Microsoft Teams Vulnerabilities Allowing Message and Caller Impersonation
Researchers at Check Point disclosed four critical vulnerabilities in Microsoft Teams that allowed attackers to impersonate executives, alter chat history, and forge notifications or caller identities without detection. These flaws, now patched, enabled manipulation of message content without the usual 'Edited' label, spoofing of alerts to appear from trusted colleagues, and renaming of chats to misrepresent participants. The vulnerabilities exploited Teams' messaging architecture, including the reuse of unique message identifiers and manipulation of hidden conversation parameters, fundamentally undermining the trust in digital communications for over 320 million monthly users.
Microsoft was notified of the issues in March 2024 and addressed them through a series of patches, with the final fix released in October 2025. The vulnerabilities, tracked as CVE-2024-38197 among others, affected both internal users and external guests, posing significant risks of social engineering, data theft, and unauthorized actions. Attackers could trick users into clicking malicious links or sharing sensitive information by making messages and calls appear to originate from high-profile executives or trusted sources, highlighting the importance of prompt patching and ongoing vigilance in collaboration platforms.
Timeline
Nov 4, 2025
Check Point discloses four Microsoft Teams security flaws
In early November 2025, Check Point publicly disclosed four Microsoft Teams vulnerabilities that could let attackers impersonate colleagues or executives, manipulate message content without an 'Edited' label, and spoof notifications or caller identity. The flaws affected scenarios involving external guest users and malicious insiders and raised social-engineering concerns.
Oct 1, 2025
Microsoft ships another Teams patch for remaining issues
An additional patch for the Microsoft Teams flaws was released in October 2025, indicating that remediation continued after the 2024 fixes. The issues included risks such as impersonation, forged identities, and message manipulation.
Sep 1, 2024
Microsoft releases additional Teams fixes
Microsoft issued further patches for the Teams-related flaws in September 2024, expanding remediation beyond the initial August update. These fixes were part of Microsoft's response to the broader set of spoofing and message-manipulation issues.
Aug 1, 2024
Microsoft patches Teams spoofing issue as CVE-2024-38197
Microsoft addressed part of the reported Microsoft Teams impersonation and notification spoofing issues under CVE-2024-38197 in August 2024. The fix covered some of the flaws later described by Check Point.
Related Stories

Microsoft Teams Vishing Used to Gain Remote Access and Deploy Malware
Attackers used **Microsoft Teams** to impersonate IT or helpdesk staff and socially engineer employees into granting access or executing malicious actions, turning collaboration tooling and trusted support workflows into the initial access vector. One report describes a compromise at an Italy-based consumer services company where a Teams meeting invite and screen-sharing session led the victim to run a staged **PowerShell** chain that deployed **PhantomBackdoor**, a multi-stage **WebSocket-based** backdoor associated with earlier spear-phishing activity. The observed sequence included post-call PowerShell execution, device reconnaissance, and establishment of WebSocket command-and-control. A second report describes a similar **vishing** intrusion in which a threat actor posing as support staff called employees through Teams and, after multiple attempts, convinced one user to grant remote access through **Quick Assist**. The attacker then directed the victim to a spoofed credential-harvesting site, used a malicious **MSI** and a sideloaded **DLL** to launch follow-on payloads, and established outbound C2. While the malware families and exact post-compromise chains differ, both accounts document the same operational pattern: **Teams-based social engineering**, abuse of legitimate remote assistance or user-guided execution, credential theft or payload staging, and transition to hands-on intrusion activity inside a corporate environment.
1 month ago
Threat Actors Weaponize Microsoft Teams for Ransomware, Espionage, and Social Engineering
Microsoft has issued warnings about the increasing abuse of Microsoft Teams by both cybercriminals and state-sponsored threat actors for a range of malicious activities, including ransomware deployment, espionage, and social engineering attacks. The collaboration features and widespread adoption of Teams have made it a high-value target, with attackers exploiting its core capabilities such as messaging, calls, meetings, and video-based screen sharing at various stages of the attack chain. Threat actors have been observed conducting reconnaissance by enumerating directory objects and mapping relationships and privileges within Teams environments, often leveraging Microsoft Entra ID identities. Attackers may also probe a tenant's federation configuration to determine whether external communication is permitted, which can be inferred from API responses. Microsoft has responded by strengthening default security through its Secure Future Initiative, but emphasizes that defenders must also use the customer-facing security controls across identity, endpoints, data, apps, and network layers to harden Teams environments. The company provides detailed guidance for disrupting adversarial objectives, including recommendations for monitoring, detection, and response tailored to the specific risks of Teams. The attack chain often begins with reconnaissance and can progress to lateral movement, data exfiltration, or ransomware deployment, depending on the attacker's objectives. Social engineering tactics, such as phishing via Teams chat or impersonation during meetings, have been reported as effective vectors for initial access. Microsoft highlights the importance of understanding the multi-tenant and cross-tenant communication features of Teams, which can be abused for lateral movement or to bypass traditional security boundaries.
The guidance also addresses the need for robust logging and monitoring to detect suspicious activity, as well as the implementation of least privilege access and strong authentication measures. Organizations are urged to review their Teams configurations, especially regarding guest and external access, to minimize exposure. Microsoft’s recommendations are designed to complement existing security development lifecycle practices and provide actionable steps for enterprise defenders. The company continues to monitor evolving attacker techniques and update its security guidance accordingly. The warnings underscore the critical need for organizations to treat collaboration platforms like Teams as high-value assets requiring dedicated security strategies. By proactively implementing Microsoft’s recommended controls and maintaining vigilance, organizations can reduce the risk of compromise via Teams. The evolving threat landscape demonstrates that attackers are increasingly targeting collaboration tools as entry points into enterprise environments. Microsoft’s ongoing research and public advisories aim to equip defenders with the knowledge and tools necessary to counter these sophisticated threats.
1 month ago
Microsoft Teams Guest Chat Cross-Tenant Security Bypass
A significant security weakness has been identified in Microsoft Teams' guest chat feature, allowing attackers to bypass Defender for Office 365 protections when users accept invitations to external tenants. Security researchers from Ontinue revealed that when a user joins another organization's Teams environment as a guest, the security policies of the hosting tenant apply, not those of the user's home organization. This architectural flaw means that if the external tenant has minimal or no security controls, all advanced protections such as URL scanning, Safe Links, file sandboxing, and Zero-hour Auto Purge are effectively disabled for the guest user. Attackers can exploit this by creating their own Microsoft 365 tenants with security features turned off and inviting targets to collaborate, thereby exposing them to phishing, malware, and other threats without the usual safeguards. The issue is not a software bug but a fundamental limitation of how cross-tenant collaboration is managed in Microsoft Teams. Security experts warn that organizations may have a false sense of security, believing their protections follow users across tenants, when in reality, attackers can easily create "protection-free zones" to deliver malicious content undetected.
1 month ago