Hackers Can Exploit Microsoft Teams Vulnerabilities To Manipulate...

Critical vulnerabilities in Microsoft Teams, a platform central to workplace communication for over 320 million users worldwide, enable attackers to impersonate executives and tamper with messages undetected.

These vulnerabilities, now patched by Microsoft, allowed both external guests and insiders to spoof identities in chats, notifications, and calls, potentially leading to fraud, malware distribution, and misinformation.

Check Point disclosed the issue to Microsoft responsibly in March 2024. The issues highlight how trust in collaboration tools can be weaponized by sophisticated threat actors targeting remote work infrastructure.

Launched in 2017 as part of Microsoft 365, Teams integrates chat, video calls, file sharing, and apps, making it indispensable for businesses from startups to Fortune 500 companies.

Check Point’s investigation focused on the web version’s JSON-based architecture, where messages include parameters like content, messagetype, clientmessageid, and imdisplayname.

Attackers exploited these to edit messages without the “Edited” label by reusing clientmessageids, effectively rewriting history without traces.

Notifications could be manipulated by altering imdisplayname, making alerts appear from high-level executives like CEOs, exploiting users’ instinctive trust in urgent pings.

In private chats, modifying conversation topics via a PUT endpoint changed display names, misleading participants about the sender’s identity, as shown in before-and-after screenshots of altered interfaces.

Call initiations via POST /api/v2/epconv allowed forging displayName in participant sections, spoofing caller identities during audio or video sessions.

One flaw, notification spoofing, was tracked as CVE-2024-38197, a medium-severity issue (CVSS 6.5) affecting iOS versions up to 6.19.2, where sender fields lacked proper validation.​