Your Whole Company’s Microsoft Teams Data Could’ve Been Stolen With An ‘Evil GIF’

Amidst the coronavirus pandemic, tech companies have been in a constant fight to become the most used video conferencing tool. 

Zoom, which upped its user count rapidly in the beginning, crashed after privacy issues were detected. Microsoft on Monday revealed that security issues were also detected by its collaboration and videoconferencing tool Teams.

Cybersecurity experts warned that an evil GIF was capable and could have stolen data from Microsoft Teams accounts from February end till mid-March. They added that the GIF could have gained access to take control of “an organization’s entire roster of Teams accounts.”

However, Microsoft further emphasized that the loophole was mended on 20 April. The company assured that users were safe from any security threat.

What is Microsoft’s “Evil GIF”?

All the Microsoft Team’s desktop and web browser versions were infected by the virus. The problem was within Miscorosoft’s authentication of tokens that allow users to view images in Teams. The tokens are like files which are evidence that a verified user is accessing the account on Teams. The tokens are maintained by Microsoft’s server located at It can also be handled by any subdomain under the address.  

According to CyberArk findings, two sub-domains, and, could have been hijacked in the attack.

They further found that if the attackers could make a target visit the infected sub-domains, the tokens of authentication could be moved to the hacker’s server. Following this, the hackers could create the “skype” token. This token allows the attacker to steal the account data of the victim.

The easiest way to redirect a victim towards an infected subdomain is by a phishing attack. This can be done by sending an interesting that the victim would want to open.

The CuberArk experts considered this trick obvious and concluded that the hackers created a Donald Duck GIF. On viewing the GIF, the victim’s Team account would be forced to surrender their token of authentication and eventually their data.