Hi, I just fixed this ( error [-] Error sending message + attachment to user: 500 ) by writing again the message on the message.txt file that I originally created.
Could it be that the error was about wrong formatting of the message on my side or its something more random and not user related?

just to know because as I said it seems fixed as of now

PS: i tried using something that JSON cant format like " or \ and the error given back was 400 => the right one btw :)

Hi, first thanks for this tool,

I have an issus for sending messages :

[-] Error fetching sharing link: 400
{"error":{"code":"-21, System.InvalidOperationException","message":{"lang":"fr-FR","value":"Operation is not valid due to the current state of the object."}}}

I guess it's because my system is in French but I don't know why, I have switch my office 365 in english. Do you know how can I resolve that ?

Thanks

Why does this line contain references to your sharepoint? This message is sent to victims and contains our sharepoint but also sends your sharepoint URL.

After preceding success, the file upload fails with 404.

First of all, thanks for the tool
I get this error when trying to send the message:
.[-] Error fetching sharing link: 500
{"error":{"code":"-1, System.Text.DecoderFallbackException","message":{"lang":"es-ES","value":"Unable to translate bytes [ED] at index 460 from specified code page to Unicode."}}}

Hello,

The bug of the upload was supposed to be fixed but i have still the 401 error and i don't understand why.

Hello,

nice work. But I think you need a different url for a non-english tenant.

In a german tenant, for example "Microsoft Teams Chatfiles" does not exist, but "Microsoft Teams Chatdateien" exists.

Maybe you can add an option to specify this, if you find some time.

Also the user domain part from a specified sharepoint server can be different too :

senderDrive = "%s_%s_onmicrosoft_com"

Best regards
mbst83r

add &top=999 parameter to increase the page size for user list retrieval

url += f"?skipToken={skipToken}"

to

url += f"?skipToken={skipToken}&top=999"

I got this error below:
Reading target email list..................................................[+] SUCCESS!
Fetching Bearer token for Teams............................................[-] AADSTS50034: The user account {EmailHidden} does not exist in the 667d9ece-a83f-49d2-9b96-722ed643c25f directory. To sign into this application, the account must be added to the directory.
Trace ID: 05cb4c6d-1567-46da-b272-a069972a4c00
Correlation ID: f0566341-6b34-46d9-a8da-7f83e7817bac
Timestamp: 2023-07-07 02:51:50Z
How can I be successful on authenticating my login account?

Hi,

tried it today and got Errors:
error.txt

am I doing anything wrong?

I have reported to Microsoft a vulnerability to bypass restrictions on "Anyone with the link". They see it as a feature, not a bug. It would be nice to integrate this "feature" into this project.

First of all thank you for the tool!

I am testing your tool however it fails to upload file on SharePoint! I made sure my user has the full control rights to upload file on SharePoint however keeps failing! Any insight of how can I fix it?

`Operational mode: Sending phishing messages to targets!

Time left to abort: 00

Authenticating, verifying files, and uploading attachment

Reading target email list..................................................[+] SUCCESS!
Fetching Bearer token for Teams............................................[+] SUCCESS!
Fetching Skype token.......................................................[+] SUCCESS!
Fetching sender info.......................................................[+] SUCCESS!
Fetching Bearer token for SharePoint.......................................[+] SUCCESS!
Uploading file: .\README.MD................................................[-] Error uploading file: 401`

Fetching Bearer token for Teams............................................[-] AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

Is there anything that I can do/check on this or is it secured?

Looks like the splash screen bypass has once again been patched by Microsoft reducing the effectiveness of TeamsPhisher.

Now when you remove the victim from the group they are only able to preview the message and the button for clicking through the splash screen is greyed out.

Given reliance is once again on the user to click through the splash screen and they can't be removed - I do wonder if its better to revert TeamsPhisher back to just messaging a user without adding them to a group at all.

When running the tool, I can successfully authenticate my device, however when the tool gathers the SharePoint bearer token it seems to be adding in a space between the first part of the URL. i.e. my domain is fredbloggs.com, and when getting the token the error shows https://fred bloggs-my.sharepoint.com

Not sure what is causing this though. Any ideas?

OS: Ubuntu 22
Python 3.10.6

Authenticating, verifying files, and uploading attachment

Reading target email list..................................................[+] SUCCESS!
Fetching Bearer token for Teams............................................Traceback (most recent call last):
  File "/home/user/TeamsPhisher/teamsphisher.py", line 688, in <module>
    bToken, skypeToken, sharepointToken, senderInfo = authenticate(args)
  File "/home/user/TeamsPhisher/teamsphisher.py", line 247, in authenticate
    bToken = getBearerToken(args.username, args.password, 'https://api.spaces.skype.com/.default')
  File "/home/user/TeamsPhisher/teamsphisher.py", line 144, in getBearerToken
    result = app.acquire_token_by_username_password(username, password, scopes=[scope])
  File "/home/user/.local/lib/python3.10/site-packages/msal/application.py", line 1610, in acquire_token_by_username_password
    response = _clean_up(self._acquire_token_by_username_password_federated(
  File "/home/user/.local/lib/python3.10/site-packages/msal/application.py", line 1637, in _acquire_token_by_username_password_federated
    wstrust_result = wst_send_request(
  File "/home/user/.local/lib/python3.10/site-packages/msal/wstrust_request.py", line 60, in send_request
    return parse_response(resp.text)
  File "/home/user/.local/lib/python3.10/site-packages/msal/wstrust_response.py", line 48, in parse_response
    error = parse_error(body)
  File "/home/user/.local/lib/python3.10/site-packages/msal/wstrust_response.py", line 52, in parse_error
    dom = ET.fromstring(body)
  File "/usr/lib/python3.10/xml/etree/ElementTree.py", line 1343, in XML
    return parser.close()
xml.etree.ElementTree.ParseError: no element found: line 1, column 0

