Microsoft Patches Teams Vulnerabilities That Enabled Executive Impersonation

Four security flaws allowed message manipulation and caller ID spoofing; all issues resolved after responsible disclosure
Four security flaws in Microsoft Teams that allowed attackers to impersonate executives, manipulate messages, and forge identities in video calls have been patched. Disclosed by Check Point Research, the flaws, which affected the platform’s 320+ million monthly users, were fully fixed following responsible disclosure in March 2024.

The vulnerabilities undermined the trust mechanisms that organizations depend on for secure communication. Both external guest users and malicious insiders could exploit the flaws to appear as trusted personnel including executives, a critical breakdown in a platform that has become essential business infrastructure.

Four Key Attack Vectors

Check Point discovered multiple ways to manipulate Teams’ trust indicators:

  • Message Editing Without Trace: Researchers found a method to alter sent messages without the typical “Edited” label appearing, making changes appear as part of the original message.
  • Notification Spoofing: By manipulating specific parameters, attackers could make message notifications appear to come from different senders, such as the CEO or CFO. This exploited the natural trust and urgency users associate with executive communications.
  • Private Chat Name Manipulation: Attackers could change how private conversations appeared to both participants by modifying conversation topics through an API endpoint, potentially misleading users about who they were communicating with.
  • Call Identity Forgery: The display name in video and audio call notifications could be arbitrarily changed, allowing attackers to present any chosen identity to call recipients.

Attack Scenarios and Real-World Risks

The vulnerabilities enabled several concerning scenarios aligned with sophisticated threat actor techniques:

  • Wire transfer fraud through executive impersonation
  • Malware delivery via spoofed notifications from trusted sources
  • Credential harvesting by impersonating IT staff
  • Misinformation campaigns using false message histories
  • Disruption of sensitive briefings through identity forgery

Check Point noted these attack vectors mirror tactics used by advanced persistent threat (APT) groups increasingly targeting collaboration platforms as part of espionage and data exfiltration campaigns.

CVE-2024-38197 and Related Issues

Microsoft officially tracked one of the vulnerabilities as CVE-2024-38197, a medium-severity spoofing issue. The company had previously noted that earlier Teams client versions didn’t properly validate message sender fields in limited cases.

The research expanded on this by demonstrating more impactful exploitation paths, showing how malicious bots or webhooks could craft payloads with falsified attributes that rendered convincingly within the Teams interface.
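The four trust-indicator failures listed above (missing “Edited” marker, spoofed notification sender, manipulated chat topic, forged call display name) all come down to the client rendering an attribute that was never cross-checked against authenticated state. The following is an added example, not code from the article or from Check Point or Microsoft, showing the consistency checks a defender could run over exported chat and call records. The record shape, the `DIRECTORY` mapping, and the sample records are all constructed for illustration and do not reflect the Teams or Microsoft Graph schema.

```python
"""Audit checks for rendered trust indicators versus authenticated identity.

Constructed, simplified records; NOT the Teams/Graph API schema. The idea is
that a display name, chat topic, or missing Edited marker is only trustworthy
when it agrees with the server-side sender identity and content history.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical tenant directory: authenticated user id -> canonical display name.
DIRECTORY: Dict[str, str] = {
    "u-1001": "Dana Ruiz",      # an executive (constructed name)
    "u-2042": "Sam Okafor",
    "guest-77": "Guest User",   # external guest
}


@dataclass
class Record:
    rec_id: str
    kind: str                   # "message" or "call" (constructed field)
    sender_id: str              # authenticated identity, set server-side
    display_name: str           # name the client rendered in the notification
    content_versions: List[str] = field(default_factory=list)  # body history, oldest first
    edited_label_shown: bool = False   # whether the client shows the Edited marker
    topic: Optional[str] = None        # private-chat topic as rendered to participants


def check_edit_trace(rec: Record) -> Optional[str]:
    """Flag a message whose body changed without the Edited marker being shown."""
    if rec.kind == "message" and len(set(rec.content_versions)) > 1 and not rec.edited_label_shown:
        return f"body changed across {len(rec.content_versions)} versions but no Edited marker"
    return None


def check_sender_display(rec: Record) -> Optional[str]:
    """Flag a rendered display name that disagrees with the authenticated sender.

    The same check covers message notifications and call notifications, since
    both render a name that should be derived from the sender id, not supplied.
    """
    expected = DIRECTORY.get(rec.sender_id)
    if expected is None:
        return f"unknown sender id {rec.sender_id}"
    if rec.display_name != expected:
        return f"display name {rec.display_name!r} does not match authenticated {expected!r}"
    return None


def check_topic_impersonation(rec: Record) -> Optional[str]:
    """Flag a private-chat topic that names a directory user other than the sender."""
    if not rec.topic:
        return None
    for uid, name in DIRECTORY.items():
        if name in rec.topic and uid != rec.sender_id:
            return f"topic {rec.topic!r} names {name!r} but sender is {rec.sender_id}"
    return None


def audit(records: List[Record]) -> Dict[str, List[str]]:
    """Run every check; return {rec_id: [findings]} for records with at least one finding."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        findings = [f for f in (check_edit_trace(rec),
                                check_sender_display(rec),
                                check_topic_impersonation(rec)) if f]
        if findings:
            report[rec.rec_id] = findings
    return report


# Constructed sample records covering a clean case plus each failure mode.
SAMPLE: List[Record] = [
    Record("m1", "message", "u-2042", "Sam Okafor", ["Lunch at noon?"]),
    Record("m2", "message", "u-2042", "Sam Okafor",
           ["Pay to account A", "Pay to account B"], edited_label_shown=False),
    Record("m3", "message", "guest-77", "Dana Ruiz", ["Please wire the funds today."]),
    Record("m4", "message", "guest-77", "Guest User", ["Hello"], topic="Dana Ruiz"),
    Record("m5", "call", "guest-77", "Dana Ruiz"),
    Record("m6", "message", "u-2042", "Sam Okafor", ["Typo", "Typo fixed"], edited_label_shown=True),
]

if __name__ == "__main__":
    for rec_id, findings in audit(SAMPLE).items():
        print(rec_id, "->", "; ".join(findings))
```

Running the block prints one line per flagged record (m2 through m5) and stays silent for m1 and m6. The point is the design, not the sample: every indicator the user relies on is re-derived from server-held identity and history, which is also why Microsoft could resolve these issues server-side without a client update.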

All fixes were deployed server-side, requiring no action from users or administrators. Microsoft confirmed all reported issues have been resolved.

Collaboration platforms are high-value targets for sophisticated threat actors. As remote work infrastructure becomes more common in essential business operations and hackers increasingly focus on exploiting trust in familiar communication tools, collaboration platforms require security scrutiny equivalent to any other critical business system.

Check Point’s full research report, including the disclosure timeline, is available from Check Point Research.
