Microsoft Teams Flaws Allowed Attackers to Fake Identities, Rewrite Chats

Microsoft Teams, the communication platform used by hundreds of millions worldwide, has been found to contain serious security vulnerabilities that could have let attackers impersonate executives, alter chat histories, and fake notifications. The findings come from Check Point Research, which examined how both external guests and malicious insiders could exploit Teams’ trust-based design.

MS Teams, which has become more than a chat app for many organisations, is where decisions are made, approvals are shared, and sensitive files are exchanged. According to Check Point’s analysis, attackers could tamper with conversations in ways that left almost no trace, making it difficult for users to spot manipulation after the fact.

One vulnerability allowed messages to be edited without displaying the usual “Edited” tag. This was possible if a threat actor reused unique identifiers within the Teams messaging system to rewrite earlier messages, altering the context of a discussion or even changing key details in a business exchange. Another issue enabled attackers to spoof notifications, making alerts appear as if they were sent by trusted executives or colleagues.

Researchers also discovered that an attacker could modify how names appeared in private chats by exploiting how Teams labels conversation topics. Both participants would see the altered name, creating confusion or leading one party to believe they were chatting with someone else. Even more concerning, the display name in call notifications could be forged, allowing attackers to pose as anyone during a voice or video call.

Fake CEO and altering display names (Image via CPR)

Microsoft addressed the issues after receiving Check Point’s disclosure in March 2024. The flaws were tracked as CVE-2024-38197, with patches rolled out over several months and final fixes completed in late October 2025. Users do not need to take action since the updates were applied automatically.

While these flaws have been fixed, collaboration tools have become prime targets for attackers. If a notification or display name can be altered, or if someone can pose as another person to join calls, the consequences go far beyond trust issues.

Such breaches can lead to serious financial losses, as seen recently when North Korean operatives were caught on video using AI filters to pose as Mexican engineers while applying for jobs at Western companies.