 500 response.
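An added illustration of the kind of encoding mismatch suspected above; it is not code from TeamsPhisher or from this thread. It assumes the JSON body reached the HTTP layer as a Python `str`, which `http.client` encodes as ISO-8859-1, and it uses a constructed message and a hypothetical `content` field with a stand-in strict UTF-8 parser in place of the real server.

```python
import json

# Constructed sample message; "ö" is the character reported in the thread.
MESSAGE = "Schönen Tag"

def body_as_http_client_sends_str(payload: dict) -> bytes:
    """A str body handed to http.client is encoded as ISO-8859-1 (documented
    stdlib behaviour). Assumption: the body reached the HTTP layer as a str."""
    text = json.dumps(payload, ensure_ascii=False)  # keeps a literal "ö"
    return text.encode("iso-8859-1")

def body_utf8(payload: dict) -> bytes:
    """Encode explicitly as UTF-8, the encoding RFC 8259 requires for JSON."""
    return json.dumps(payload, ensure_ascii=False).encode("utf-8")

def body_ascii_escaped(payload: dict) -> bytes:
    """json.dumps default (ensure_ascii=True) emits \\u00f6: pure ASCII,
    so it survives any ASCII-compatible encoding step."""
    return json.dumps(payload).encode("ascii")

def server_side_parse(raw: bytes):
    """Stand-in for a strict server: decode as UTF-8, then parse JSON.
    Returns the parsed object, or None if the bytes are not valid UTF-8."""
    try:
        return json.loads(raw.decode("utf-8"))
    except UnicodeDecodeError:
        return None

def compare(message: str) -> dict:
    """Run the same message through all three encodings and parse each."""
    payload = {"content": message}  # hypothetical field name
    return {
        "latin1": server_side_parse(body_as_http_client_sends_str(payload)),
        "utf8": server_side_parse(body_utf8(payload)),
        "escaped": server_side_parse(body_ascii_escaped(payload)),
    }

if __name__ == "__main__":
    for name, parsed in compare(MESSAGE).items():
        print(f"{name:8} -> {'rejected' if parsed is None else parsed}")
```

The Latin-1 body carries "ö" as the single byte 0xF6, which is not valid UTF-8, while the other two bodies decode to the same message.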

Octoberfest7 commented 1 year ago

The issues concerning special characters should be resolved as of 22b521a. Pull and give it a shot

maxferrario-msf commented 1 year ago

Hi @Octoberfest7, I've pulled the latest version (1.1) and now I always get an "[-] Error uploading file: 404", whatever the file I use as attachment.

Octoberfest7 commented 1 year ago

Look at and try using the -s switch to specify your SharePoint site name manually

maxferrario-msf commented 1 year ago

Nope, same result.

Fetching Bearer token for Teams............................................[+] SUCCESS!
Fetching Skype token.......................................................[+] SUCCESS!
Fetching sender info.......................................................[+] SUCCESS!
Fetching Bearer token for SharePoint.......................................[+] SUCCESS!
Uploading file: empty.txt..................................................
Request Headers: {'Authorization': 'Bearer '[REDACTED]', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)', 'Content-Type': 'application/octet-stream', 'Origin': 'https://teams.microsoft.com', 'Referer': 'https://teams.microsoft.com/'}
Response Code: 404
Response Headers: {'Cache-Control': 'private', 'Content-Type': 'text/plain; charset=utf-8', 'Server': 'Microsoft-IIS/10.0', 'X-NetworkStatistics': '0,64256,0,0,222,0,22888', 'Access-Control-Allow-Origin': '*', 'Access-Control-Max-Age': '2592000', 'Access-Control-Expose-Headers': 'Accept-Ranges, Content-Encoding, Content-Length, Content-Type, Content-Version, CTag, ETag, Location, spclientservicerequestduration, SPRequestDuration, SPRequestGuid, Timing-Allow-Origin, Transfer-Encoding, WWW-Authenticate, X-Fluid-Epoch, X-Fluid-Retries, X-Fluid-SLTelemetry, X-Fluid-Telemetry, X-MoveState, x-ms-diagnostics', 'X-DataBoundary': 'EU', 'X-1DSCollectorUrl': 'https://eu-mobile.events.data.microsoft.com/OneCollector/1.0/', 'X-AriaCollectorURL': 'https://eu-mobile.events.data.microsoft.com/Collector/3.0', 'SPRequestGuid': '201cc4a0-1055-6000-c770-14b36add9736', 'request-id': '201cc4a0-1055-6000-c770-14b36add9736', 'MS-CV': 'oMQcIFUQAGDHcBSzat2XNg.0', 'Report-To': '{"group":"network-errors","max_age":7200,"endpoints":[{"url":"https://spo.nel.measure.office.net/api/report?tenantId=00000000-0000-0000-0000-000000000000&destinationEndpoint=188857&frontEnd=FarmDirect"}]}', 'NEL': '{"report_to":"network-errors","max_age":7200,"success_fraction":0.001,"failure_fraction":1.0}', 'Strict-Transport-Security': 'max-age=31536000', 'X-FRAME-OPTIONS': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com;", 'SPRequestDuration': '41', 'SPIisLatency': '2', 'X-Powered-By': 'ASP.NET', 'MicrosoftSharePointTeamServices': '16.0.0.23821', 'X-Content-Type-Options': 'nosniff', 'X-MS-InvokeApp': '1; RequireReadOnly', 'P3P': 'CP="ALL IND DSP COR ADM CONo CUR CUSo 
IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"', 'Date': 'Fri, 07 Jul 2023 09:00:52 GMT', 'Content-Length': '18'}
Response Text: 404 FILE NOT FOUND

LaRancion commented 1 year ago

Just tried v1.1 and everything works for me, I just changed the paths of the files as I had a different directory.

maxferrario-msf commented 1 year ago

In my case this is due to the fact that the user name contains a dot, and the URL on line 335 is not right: the dot should be replaced by an underscore, as far as I can tell from the OneDrive URL of that user.

Octoberfest7 commented 1 year ago

> In my case this is due to the fact that the user name contains a dot, and the URL on line 335 is not right: the dot should be replaced by an underscore, as far as I can tell from the OneDrive URL of that user.

Interesting... v1.1 included a change specifically to leave usernames with a '.', as from working with another user I thought that needed to be the case. I'll check it out here today.

maxferrario-msf commented 1 year ago

Not sure this is a "rule", but in my case the OneDrive URL of the user firstname.lastname@domain.onmicrosoft.com is https://domain-my.sharepoint.com/personal/firstname_lastname_domain_onmicrosoft_com/

Octoberfest7 commented 1 year ago

I just pushed v1.1.1 as c5fb827 that reverted this change and should assemble that uri correctly. I created a test.user account and validated that it worked on my end. Let me know

maxferrario-msf commented 1 year ago

Yep, it's working for me too. Thanks for the hard work, @Octoberfest7