Microsoft Teams Flaws Expose Users to Message Spoofing and Impersonation Attacks

What happened

Researchers from Check Point disclosed four security flaws in Microsoft Teams that enabled attackers to impersonate colleagues, edit messages without visible “Edited” labels, and spoof caller identities in chats and meetings. Microsoft patched some of the issues in August 2024 (under CVE-2024-38197) and rolled out further fixes in September 2024 and October 2025.

Who is affected

Any organization using Microsoft Teams, whether for internal users or external guests, is at risk. The flaws allow attackers to modify conversation topics and display names, forge notifications, and make malicious links appear to originate from trusted executives or colleagues.

Why CISOs should care

  • These vulnerabilities attack the core of collaborative trust: the assumption that messages and calls really come from the sender they claim to come from. Exploiting that trust lets attackers bypass many traditional controls.
  • Teams is a high-value target because of its global adoption for chat, calls, and meetings, so this kind of vulnerability creates a new vector for social engineering, credential theft, or data exfiltration.
  • Because the flaws allow message editing without an edit flag and sender spoofing, detection may be delayed and incident response made more difficult. Attackers can use compromised accounts to move laterally or gain higher-privileged access.

3 Practical actions

  1. Ensure full patch deployment: Confirm that your Teams deployments (on all platforms, including mobile) have applied the patches for CVE-2024-38197 and related fixes. Validate versions and build numbers as part of your asset inventory.
  2. Review collaboration platform permissions and guest access: Restrict unnecessary guest or external user access in Teams, tighten chat/call permissions, and enforce conditional access policies for sensitive groups.
  3. Enhance monitoring for anomalous behavior in Teams: Enable logging for edits, display name changes, and call notifications, and monitor for unusual patterns (for example, a message appearing to come from a C-suite executive with a link). Educate users to verify unusual requests via separate channels when in doubt.
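A sketch of the monitoring in action 3, as an added example that is not from Check Point or Microsoft: it flags messages whose display name matches a protected executive but whose account ID does not, notes whether they carry a link, and flags message bodies that change without an edit marker. The event fields (`message_id`, `sender_id`, `display_name`, `body`, `edited`), the directory and all sample values are hypothetical and constructed; map them to whatever your own Teams audit export provides.

```python
import re
import unicodedata

# Constructed directory of protected identities: display name -> stable account ID.
VIP_DIRECTORY = {"Dana Reyes": "aad-0001", "Priya Natarajan": "aad-0002"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def normalize(name):
    """Fold case, Unicode compatibility forms and spacing before comparing names."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())

VIP_BY_NAME = {normalize(n): uid for n, uid in VIP_DIRECTORY.items()}

def flag_events(events):
    """Return [(message_id, [reasons])] for events an analyst should review."""
    first_body = {}  # message_id -> body when first observed
    findings = []
    for ev in events:
        reasons = []
        expected = VIP_BY_NAME.get(normalize(ev["display_name"]))
        # A protected name presented by an account that does not own it.
        if expected is not None and ev["sender_id"] != expected:
            reasons.append("vip_name_id_mismatch")
            if URL_RE.search(ev["body"]):
                reasons.append("contains_link")
        # Body differs from the first observation, yet no edit marker came with it.
        seen = first_body.setdefault(ev["message_id"], ev["body"])
        if seen != ev["body"] and not ev["edited"]:
            reasons.append("silent_edit")
        if reasons:
            findings.append((ev["message_id"], reasons))
    return findings

# Constructed sample events (hypothetical schema, not a Microsoft log format).
SAMPLE_EVENTS = [
    {"message_id": "m1", "sender_id": "aad-0001", "display_name": "Dana Reyes",
     "body": "Quarterly numbers are in the usual folder.", "edited": False},
    {"message_id": "m2", "sender_id": "guest-7781", "display_name": "dana  reyes",
     "body": "Urgent: sign in at https://example.test/login", "edited": False},
    {"message_id": "m3", "sender_id": "aad-0103", "display_name": "Sam Ortiz",
     "body": "Lunch at 12?", "edited": False},
    {"message_id": "m3", "sender_id": "aad-0103", "display_name": "Sam Ortiz",
     "body": "Lunch at 12? Form: https://example.test/f", "edited": False},
    {"message_id": "m4", "sender_id": "aad-0002", "display_name": "Priya Natarajan",
     "body": "Agenda: https://example.test/doc", "edited": False},
]

if __name__ == "__main__":
    for message_id, reasons in flag_events(SAMPLE_EVENTS):
        print(message_id, ",".join(reasons))
```

Matching on a stable account ID rather than the display name is the point of the first check, since the display name is the field the disclosed flaws let an attacker alter.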