Four critical vulnerabilities in Microsoft Teams have been exposed, enabling attackers to impersonate executives, manipulate messages, and spoof notifications in ways that erode the platform’s foundational trust mechanisms.
These flaws, affecting over 320 million monthly active users worldwide, could facilitate executive impersonation, financial fraud, malware distribution, and misinformation campaigns within enterprise communications.
Disclosed responsibly to Microsoft in March 2024, the issues were fully patched by October 2025, with one officially tracked as CVE-2024-38197.
Launched in 2017 as part of Microsoft 365, Teams serves as a vital hub for chat, video calls, file sharing, and app integrations across global enterprises.
However, researchers Andrey Charikov and Oded Vanunu demonstrated how external guest users and malicious insiders could exploit these weaknesses to bypass security boundaries.
The evolving threat landscape, marked by state-sponsored APT groups targeting collaboration tools for espionage and business email compromise, underscores the urgency of such findings.
By subverting Teams’ trust model, attackers could rewrite conversation histories or forge identities, turning a productivity tool into a deception vector.
Vulnerabilities In Action
The research highlighted techniques for invisible message editing, where attackers reuse the “clientmessageid” parameter in JSON payloads to alter sent content without the standard “Edited” label, preserving a false narrative in chats.
Notification spoofing involved tampering with the “imdisplayname” field, making alerts appear from high-level executives and exploiting users’ instinctive trust in urgent pings from authority figures.
In private chats, modifying conversation topics via a PUT endpoint changed display names for both parties, misleading participants about their interlocutor’s identity.
For video and audio calls, caller identities could be forged by altering the “displayName” in call initiation requests to /api/v2/epconv, allowing seamless impersonation during sensitive discussions.
These exploits, tested primarily on the web version, relied on Teams’ JSON processing for messaging and calls, revealing gaps in validation that amplified social engineering risks.
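The message-editing and notification-spoofing issues above both come down to a server trusting client-supplied fields. As an added example (not code from the researchers or from Microsoft), the sketch below shows the two validation checks a defender would expect, run over constructed events; the record layout, `DIRECTORY`, `sender_id`, `conversation`, `content` and `validate_messages()` are hypothetical, and only `clientmessageid` and `imdisplayname` come from the article.

```python
# Added illustration: the record layout, DIRECTORY and validate_messages() are
# hypothetical; only "clientmessageid" and "imdisplayname" come from the article.

# Constructed directory: authenticated sender id -> display name of record.
DIRECTORY = {"u-guest-17": "Alex Guest (External)", "u-cfo-01": "Dana CFO"}

# Constructed message events, in the order a server would receive them.
SAMPLE_EVENTS = [
    {"sender_id": "u-cfo-01", "conversation": "c1", "clientmessageid": "1001",
     "imdisplayname": "Dana CFO", "content": "Budget review at 3pm."},
    {"sender_id": "u-guest-17", "conversation": "c1", "clientmessageid": "2001",
     "imdisplayname": "Alex Guest (External)", "content": "Invoice attached."},
    # Same clientmessageid, different content: a silent overwrite attempt.
    {"sender_id": "u-guest-17", "conversation": "c1", "clientmessageid": "2001",
     "imdisplayname": "Alex Guest (External)", "content": "Wire funds today."},
    # Client-supplied display name that is not the sender's directory name.
    {"sender_id": "u-guest-17", "conversation": "c1", "clientmessageid": "2002",
     "imdisplayname": "Dana CFO", "content": "Urgent: approve the payment."},
    # Benign retry: identical resend of an already-seen message.
    {"sender_id": "u-cfo-01", "conversation": "c1", "clientmessageid": "1001",
     "imdisplayname": "Dana CFO", "content": "Budget review at 3pm."},
]


def validate_messages(events, directory):
    """Return (index, reason) findings for events that fail either check."""
    seen = {}       # (conversation, sender, clientmessageid) -> first content
    findings = []
    for i, ev in enumerate(events):
        # Check 1: display name must match the authenticated identity,
        # never the value the client put in the payload.
        expected = directory.get(ev["sender_id"])
        if ev.get("imdisplayname") != expected:
            findings.append((i, "display-name-mismatch"))
        # Check 2: a reused clientmessageid may only be an identical retry;
        # changed content must go through the labelled edit path instead.
        key = (ev["conversation"], ev["sender_id"], ev["clientmessageid"])
        if key in seen and seen[key] != ev["content"]:
            findings.append((i, "clientmessageid-reused-with-new-content"))
        seen.setdefault(key, ev["content"])
    return findings


if __name__ == "__main__":
    for idx, reason in validate_messages(SAMPLE_EVENTS, DIRECTORY):
        print(idx, reason)
```

The identical resend at the end of the sample is deliberately not flagged, since a retry with unchanged content is normal client behaviour.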
Real-World Risks and Resolutions
Attackers could leverage these flaws for BEC attacks, credential theft, or disrupting briefings by mimicking trusted sources, potentially leading to data exfiltration or privacy breaches.
In one proof-of-concept, a malicious bot crafted falsified payloads to convincingly impersonate users, showing that the problem extended beyond the iOS client to other clients.
Microsoft investigated promptly and confirmed fixes that added validation layers, with no user action required.
Organizations are advised to adopt zero-trust controls, advanced threat prevention, and verification protocols to counter similar threats in collaboration platforms.
| CVE ID | Vulnerability Type | Affected Products | CVSS Score | Description |
|---|---|---|---|---|
| CVE-2024-38197 | Spoofing | Microsoft Teams (iOS up to 6.19.2; web clients) | 6.5 (Medium) | Improper validation of message sender fields allows misrepresentation of user identity, enabling notification spoofing and impersonation via falsified “from” attributes in payloads. Attack vector: Network; Low complexity; No privileges needed. |





