Check Point Research discovered four Microsoft Teams vulnerabilities that let external guests and malicious insiders impersonate executives, edit messages without leaving an "Edited" label, manipulate notifications, change private chat display names, and forge caller identities in calls. Microsoft addressed the issues after disclosure (one tracked as CVE-2024-38197) with fixes rolled out between May 2024 and October 2025. #MicrosoftTeams #CVE-2024-38197
Key Points
- Check Point Research identified four distinct vulnerabilities in Microsoft Teams enabling message editing without trace, notification spoofing, private chat display-name manipulation, and caller identity forgery in calls.
- Both external guest accounts and malicious insiders can exploit these flaws to impersonate trusted personnel, including executives, undermining organizational trust.
- Real-world risks include executive impersonation, financial fraud, credential harvesting, malware delivery, misinformation campaigns, and disruption of sensitive briefings.
- The issues were responsibly disclosed to Microsoft on 23 March 2024 and were progressively fixed between 8 May 2024 and October 2025; one issue was tracked as CVE-2024-38197.
- Exploitation techniques rely on manipulating Teams' web JSON payloads and API parameters such as imdisplayname, displayName, clientmessageid, and conversation topic fields.
- Mitigations recommended include Zero Trust access controls, advanced threat prevention, DLP, user verification protocols, and heightened user awareness for out-of-band validation.
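The key points above name the message fields that were manipulated (imdisplayname, clientmessageid) and the impersonation outcomes (a guest presenting as an executive, an edit that leaves no "Edited" label). The following detection logic is an added example, not Check Point's or Microsoft's code: it audits a constructed stream of Teams-style message events against a directory of known accounts. The event shape, the directory lookup, and the assumption that a trace-less edit would surface as a reused clientmessageid carrying different content are all assumptions made for this illustration.

```python
# Added example: defender-side audit of Teams-style message events.
# Field names imdisplayname and clientmessageid come from the article; the
# event shape and the directory are constructed for this illustration.

# Constructed directory: sender id -> (true display name, is_guest).
DIRECTORY = {
    "8:orgid:aaaa-ceo": ("Jane Doe (CEO)", False),
    "8:orgid:bbbb-guest": ("Contractor Guest", True),
}

def audit_events(events, directory=DIRECTORY):
    """Return (rule, event) findings for suspicious message events.

    name-mismatch  imdisplayname differs from the directory name for the sender id
    guest-as-exec  a guest account presents the display name of an internal user
    silent-edit    a later message reuses a clientmessageid with different content
                   and no edit marker (assumed signature of a trace-less edit)
    """
    findings = []
    internal_names = {name for name, guest in directory.values() if not guest}
    seen = {}  # (conversation, sender, clientmessageid) -> last content seen
    for ev in events:
        sender = ev["from"]
        true_name, is_guest = directory.get(sender, (None, True))
        shown = ev.get("imdisplayname")
        if true_name is not None and shown != true_name:
            findings.append(("name-mismatch", ev))
        if is_guest and shown in internal_names:
            findings.append(("guest-as-exec", ev))
        key = (ev["conversation"], sender, ev["clientmessageid"])
        if key in seen and seen[key] != ev["content"] and not ev.get("edited"):
            findings.append(("silent-edit", ev))
        seen[key] = ev["content"]
    return findings

# Constructed sample stream; ids, names and contents are made up.
SAMPLE_EVENTS = [
    {"conversation": "19:chat1", "from": "8:orgid:aaaa-ceo", "imdisplayname": "Jane Doe (CEO)",
     "clientmessageid": "100", "content": "Please approve invoice 42."},
    {"conversation": "19:chat1", "from": "8:orgid:bbbb-guest", "imdisplayname": "Jane Doe (CEO)",
     "clientmessageid": "200", "content": "Urgent: wire the funds today."},
    {"conversation": "19:chat1", "from": "8:orgid:bbbb-guest", "imdisplayname": "Jane Doe (CEO)",
     "clientmessageid": "200", "content": "Urgent: wire the funds to account X."},
]

if __name__ == "__main__":
    for rule, ev in audit_events(SAMPLE_EVENTS):
        print(f"{rule}: {ev['from']} shown as {ev['imdisplayname']!r}: {ev['content']}")
```

In a real deployment the directory lookup would query the tenant's identity provider, and the reused-id heuristic should be validated against legitimate client retries before it is used for alerting.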
MITRE Techniques
- [T1195] Supply Chain Compromise: The article notes threat actors targeting widely used platforms as part of broader campaigns, highlighting supply chain risks. ("Supply chain attacks targeting widely-used software platforms")
- [T1566] Phishing (Social Engineering): Attackers use trusted communication channels and social engineering tactics via Teams to deceive users and induce actions. ("Social engineering campaigns leveraging trusted communication channels")
- [T1566.003] Spearphishing via Service: The research demonstrates crafting payloads (e.g., bot/webhook messages) that spoof senders within the Teams interface to impersonate trusted users. ("we developed a proof-of-concept showing how a malicious bot or webhook could craft payloads with falsified 'from' attributes")
- [T1589] Gather Victim Identity Information: Techniques described include credential harvesting and impersonation to obtain sensitive identity-related data for fraud or access. ("Credential harvesting operations targeting remote workforce tools")
- [T1204] User Execution: Malware delivery scenarios rely on users clicking malicious links or executing content delivered via spoofed Teams messages or notifications. ("Malware Delivery: Attackers can send a spoofed notification… asking for urgent action or clicking a link, which then installs malware.")
- [T1041] Exfiltration Over Command and Control (Data Exfiltration): The report links manipulated communications to potential data exfiltration and advanced persistent threat activity. ("Advanced Persistent Threats and Data Exfiltration")
- [T1036] Masquerading: Impersonation and forged caller/display names in messages and calls reflect masquerading techniques to appear as legitimate internal users. ("an attacker could convincingly appear to be the CEO")
- [T1078] Valid Accounts: The findings show both guest accounts and malicious insiders abusing legitimate account contexts to bypass trust boundaries. ("both external guest users and internal malicious actors can effectively transform their identity to appear as trusted personnel")
- [T1565] Stored Data Manipulation: The ability to edit messages without leaving an "Edited" label and to alter conversation topics represents manipulation of stored message data. ("Edit Messages Without Trace: We discovered a method to alter the content of sent messages without leaving the usual 'Edited' label.")
Indicators of Compromise
- [CVE] vulnerability identifier reported and tracked: CVE-2024-38197
- [API Endpoint] endpoints and request paths used in research/exploitation: POST /api/v2/epconv (call initiation), PUT /api/chatsvc/emea/v1/threads/<thread id>/properties?name=topic (conversation topic update; the thread id is not given on this page)
- [UUID/User ID] internal user identifier format used to target/identify users; example: 8:orgid:37f85325
- [Message Parameters] request fields and values leveraged for manipulation: clientmessageid 2711247313308716623, OriginalArrivalTime 1709414616944
- [Domain/URL] research disclosure and briefing link: https://pages.checkpoint.com/2025-nov-ww-critical-microsoft-teams-vulnerabilities-uncovered.html