Microsoft Fixed Impersonation & Spoofing Flaws in Teams


Check Point Research uncovered multiple impersonation and spoofing vulnerabilities in Microsoft Teams. These flaws allow attackers, including external guests and malicious insiders, to manipulate messages, spoof notifications, and forge identities. Successful exploitation of these vulnerabilities fundamentally breaks the trust mechanisms within the platform, a critical backbone for over 320 million modern workplace users. Microsoft acknowledged the findings and subsequently issued fixes for the reported issues.

Severity: Moderate

Vulnerability Details

| Vulnerability | Mechanism of Exploitation |
| --- | --- |
| Manipulating Notifications (CVE-2024-38197) | Altering the imdisplayname parameter in the message payload to make the notification appear to come from any chosen sender, such as a CEO. |
| Forging Caller Identity | Modifying the displayName parameter within the call initiation JSON payload to present any chosen name to the call recipient. |
| Altering Display Names in Private Chats | Manipulating a specific PUT endpoint for changing group chat topics to alter the name displayed in a private (one-on-one) conversation. |
| Editing Messages Without Trace | Crafting a new message and replacing the clientmessageid with the ID from a previous message to bypass the “Edited” label. |
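
The two message-level flaws above share a root cause: the display name and the message ID were taken from client-supplied fields instead of being checked against server-side state. The following consistency check is an added example, not code from Check Point or Microsoft. It runs over constructed records in which only imdisplayname and clientmessageid come from the advisory; the directory, the other field names, and the per-conversation scoping of IDs are assumptions.

```python
# Constructed directory: authenticated sender id -> display name on record.
DIRECTORY = {"u-100": "Dana Reyes (CEO)", "u-200": "Sam Patel",
             "u-300": "Guest - Alex Kim"}

# Constructed message records. "imdisplayname" and "clientmessageid" are the
# parameters named in the advisory; every other field name is hypothetical.
MESSAGES = [
    {"seq": 1, "conversation_id": "c-1", "sender_id": "u-200",
     "imdisplayname": "Sam Patel", "clientmessageid": "9001"},
    {"seq": 2, "conversation_id": "c-1", "sender_id": "u-300",
     "imdisplayname": "Dana Reyes (CEO)", "clientmessageid": "9002"},
    {"seq": 3, "conversation_id": "c-1", "sender_id": "u-200",
     "imdisplayname": "Sam Patel", "clientmessageid": "9001"},
    {"seq": 4, "conversation_id": "c-2", "sender_id": "u-100",
     "imdisplayname": "Dana Reyes (CEO)", "clientmessageid": "9001"},
]

def normalize(name):
    # Collapse whitespace and case so cosmetic differences are not flagged.
    return " ".join(name.split()).casefold()

def find_anomalies(messages, directory):
    """Return (seq, reason) pairs for records that contradict trusted state."""
    findings = []
    seen = set()  # (conversation_id, clientmessageid) pairs already used
    for msg in sorted(messages, key=lambda m: m["seq"]):
        expected = directory.get(msg["sender_id"])
        if expected is None:
            findings.append((msg["seq"], "unknown_sender"))
        elif normalize(expected) != normalize(msg["imdisplayname"]):
            # Claimed name differs from the authenticated sender's record.
            findings.append((msg["seq"], "display_name_mismatch"))
        key = (msg["conversation_id"], msg["clientmessageid"])
        if key in seen:
            # Assumption: IDs are unique per conversation, so a repeat means
            # an earlier message may have been replaced without an edit mark.
            findings.append((msg["seq"], "clientmessageid_reuse"))
        seen.add(key)
    return findings

if __name__ == "__main__":
    for seq, reason in find_anomalies(MESSAGES, DIRECTORY):
        print(f"message {seq}: {reason}")
```

A reuse finding is a lead for review rather than proof of tampering, since a client retry could resend the same ID.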

Real-World Attack Scenarios

The discovered flaws can facilitate severe malicious activities commonly seen with sophisticated threat actors:

  • Executive Impersonation and Social Engineering: An attacker can convincingly appear as a C-level executive or a member of the finance department to trick employees.
  • Malware Delivery: An attacker can send a spoofed notification, seemingly from a trusted executive, asking for urgent action or a link click, which then installs malware.
  • Credential Harvesting/Fraud: By impersonating an internal figure, attackers can fish for sensitive data, such as budget numbers, to commit financial fraud.
  • Misinformation Campaigns: The ability to create false message histories and undermine conversation integrity enables the widespread distribution of misinformation.
  • Briefing Disruption: Impersonating key individuals during sensitive briefings hosted on Teams can spread confusion or trick participants into revealing confidential information.

Recommendations

  1. Ensure Teams desktop, mobile, and web clients are updated with the latest security patches.
  2. Enforce continuous identity, device posture, and session validation – not just at login. Block unauthorized access even from legitimate credentials.
  3. Apply granular guest access restrictions in Microsoft Teams admin settings. Disable or tightly control guest invitations, especially in sensitive projects or executive groups.
  4. Simulate fake messages or calls appearing to be from executives and educate users to verify such interactions via alternative channels.
  5. Enforce out-of-band verification for financial approvals, document sharing, and sensitive data communications. Use phone calls or secured internal apps for validation.

Source:

  • https://research.checkpoint.com/2025/microsoft-teams-impersonation-and-spoofing-vulnerabilities-exposed/
