Like many chat apps, Teams let colleagues send each other whimsical animated Gif images.
But CyberArk researchers discovered a problem that meant viewing a Gif could let hackers compromise an account and steal data. Microsoft has since patched the security hole, researchers said.
This attack involves using a compromised subdomain to steal security tokens when a user loads an image - but the end-user would just see the Gif sent to them, and nothing else.
"They will never know that he or she has been attacked - making this vulnerability... very dangerous," the team said.
It is a good demonstration of a zero-click attack - no clicking of links, the opening of documents, thus all software should be updated as there are bound to be security flaws occasionally.
Comments