
File Spoofing functionality #31

Open
brandonceja wants to merge 2 commits into Octoberfest7:main from brandonceja:main

@brandonceja
In Mr. D0x's article, I learned that it's feasible to spoof both the icon and filename within the Teams client by altering the attributes in the request that transmits file contents. So I added some lines to add this feature to TeamsPhisher by introducing the --spoofile flag. I think this capability holds significant potential for deceiving unsuspecting individuals into clicking malicious files.

[Link to the article: https://mrd0x.com/microsoft-teams-abuse/]

BTW taking advantage of the communication, I would like to congratulate you for the creation of this awesome tool ;)

Added a functionality to spoof the file type and extension that is shown in the Teams Client.
@Octoberfest7
Owner

Nice work. I have a lot on my plate currently so it may be a couple weeks until I get around to this.

@er4z0r
er4z0r commented Aug 15, 2024

@brandonceja is this still working?

@er4z0r
er4z0r commented Aug 15, 2024

So to answer my own question: Yes. Spoofing the extension still works, BUT there seem to be some caveats:

  • if you use this for something like mydocument.pdf.exe, Teams will show it as mydocument.pdf.pdf so your success depends on the user not getting suspicious. (This is something that can be changed by using find instead of rfind in Brandon's code.)
  • only the Windows client seems to be susceptible to the spoof. The latest version for Android shows the full filename (i.e., mydocument.pdf.exe)
