Check Point Research uncovered multiple impersonation and spoofing vulnerabilities in Microsoft Teams. These flaws allow attackers, including external guests and malicious insiders, to manipulate messages, spoof notifications, and forge identities. Successful exploitation of these vulnerabilities fundamentally breaks the trust mechanisms within the platform, a critical backbone for over 320 million modern workplace users. Microsoft acknowledged the findings and subsequently issued fixes for the reported issues.
Severity: Moderate
Vulnerability Details
| Vulnerability | Mechanism of Exploitation |
| --- | --- |
| Manipulating Notifications (CVE-2024-38197) | Altering the imdisplayname parameter in the message payload to make the notification appear to come from any chosen sender, such as a CEO. |
| Forging Caller Identity | Modifying the displayName parameter within the call initiation JSON payload to present any chosen name to the call recipient. |
| Altering Display Names in Private Chats | Manipulating a specific PUT endpoint for changing group chat topics to alter the name displayed in a private (one-on-one) conversation. |
| Editing Messages Without Trace | Crafting a new message and replacing the clientmessageid with the ID from a previous message to bypass the “Edited” label. |
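
The two payload-level mechanisms above (a client-supplied imdisplayname and a reused clientmessageid) both amount to trusting a value the sender controls. The following is an added example, not code from Check Point or Microsoft, showing the corresponding integrity checks over constructed message records from a single conversation; the record layout, the sender_id field and the DIRECTORY mapping are assumptions made for illustration.

```python
# Added example: integrity checks over constructed message records.
# Only imdisplayname and clientmessageid come from the advisory; sender_id,
# the record layout and DIRECTORY are hypothetical.
import unicodedata

# Constructed directory: authenticated account id -> canonical display name.
DIRECTORY = {
    "u-1001": "Dana Reyes (CEO)",
    "u-2002": "Sam Ortiz",
    "g-9001": "Guest: Alex Kim",
}

# Constructed messages from one conversation, in arrival order.
MESSAGES = [
    {"sender_id": "u-2002", "imdisplayname": "Sam Ortiz",
     "clientmessageid": "1001", "content": "Budget draft attached."},
    {"sender_id": "g-9001", "imdisplayname": "Dana Reyes (CEO)",
     "clientmessageid": "1002", "content": "Approve the transfer today."},
    {"sender_id": "u-2002", "imdisplayname": "Sam Ortiz",
     "clientmessageid": "1001", "content": "Budget draft is final."},
    {"sender_id": "u-1001", "imdisplayname": "dana reyes (ceo) ",
     "clientmessageid": "1003", "content": "Thanks all."},
]


def _norm(name):
    """Fold case, whitespace and Unicode compatibility forms before comparing."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def audit(messages, directory):
    """Return (index, finding) tuples for records that fail either check."""
    findings = []
    seen = {}  # clientmessageid -> content first seen under that id
    for i, msg in enumerate(messages):
        expected = directory.get(msg["sender_id"])
        # Check 1: the claimed name must match the authenticated identity.
        if expected is None or _norm(msg["imdisplayname"]) != _norm(expected):
            findings.append((i, "display-name-mismatch"))
        # Check 2: a retry may repeat an id with identical content; an id that
        # returns with different content replaces a message without a label.
        first = seen.setdefault(msg["clientmessageid"], msg["content"])
        if first != msg["content"]:
            findings.append((i, "clientmessageid-reuse"))
    return findings


if __name__ == "__main__":
    for index, finding in audit(MESSAGES, DIRECTORY):
        print(index, finding)
```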
Real-World Attack Scenarios
The discovered flaws can facilitate severe malicious activities commonly seen with sophisticated threat actors:
- Executive Impersonation and Social Engineering: An attacker can convincingly appear as a C-level executive or a member of the finance department to trick employees.
- Malware Delivery: An attacker can send a spoofed notification, seemingly from a trusted executive, asking for urgent action or a link click, which then installs malware.
- Credential Harvesting/Fraud: By impersonating an internal figure, attackers can fish for sensitive data, such as budget numbers, to commit financial fraud.
- Misinformation Campaigns: The ability to create false message histories and undermine conversation integrity enables the widespread distribution of misinformation.
- Briefing Disruption: Impersonating key individuals during sensitive briefings hosted on Teams can spread confusion or trick participants into revealing confidential information.
Recommendations
- Ensure Teams desktop, mobile, and web clients are updated with the latest security patches.
- Enforce continuous identity, device posture, and session validation – not just at login. Block unauthorized access even from legitimate credentials.
- Apply granular guest access restrictions in Microsoft Teams admin settings. Disable or tightly control guest invitations, especially in sensitive projects or executive groups.
- Simulate fake messages or calls appearing to be from executives and educate users to verify such interactions via alternative channels.
- Enforce out-of-band verification for financial approvals, document sharing, and sensitive data communications. Use phone calls or secured internal apps for validation.
Source:
- https://research.checkpoint.com/2025/microsoft-teams-impersonation-and-spoofing-vulnerabilities-exposed/