
"In a nutshell, these shortcomings make it possible to alter message content without leaving the "Edited" label and sender identity and modify incoming notifications to change the apparent sender of the message, thereby allowing an attacker to trick victims into opening malicious messages by making them appear as if they are coming from a trusted source, including high-profile C-suite executives."
"On top of that, the flaws also made it possible to change the display names in private chat conversations by modifying the conversation topic, as well as arbitrarily modify display names used in call notifications and during the call, permitting an attacker to forge caller identities in the process. "Together, these vulnerabilities show how attackers can erode the fundamental trust that makes collaboration workspace tools effective, turning Teams from a business enabler into a vector for deception," the cybersecurity company said."
Cybersecurity researchers disclosed four Microsoft Teams security flaws that enabled conversation manipulation, sender impersonation, and notification spoofing. The vulnerabilities permitted altering message content without leaving visible edit indicators, changing sender identity in notifications, and modifying display names in private chats and call notifications. Both external guest users and internal malicious actors could exploit these issues to trick targets into opening malicious links or sharing sensitive data. Responsible disclosure occurred in March 2024, and Microsoft addressed some issues under CVE-2024-38197 in August 2024, with additional patches released in September 2024 and October 2025.
Read at The Hacker News