Thursday, November 6, 2025

Cybersecurity researchers have disclosed four vulnerabilities in Microsoft Teams that could allow attackers to impersonate coworkers, edit messages without leaving a trace, and trick victims into believing that messages come from executives or other trusted individuals. The issues were reported to Microsoft in March 2024; a partial fix shipped in August 2024 under CVE-2024-38197, followed by additional patches in September 2024 and October 2025.
Taken together, the flaws let an attacker modify the content of an already-sent message without the client showing the "Edited" label, alter notifications so that they display a different sender name, and make a message appear to originate from someone inside the organization, such as a senior executive or IT staff. A victim who trusts the displayed identity may click a malicious link or disclose sensitive information. Attackers could also spoof the caller name shown during voice or video calls, change the title of a private chat so that the other participant appears under a different name, and generate fake notifications during calls to convince targets that they are talking to a legitimate person.
Microsoft classified CVE-2024-38197 as a medium-severity (CVSS 6.5) spoofing vulnerability in Teams for iOS: an attacker can change the sender name displayed for a message, which facilitates social engineering aimed at extracting personal or corporate information.
The researchers warn that these weaknesses undermine trust in a platform used by more than 320 million people worldwide. Because the sender name, notification text, and chat title rendered by the client were all attacker-influenced, they recommend that organizations verify message authenticity, notifications, and user identities within internal communication systems rather than relying on what the client displays, in order to prevent social engineering attacks.
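The checks recommended above can be made concrete. The following is an added example, not code from the original article or from the researchers: it audits a constructed log of chat events for the four symptoms described (a rendered sender name that does not match the directory entry for the authenticated sender, a one-on-one chat whose title borrows another internal user's name, an external sender presenting an internal user's name, and a message whose body changes without the edit flag being set). The record layout, the `DIRECTORY` mapping, and the sample events are assumptions for this example; they are not the real Microsoft Teams message schema or Graph API output.

```python
"""Consistency checks over a constructed chat-message log.

Assumption: each event carries the platform-authenticated sender identity
separately from the display name the client would render. The schema and
sample data below are invented for this example, not Teams' real format.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed directory: authenticated identity -> the name clients should render.
DIRECTORY = {
    "user:alice@corp.example": "Alice Nguyen (CEO)",
    "user:bob@corp.example": "Bob Ortiz",
    "user:mallory@corp.example": "Mallory Vance",
}


@dataclass(frozen=True)
class MessageEvent:
    msg_id: str
    sender_id: str            # identity asserted by the platform
    display_name: str         # name the client would show (attacker-influenced)
    body: str
    edited_flag: bool = False  # whether the client would render "Edited"
    chat_title: Optional[str] = None  # one-on-one chat title shown as the peer's name


def body_digest(body: str) -> str:
    """Hash the body so silent edits can be detected across repeated sightings."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def audit(events: List[MessageEvent]) -> List[Dict[str, str]]:
    """Return one finding per detected inconsistency, in event order."""
    findings: List[Dict[str, str]] = []
    last_digest: Dict[str, str] = {}  # msg_id -> digest of the last body seen
    internal_names = {name: uid for uid, name in DIRECTORY.items()}

    for ev in events:
        canonical = DIRECTORY.get(ev.sender_id)

        if canonical is None:
            # Sender is not in the directory; flag it if it borrows an internal name.
            if ev.display_name in internal_names:
                findings.append({"msg_id": ev.msg_id, "type": "external_impersonation",
                                 "detail": f"{ev.sender_id} presents as {ev.display_name!r}"})
        elif ev.display_name != canonical:
            # Rendered name disagrees with the authenticated identity.
            findings.append({"msg_id": ev.msg_id, "type": "sender_name_mismatch",
                             "detail": f"{ev.sender_id} rendered as {ev.display_name!r}"})

        # A private-chat title that equals another internal user's name would be
        # shown as the peer's name, so treat it as impersonation.
        if ev.chat_title is not None and ev.chat_title in internal_names \
                and ev.chat_title != canonical:
            findings.append({"msg_id": ev.msg_id, "type": "chat_title_impersonation",
                             "detail": f"chat titled {ev.chat_title!r} by {ev.sender_id}"})

        # Same message id, different body, no edit marker: a silent edit.
        digest = body_digest(ev.body)
        previous = last_digest.get(ev.msg_id)
        if previous is not None and previous != digest and not ev.edited_flag:
            findings.append({"msg_id": ev.msg_id, "type": "silent_edit",
                             "detail": "body changed without the edited flag"})
        last_digest[ev.msg_id] = digest

    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings by type."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts


# Constructed sample events (not real traffic).
EVENTS = [
    MessageEvent("m1", "user:alice@corp.example", "Alice Nguyen (CEO)", "Board deck attached."),
    MessageEvent("m2", "user:mallory@corp.example", "Alice Nguyen (CEO)", "Need the Q3 figures now."),
    MessageEvent("m3", "user:bob@corp.example", "Bob Ortiz", "Please approve the vendor payment."),
    MessageEvent("m3", "user:bob@corp.example", "Bob Ortiz",
                 "Please approve the vendor payment to account 4471.", edited_flag=False),
    MessageEvent("m4", "user:mallory@corp.example", "Mallory Vance", "Quick question.",
                 chat_title="Alice Nguyen (CEO)"),
    MessageEvent("m5", "user:outsider@mail.example", "Bob Ortiz", "Reset your password here."),
    # Legitimate edit: body changes and the client would render "Edited".
    MessageEvent("m3", "user:bob@corp.example", "Bob Ortiz",
                 "Please approve the vendor payment (invoice attached).", edited_flag=True),
]

if __name__ == "__main__":
    for finding in audit(EVENTS):
        print(finding["msg_id"], finding["type"], "-", finding["detail"])
```

The point of the example is the separation of concerns: every check compares something the client renders (name, title, body) against something the platform asserts (the authenticated sender, the directory, the previously seen body), which is exactly the distinction an attacker exploits when the client renders attacker-controlled fields as if they were trustworthy.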
Source https://thehackernews.com/2025/11/microsoft-teams-bugs-let-attackers.html
