Researchers at Check Point Research (CPR) have disclosed four critical vulnerabilities in Microsoft Teams that could have allowed attackers and malicious insiders to impersonate executives, manipulate messages, spoof notifications, and forge caller identities, fundamentally undermining trust in one of the world’s most widely used collaboration platforms.
According to the report, these flaws “allow attackers to impersonate executives, manipulate messages, alter notifications, and forge identities in video and audio calls.”
These flaws affected both external guest users and internal employees, enabling attackers to subvert Teams’ core identity and messaging controls.
Launched in 2017 and now serving over 320 million monthly active users, Microsoft Teams has become a cornerstone of hybrid and remote work, integrating chat, meetings, and file-sharing across global enterprises. Check Point notes that this ubiquity makes Teams a high-value target for attackers.
CPR’s investigation revealed that adversaries could exploit multiple vulnerabilities to modify messages, spoof senders, and impersonate trusted individuals—even in secure or private communication channels.
Check Point researchers identified four separate but interrelated weaknesses in Teams’ message-handling and notification logic:
1. Edit Messages Without Trace
By manipulating internal message parameters, attackers could edit previously sent messages without triggering the standard “Edited” label, effectively rewriting history.
“We discovered a method to alter the content of sent messages without leaving the usual ‘Edited’ label.”
This silent edit loophole could enable attackers to inject malicious links or alter financial instructions in ongoing conversations.
2. Spoofed Message Notifications
CPR uncovered a flaw in the imdisplayname parameter that controls notification content. By modifying this value, attackers could display fake notifications from high-profile individuals, such as CEOs or CFOs.
“Our research uncovered a technique to change the apparent sender of a message, enabling the display of notifications… from high-profile individuals like CEOs, thus exploiting the trust and urgency typically associated with such communications.”
This vulnerability (later tracked as CVE-2024-38197) could be weaponized for social engineering, business email compromise (BEC), or malware delivery, exploiting the instinctive trust users place in internal alerts.
3. Altering Display Names in Private Chats
Teams allows chat topics to be renamed via an API endpoint. Researchers found that this functionality could also be abused in one-on-one private chats, enabling attackers to relabel the conversation and mislead the target about who they were talking to.
“We identified a vulnerability that allows an attacker to change the displayed name in private chat conversations by modifying the conversation topic… misleading users about the conversation’s context.”
This subtle deception could easily be combined with message spoofing for fraud or credential harvesting.
4. Forged Caller Identity in Audio/Video Calls
Perhaps the most alarming finding was Teams’ failure to properly validate caller display names during call initiation.
“We discovered that the display name used in call notifications (and later on during the call itself) could be arbitrarily modified through specific manipulations of call initiation requests.”
This allowed attackers to forge caller identities, making it appear as if a video or audio call was coming from a legitimate executive or department. CPR demonstrated that by altering a JSON payload’s displayName parameter, a call could appear to originate from “any chosen name.”
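Items 2 and 4 share one root cause: a name supplied by the client is shown to recipients. The following Python code is an added example of the server-side control that closes that gap, not Check Point's proof of concept or Microsoft's code. Only the field names imdisplayname and displayName come from the article; the directory, sender IDs, payload shapes and the function enforce_sender_name are hypothetical and constructed for illustration.

```python
import unicodedata

# Constructed directory: authenticated sender id -> authoritative display name.
DIRECTORY = {
    "user-1001": "Dana Reyes (Guest)",
    "user-0001": "Alex Kim, CEO",
}

# Client-settable name fields named in the article; all else is hypothetical.
NAME_FIELDS = ("imdisplayname", "displayName")


def _norm(name):
    # Fold case and compatibility forms so equivalent names compare equal.
    return unicodedata.normalize("NFKC", name).casefold().strip()


def enforce_sender_name(auth_sender_id, payload):
    """Return (sanitized_payload, alerts).

    The name shown to recipients is always taken from the directory entry of
    the authenticated sender. Client-supplied name fields are overwritten,
    and any mismatch is reported so it can be logged as a spoofing attempt.
    """
    trusted = DIRECTORY.get(auth_sender_id)
    if trusted is None:
        raise PermissionError(f"unknown sender {auth_sender_id!r}")
    clean = dict(payload)  # never mutate the caller's copy
    alerts = []
    for field in NAME_FIELDS:
        claimed = payload.get(field)
        if isinstance(claimed, str) and _norm(claimed) != _norm(trusted):
            alerts.append({"sender": auth_sender_id, "field": field,
                           "claimed": claimed, "actual": trusted})
        if field in payload:
            clean[field] = trusted
    return clean, alerts


# Constructed sample payloads: a message notification and a call invite.
SPOOFED_MESSAGE = {"content": "Please approve the wire today.",
                   "imdisplayname": "Alex Kim, CEO"}
SPOOFED_CALL = {"type": "call-invite", "displayName": "IT Helpdesk"}
HONEST_MESSAGE = {"content": "hi", "imdisplayname": "dana reyes (guest)"}

if __name__ == "__main__":
    for p in (SPOOFED_MESSAGE, SPOOFED_CALL, HONEST_MESSAGE):
        print(enforce_sender_name("user-1001", p))
```

The alerts list doubles as a detection signal: a guest account whose requests repeatedly claim an executive's name is worth reviewing even though the rewritten payload is harmless.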
CPR warned that these flaws could enable a wide range of targeted social engineering and espionage operations, including:
- Executive Impersonation and Fraud: “A malicious guest user could impersonate someone internal, such as a finance department member. Notifications can be spoofed to display a false sender name, preying on the instinct to trust official-looking notifications.”
- Malware Delivery: Fake Teams messages or calls could appear to come from executives urging employees to open malicious attachments or click phishing links.
- Credential Harvesting: Attackers could pose as internal staff, particularly in finance or IT, to solicit passwords or access tokens.
- Misinformation Campaigns: The ability to alter message history or forge conversations could be weaponized to spread disinformation or damage reputations.
- Briefing Disruption: “The ability to impersonate individuals during sensitive briefings hosted on Teams can spread confusion or trick participants into revealing sensitive information.”
Check Point responsibly disclosed the vulnerabilities to Microsoft on March 23, 2024. While Microsoft classified the flaw as medium severity, Check Point’s proof-of-concept revealed a more serious reality.