Application security, Identity, Endpoint/Device Security

Microsoft Teams flaws let attackers impersonate execs, manipulate messages

Microsoft Teams website on a tablet. Teams is a unified team communication and collaboration platform with workplace chat, video meetings, and file storage.

Check Point researchers found that attackers were exploiting flaws in the Microsoft Teams messaging application that let the bad actors impersonate executives, manipulate messages, and spoof notifications.

Some of the flaws were fixed by Microsoft in August 2024 in CVE-2024-38197, with other patches rolled out in September 2024 and last month.

But with more than 320 million monthly active users, Microsoft Teams has become a major attack vector for both nation-state and financially motivated cybercriminals — and the pace of attacks has stepped up of late.

In a Nov. 4 blog post, Check Point researchers said Microsoft Teams vulnerabilities are not isolated, they represent a larger trend: attackers exploiting the assumptions users make when communicating through familiar, trusted channels.

In one example explained by the Check Point researchers, by reusing unique identifiers in the Teams messaging system, attackers could alter the content of previously sent messages — without triggering the standard “Edited” label. This made it possible for attackers to modify sensitive conversations after the fact, eroding confidence in records and decisions.

The attackers could also spoof notifications, making it seem that a notification field on an alert was coming from a trusted executive or colleague as opposed to a hacker.

"These Microsoft Teams vulnerabilities show how social engineering can exploit human trust to make targets click malicious links, gain remote access, install rogue apps or share sensitive information,” said Mike Malone, founder and CEO at Smallstep. “When attackers can make a message appear to come from a trusted executive or IT admin, people are likely to act before they stop to verify. To better secure Teams, organizations need to move beyond user credentials and adopt device identity: verifying not just who’s signing in, but what device they're using and whether it’s trusted.”

Darren Guccione, co-founder and CEO at Keeper Security, added that cybercriminals are finding new ways to exploit trusted social collaboration platforms like Microsoft Teams, using compromised or newly created tenants to send phishing emails that appear legitimate.

“Employees should also be trained to recognize suspicious billing emails and avoid engaging with unverified support contacts,” said Guccione. “Using a password manager helps prevent credential reuse, which limits the damage if an account is compromised. As phishing tactics continue to evolve, businesses must stay ahead by combining strong authentication, security monitoring, and user awareness training.”

You can skip this ad in 5 seconds