I do have masl installed

user@dumpster:~/TeamsPhisher$ pip3 install msal
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: msal in /home/user/.local/lib/python3.10/site-packages (1.22.0)
Requirement already satisfied: PyJWT[crypto]<3,>=1.0.0 in /home/user/.local/lib/python3.10/site-packages (from msal) (2.7.0)
Requirement already satisfied: cryptography<43,>=0.6 in /home/user/.local/lib/python3.10/site-packages (from msal) (39.0.2)
Requirement already satisfied: requests<3,>=2.0.0 in /home/user/.local/lib/python3.10/site-packages (from msal) (2.26.0)
Requirement already satisfied: cffi>=1.12 in /home/user/.local/lib/python3.10/site-packages (from cryptography<43,>=0.6->msal) (1.15.1)
Requirement already satisfied: urllib3<1.27,>=1.21.1 in /usr/lib/python3/dist-packages (from requests<3,>=2.0.0->msal) (1.26.5)
Requirement already satisfied: idna<4,>=2.5 in /usr/lib/python3/dist-packages (from requests<3,>=2.0.0->msal) (3.3)
Requirement already satisfied: charset-normalizer~=2.0.0 in /home/user/.local/lib/python3.10/site-packages (from requests<3,>=2.0.0->msal) (2.0.12)
Requirement already satisfied: certifi>=2017.4.17 in /usr/lib/python3/dist-packages (from requests<3,>=2.0.0->msal) (2020.6.20)
Requirement already satisfied: pycparser in /home/user/.local/lib/python3.10/site-packages (from cffi>=1.12->cryptography<43,>=0.6->msal) (2.21)

Hi i am having issues with file uploading
here is the log

[+] Try to personalize greeting by using targets first name
[-] Sending file link that is accessible by anyone with the link
[-] No delay between messages
[+] Using greeting: Hi, --personalize greeting: Hi ,
[+] Logging TeamsPhisher output at: /root/10-26_06Jul23_teamsphisher.log

Operational mode: Sending phishing messages to targets!

Authenticating, verifying files, and uploading attachment

Fetching Bearer token for Teams............................................[+] SUCCESS!
Fetching Skype token.......................................................[+] SUCCESS!
Fetching sender info.......................................................[+] SUCCESS!
Fetching Bearer token for SharePoint.......................................[+] SUCCESS!
Uploading file: test.txt...................................................[-] Error uploading file: 404

.

So I'm trying to replicate what the tool does manually to fully understand what's behind it, also with the help of the articles linked

What I'm trying to do is to add the attachment after sending the message with burp suite.

What's not clear to me is how you came up with the crafting of the body especially the file part in the properties.

On my side I inserted a print to retrieve the body from Teamphisher so I can reuse it on burp
Then I inserted the file part in my intercepted part on burp but as you might guess it's not working and I think I'm doing something wrong

Let me know if you want more info or u want me to reach u privately

It appears that all the previous steps are successful however, when the file is being uploaded I'm seeing this message "Name or service not known" I'm assuming it is unable to resolve the tenant name? The machine is configured with a proper DNS so I wonder why I'm seeing the below message:

`[+] SUCCESS!
Uploading file: /root/test/text.txt........................................Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 159, in _new_conn
conn = connection.create_connection(
File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 61, in create_connection
for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
File "/usr/lib/python3.8/socket.py", line 918, in getaddrinfo
for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -2] Name or service not known

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 376, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 996, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 314, in connect
conn = self._new_conn()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 171, in _new_conn
raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7f475bdea4f0>: Failed to establish a new connection: [Errno -2] Name or service not known`

Always get the following error message. Tried multiple tenants, any idea?

Fetching Bearer token for Teams............................................�[31m[-]
AADSTS50034: The user account {EmailHidden} does not exist in the 03ba08ac-c27d-4d87-8d6b-6f3e22c9aXXX directory. To sign into this application, the account must be added to the directory.
Trace ID: 3aad7c3f-3d6f-4477-801e-ce719deb5XXX
Correlation ID: 813571dc-e6fb-427c-8f53-8179de047XXX

Does the TeamsPhisher still bypass the "Someone outside your organization messaged you, are you sure you want to view it" splash screen? When I test the TeamsPhisher, I always get the splash screen as a warning

I think you can skip the whole looping over users (lines 208-230):

url = f"https://teams.microsoft.com/api/mt/emea/beta/users/{userID}"
response = requests.get(url, headers=headers)
senderInfo = json.loads(response.text)['value']

On Windows 11.
Used the --log switch (I can't chose a name, I believe by design).
It attempts to create a file:

[+] Logging TeamsPhisher output at: C:\Users\MYUSERNAME/13:11_06Jul23_teamsphisher.log

All that is created is an empty file called "13" - in the correct location. This is just before the illegal character ":"