Critical vulnerabilities in Microsoft Teams, a platform central to workplace communication for over 320 million users worldwide, enabled attackers to impersonate executives and tamper with messages undetected.
These vulnerabilities, now patched by Microsoft, allowed both external guests and insiders to spoof identities in chats, notifications, and calls, potentially leading to fraud, malware distribution, and misinformation.
Check Point disclosed the issue to Microsoft responsibly in March 2024. The issues highlight how trust in collaboration tools can be weaponized by sophisticated threat actors targeting remote work infrastructure.
Launched in 2017 as part of Microsoft 365, Teams integrates chat, video calls, file sharing, and apps, making it indispensable for businesses from startups to Fortune 500 companies.
Check Point’s investigation focused on the web version’s JSON-based architecture, where messages include parameters like content, messagetype, clientmessageid, and imdisplayname.
Attackers exploited these to edit messages without the “Edited” label by reusing clientmessageids, effectively rewriting history without traces.

Notifications could be manipulated by altering imdisplayname, making alerts appear from high-level executives like CEOs, exploiting users’ instinctive trust in urgent pings.

In private chats, modifying conversation topics via a PUT endpoint changed display names, misleading participants about the sender’s identity, as shown in before-and-after screenshots of altered interfaces.

Call initiations via POST /api/v2/epconv allowed forging displayName in participant sections, spoofing caller identities during audio or video sessions.
One flaw, notification spoofing, was tracked as CVE-2024-38197, a medium-severity issue (CVSS 6.5) affecting iOS versions up to 6.19.2, where sender fields lacked proper validation.
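
A detection sketch for the silent message rewrite and display-name spoofing behaviours described above, added here as an example and not taken from Check Point or Microsoft. It assumes a hypothetical server-side audit log: only content, messagetype, clientmessageid and imdisplayname come from the article, while sender_id, edited, the DIRECTORY mapping and all sample values are assumptions.

```python
# Constructed sample data. Only content, messagetype, clientmessageid and
# imdisplayname come from the article; sender_id, edited and DIRECTORY are
# assumed fields of a hypothetical server-side audit log.
DIRECTORY = {"u-100": "Dana Reyes (CEO)", "u-200": "Guest User"}

def event(sender_id, imdisplayname, clientmessageid, content, edited=False):
    return {"sender_id": sender_id, "imdisplayname": imdisplayname,
            "clientmessageid": clientmessageid, "messagetype": "Text",
            "content": content, "edited": edited}

EVENTS = [
    event("u-100", "Dana Reyes (CEO)", "1001", "Budget review at 3pm"),
    event("u-200", "Guest User", "2001", "Please review the attached invoice"),
    event("u-200", "Guest User", "2001", "Please pay the attached invoice today"),
    event("u-200", "Dana Reyes (CEO)", "2002", "Approve this now"),
    event("u-100", "Dana Reyes (CEO)", "1001", "Budget review at 4pm", edited=True),
]

def find_silent_rewrites(events):
    """Return (sender_id, clientmessageid) keys whose content changed without an edit marker."""
    last_seen, findings = {}, []
    for ev in events:
        key = (ev["sender_id"], ev["clientmessageid"])
        prev = last_seen.get(key)
        # A reused clientmessageid with new content and no edit flag is the rewrite pattern.
        if prev is not None and ev["content"] != prev["content"] and not ev["edited"]:
            findings.append(key)
        last_seen[key] = ev
    return findings

def find_display_name_mismatches(events, directory):
    """Return (sender_id, imdisplayname) pairs where the client-supplied name differs from the directory."""
    findings = []
    for ev in events:
        expected = directory.get(ev["sender_id"])
        claimed = ev["imdisplayname"].strip().casefold()
        # Trust the authenticated sender's directory record, not the name carried in the message.
        if expected is None or claimed != expected.strip().casefold():
            findings.append((ev["sender_id"], ev["imdisplayname"]))
    return findings

if __name__ == "__main__":
    print("silent rewrites:", find_silent_rewrites(EVENTS))
    print("display-name mismatches:", find_display_name_mismatches(EVENTS, DIRECTORY))
```

The flagged-edit event for message 1001 is not reported because it carries the edit marker; only the unmarked content change and the mismatched display name are.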
Microsoft Teams Vulnerability Attack Scenarios
These vulnerabilities erode the core trust in Teams, turning it into a deception vector for advanced persistent threats (APTs), nation-state actors, and cybercriminals.
External guests could infiltrate as insiders, impersonating finance leads to harvest credentials or push malware-laden links disguised as executive directives.
Insiders might disrupt briefings by spoofing calls, spreading confusion in sensitive discussions, or enabling business email compromise (BEC) schemes.
Real risks include financial fraud, where fake CEO notifications prompt wire transfers; privacy breaches from falsified conversations; and espionage via manipulated histories in supply chain attacks.
Threat actors, including groups like Lazarus, have long targeted such platforms for social engineering, as seen in recent reports of Teams abuse in ransomware and data exfiltration.
The ease of chaining these flaws, for instance, spoofing a notification followed by a forged call, amplifies dangers, potentially fooling users into revealing secrets or executing harmful actions.
Check Point disclosed the flaws on March 23, 2024, with Microsoft acknowledging them on March 25 and confirming fixes progressively.
The message editing issue was resolved by May 8, 2024; private chat alterations by July 31; notifications (CVE-2024-38197) by September 13, after an August rollout; and call spoofing by October 2025.
All issues are now addressed across clients, requiring no user action beyond updates. However, organizations should layer defenses: implement zero-trust verification for identities and devices; deploy advanced threat prevention to scan payloads in Teams; enforce data loss prevention (DLP) policies; and train staff on out-of-band validation for high-stakes requests.
Critical thinking remains key: always verify suspicious communications, even when they appear to come from trusted sources. As collaboration tools evolve, securing human trust is as vital as patching code.