I am a pentester and red teamer at work, and an ethical hacker, blogger, gamer and pseudo-developer outside of work. Sometimes I’m a slacker at work too, but I prefer to call it ‘professional’ – meaning I automate my tasks. If there are no red team activities planned for Friday, I don’t do anything myself because, as we all know, Fridays at work are a bit different. Everyone is thinking about the weekend, not the red teamer dumping work or alerts on SIEM. As a pentester and red teamer, people generally don’t like you, especially when this position is new to the company, because you add to their workload and show in your reports that they are doing their job poorly.
Over time, as awareness of this role grows, you become the best friend of IT people and application developers because you help them to create a secure environment by pointing out where the problem lies and giving tips on how to fix security-related bugs. Everyone is happy with the report, which proves that people are testing what they implement. Over time, when they retest, the report no longer glows red, but contains informational additions that may be worth considering for implementation to improve things further. Then everyone smiles.
Unfortunately, as a Red Teamer, the Blue Team will always dislike you. The Red Team has two objectives: one is Red Team vs. Blue Team, but not as a competition; rather, it is to check what we detect and what we don’t. In other words, it is to test the Blue Team’s response to alerts, or to simulate an attack in order to check whether alerts will appear at all. In other words, it is to check whether the organisation is prepared for this type of threat and whether the detection/response mechanisms will work. The second goal is to perform adversary emulation, which involves providing Blue Team/SOC training in conditions that closely resemble a real attack. It also involves checking whether we can catch and remove an attackers before they can cause any further damage. In general, detection and blocking are failures for the Red Teamer in both tasks. Sometimes these tasks are carried out as planned global actions where certain people are in on the secret, and sometimes only the manager of the offensive security department knows about them. This annoys the Blue Team the most. Of course, there is also purple teaming, where both teams collaborate to enhance detection and response capabilities.
I, and probably many other red teamers, irritate our colleagues at work even more sometimes, but I suppose it’s just my mischievous nature coming out, coming up with all sorts of silly ideas. One of these ideas is annoying my colleagues by spamming them with reactions in Microsoft Teams.
Yes, a week ago I discovered by accident that Microsoft had added the ability to react to posts multiple times on Teams channels and chats. I don’t know why they did it, and it’s probably not necessary for most people, at least in a business environment. Discord has this feature too, and sometimes people add more reactions in the form of captions. But I immediately thought: ‘I’ll quickly press it a dozen times and see where the limit is, how fast I can do it to make the sound on my phone or desktop annoying, and whether I can automate it to spam others.’ Yes, I know it’s stupid, and I don’t know who needs it, but I did it.
The best thing is that you can’t turn it off in MS Teams, there is no option to disable multi-reactions or limit the number of them.
You can check this Microsoft learn platform post. One guy called it a pointless feature there. I disagree! Normally, I would say I wrote Microsoft Teams Emoji Spammer, but professionally, we can call it MS Teams Bring Attention Tool. Because at the right speed of adding 18 reactions to a post, it makes your phone and computer annoying, almost as if you were an influencer with a million followers reacting to your sweet photos on Instagram.
Well, I checked it out, and I could use PowerShell and MS Graph for that.
Reactions in Teams are displayed in Microsoft Graph as setReaction/unsetReaction actions on the chatMessage object. In PowerShell, this can be handled by the Microsoft Graph PowerShell SDK (ready-made cmdlets such as Set-Mg*, MessageReaction) or the universal Invoke-MgGraphRequest.
Unfortunately, when I started writing the script, it turned out that there are certain requirements, namely access to Microsoft Graph (delegated).
Reactions are not supported in application permissions (daemon without a user). The context of the logged-in user (delegated) is required.
Minimum scopes:
- For channels (Teams):
ChannelMessage.Send - For chats (1:1/group):
Chat.ReadWriteandChatMessage.Send
The administrator must grant consent to these scopes. More info on chatMessage: setReaction.
Target identifiers such as teamId, channelId, messageId (and possibly replyId for threads), or chatId + messageId for chats. They can be retrieved with Graph (e.g., Get-MgTeam, Get-MgTeamChannel, Get-MgTeamChannelMessage, Get-MgChatMessage). Again more info on Using Get-MgTeamChannelMessage in Graph PowerShell. You can also find these identifiers by copying links to specific messages - “Copy link to message” - they are included in the URL.
Module: Microsoft.Graph/Microsoft.Graph.Teams (there are ready-made cmdlets Set-MgTeamChannelMessageReaction, Set-MgChatMessageReaction, etc.). If necessary, Invoke-MgGraphRequest should work too.
Unfortunately, I don’t have the necessary permissions, so it could potentially look like this for channels:
1 |
|
REST version
1 | foreach ($emoji in $emojis) { |
for chats
1 |
|
REST version
1 | foreach ($emoji in $emojis) { |
It’s just a theory at the moment, but you know what? I already have a list of users in the company with these permissions, so you can probably guess what my next Red Team exercise goal will be.
Of course, I couldn’t resist spamming my co-workers. So, what’s the best thing to do in this situation? Good old AutoHotkey. Since I can do it fairly quickly by hand, maybe an automated tool can do it for me (remember, I’m lazy and like to automate my work).
So I wrote this code. It’s important not to go too fast, otherwise the sounds won’t have time to start. As with any AutoHotkey script, you need to create a shortcut to interrupt the action. Anyone who has used AutoHotkey at least once knows that every mistake causes random clicking everywhere except where you want it to! There is also no limit to the number of emojis you can use in a chat. I used almost 20 in a test. However, there is a limit of about 14 emojis for channels.
Here is the script with comments to help you understand it better. Feel free to tweak it for your needs. It just press shortcut combination to react automatically to messages. It works for me, but in your environment it may need some additional changes.
Quick instruction:
- Run AutoHotkey script
- Select chat message (click on it)
Ctrl+Shift+.- to execute scriptAlt+,- to stop it in case it does something else
- For Teams Channels messages change parameter
ClickBeforeEach:= falsetoClickBeforeEach:= true - Select Teams message (click on it)
Ctrl+Shift+.- to execute scriptAlt+,- to stop it in case it does something else
And here is the script.
1 | ; AutoHotkey v2 — MS Teams emoji reactions spammer |
It was funny for a day, but people got annoyed on the second day and stopped writing to me for fear that I would spam them xD.
Therefore, the two key functions of the script are:
- Calling employees to the computer because something is beeping non-stop.
- Making your workload lighter because people don’t want to write to you for fear of your reactions.
A mass-reaction “spammer” in Teams or chat could be abused as a distraction technique during an attack — flooding users with notification sounds or drawing their attention to the chat while the attacker carries out other malicious actions elsewhere. This makes it a potential element of a social-engineering or diversion attack, even if it looks like a prank on the surface.
Personnel focus on the “funny incident” while the actual attack is taking place elsewhere.
Could it be? Similar things have already been done: Zoombombing.