
Key Takeaways

  • Vulnerability: Attackers can rewrite past chat messages and spoof call notifications to impersonate colleagues.
  • Risk: Undermines audit trails and enables CEO fraud/social engineering.
  • Remediation: Patched by Microsoft as of October 2025; organisations must verify all clients are updated.

Security researchers have uncovered several serious vulnerabilities in Microsoft Teams that could allow attackers to impersonate colleagues, rewrite chat messages, and spoof call notifications without detection. These flaws threaten the integrity and trustworthiness of communications within one of the world’s most widely used collaboration platforms.

How does the chat message tampering work?

The first major issue involves the ability to tamper with chat messages. MS Teams assigns a unique identifier to each message, but researchers found that attackers could reuse these identifiers to overwrite earlier messages. This allowed them to change the content of previous conversations without triggering the usual “edited” label or creating an audit trail, making it nearly impossible for users to notice that anything had been altered.
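The following is an added example, not code from this article or from the researchers: a defender-side check that compares independently captured snapshots of a chat and flags any message identifier whose body changed without an edit marker. The journal format and its field names (`taken`, `msg_id`, `sender`, `body`, `edited`) are assumptions, and the sample records are constructed.

```python
import hashlib
from collections import defaultdict

# Constructed journal records. The field names are hypothetical and do not
# reflect any Teams API or export schema.
JOURNAL = [
    {"taken": "2025-01-10T09:00:00Z", "msg_id": "1001", "sender": "alice",
     "body": "Invoice 4417 approved for 2,000 GBP.", "edited": False},
    {"taken": "2025-01-10T09:00:00Z", "msg_id": "1002", "sender": "bob",
     "body": "Thanks, will process.", "edited": False},
    {"taken": "2025-01-10T12:00:00Z", "msg_id": "1001", "sender": "alice",
     "body": "Invoice 4417 approved for 20,000 GBP.", "edited": False},
    {"taken": "2025-01-10T12:00:00Z", "msg_id": "1002", "sender": "bob",
     "body": "Thanks, will process today.", "edited": True},
]


def digest(text):
    """Stable fingerprint of a message body, so bodies need not be retained."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def find_silent_rewrites(journal):
    """Return findings for message ids whose content changed between
    snapshots while the later copy carries no edit marker, or whose
    sender changed at all."""
    by_id = defaultdict(list)
    for rec in journal:
        by_id[rec["msg_id"]].append(rec)

    findings = []
    for msg_id, recs in sorted(by_id.items()):
        recs.sort(key=lambda r: r["taken"])  # ISO 8601 UTC sorts lexically
        for prev, cur in zip(recs, recs[1:]):
            if prev["sender"] != cur["sender"]:
                findings.append((msg_id, "sender_changed", cur["taken"]))
            if digest(prev["body"]) != digest(cur["body"]) and not cur["edited"]:
                findings.append((msg_id, "silent_rewrite", cur["taken"]))
    return findings


if __name__ == "__main__":
    for finding in find_silent_rewrites(JOURNAL):
        print(finding)
```

The check only works if the journal is captured and stored outside the chat client. A message that already carries an edit marker can be changed again without this comparison noticing.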

Can attackers forge identities in Teams?

Yes, a specific set of vulnerabilities enabled attackers to forge identities. By manipulating the way Teams displays sender names and call notifications, cybercriminals could make messages and calls appear as if they were coming from trusted individuals such as executives or colleagues.

This flaw created a significant opportunity for social engineering attacks. For example, a threat actor could impersonate a CEO and request sensitive information, financial transfers, or access to internal resources.

The vulnerabilities were not limited to text-based communication. Attackers could also spoof caller identities during voice or video calls, further eroding trust in the platform’s integrity. The ability to rename identities within chats further amplified risk, as users could be misled into thinking they were interacting with legitimate team members.

What are the risks to organisations?

These flaws pose severe risks to organisations across all sectors. Many companies rely on Microsoft Teams to discuss confidential matters or share documents involving financial instructions, strategic decisions, or regulated data. If attackers can manipulate messages and identities without leaving evidence, it becomes extremely difficult for companies to conduct incident investigations, perform audits, or verify the authenticity of past communications.

When were the patches released?

Microsoft was initially informed of these issues by Check Point Research in March 2024. Over the following months, the company began releasing patches, with full remediation completed by late October 2025. Although updates are deployed automatically, organisations are advised to verify that all clients - including older or unmanaged installations - are fully patched to avoid lingering exposure.

This incident underscores a broader concern regarding digital communication platforms: trust indicators such as usernames, message labels, or call notifications are not always reliable. As a result, security experts recommend adopting additional layers of verification, implementing stricter audit controls, and applying principles of zero-trust communication. 
