Invasion of the message body snatchers! Teams flaw allowed crims to impersonate the boss
Summary
Microsoft Teams contained four now-patched vulnerabilities discovered by Check Point that allowed attackers to tamper with chat messages, spoof notifications and calls, rename chats, and overwrite message history without leaving an “Edited” trace. The flaws exploited message identifiers, notification parameters, a hidden conversation topic field and call initiation requests to impersonate executives and fabricate credible interactions.
Check Point demonstrated chained attacks where a guest user could pose as a senior executive, send urgent instructions and follow with a forged video call — a plausible route to financial fraud, credential theft or malware delivery. Microsoft was notified in March 2024 and rolled out fixes through 2024, completing the final patch for the caller identity issue in October 2025.
Key Points
- Four Teams flaws allowed silent message overwrites, spoofed notifications, chat renaming and forged caller IDs.
- Attackers could remove the audit trail by reusing message IDs, effectively rewriting chat history without an “Edited” marker.
- Spoofed alerts and forged calls could be made to appear from senior executives, increasing the risk of targeted fraud.
- Check Point disclosed the issues in March 2024; Microsoft issued patches across 2024 and finalised fixes in October 2025.
- Organisations should treat collaboration platforms as high-value attack surfaces and adopt layered defences like zero-trust, DLP and anomaly detection.
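
The message-ID reuse and missing “Edited” marker described in the key points translate into an anomaly check a defender can run over archived chat records. This is an added example, not code from Check Point or Microsoft; the record fields (`chat_id`, `message_id`, `sender`, `body`, `edited`, `ts`), the helper names and the sample data are constructed assumptions about a hypothetical archive export, not a Teams schema:

```python
import hashlib

# Constructed records from a hypothetical message-archive export. The field
# names are assumptions for this example, not a Microsoft Teams schema.
def make_event(ts, chat, mid, sender, body, edited=False):
    return {"ts": ts, "chat_id": chat, "message_id": mid,
            "sender": sender, "body": body, "edited": edited}

SAMPLE_EVENTS = [
    make_event("2024-03-01T09:00:00Z", "c1", "m100", "guest@example.test", "Lunch at noon?"),
    make_event("2024-03-01T09:05:00Z", "c1", "m100", "guest@example.test", "Lunch at 1pm?", edited=True),
    make_event("2024-03-01T10:00:00Z", "c1", "m200", "guest@example.test", "Please review the Q1 report."),
    make_event("2024-03-01T10:30:00Z", "c1", "m200", "guest@example.test", "Urgent: call me now."),
    make_event("2024-03-01T10:31:00Z", "c2", "m200", "bob@example.test", "Morning all"),
    make_event("2024-03-01T11:00:00Z", "c1", "m300", "alice@example.test", "Approved."),
    make_event("2024-03-01T11:00:05Z", "c1", "m300", "alice@example.test", "Approved."),
    make_event("2024-03-01T12:00:00Z", "c1", "m400", "alice@example.test", "See you there"),
    make_event("2024-03-01T12:10:00Z", "c1", "m400", "guest@example.test", "See you there"),
]

def find_id_reuse(events):
    """Flag message IDs whose body or sender changed without an edit marker."""
    latest = {}      # (chat_id, message_id) -> (body digest, sender)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["chat_id"], ev["message_id"])
        state = (hashlib.sha256(ev["body"].encode("utf-8")).hexdigest(), ev["sender"])
        prev = latest.get(key)
        if prev is None or prev == state:
            latest[key] = state          # first sighting or duplicate delivery
            continue
        if prev[1] != ev["sender"]:
            reason = "sender_changed"    # an ID should never switch author
        elif not ev["edited"]:
            reason = "silent_overwrite"  # new body, no edit marker
        else:
            reason = None                # ordinary, visibly marked edit
        if reason:
            findings.append({"chat_id": key[0], "message_id": key[1],
                             "reason": reason, "ts": ev["ts"]})
        latest[key] = state
    return findings

if __name__ == "__main__":
    for finding in find_id_reuse(SAMPLE_EVENTS):
        print(finding)
```

The check only works against a record store the chat client cannot rewrite, since the point of the flaw was that the visible history carried no trace of the change.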
Context and relevance
With more than 320 million monthly Teams users, these vulnerabilities undermine the basic trust on which workplace communication relies. As collaboration tools, workflows and AI assistants blend together, manipulating what people see becomes a powerful attack technique that bypasses traditional perimeter defences. This incident is a timely reminder to secure not just systems but what people believe those systems tell them.
Why should I read this?
Short and blunt: if your organisation uses Teams (which most do), this is the sort of trick that lets crooks pretend to be the boss and trick staff into handing over money or credentials. Read it to understand what went wrong, why the patches matter, and what simple changes — more scepticism around urgent requests, verification steps, and layered controls — you should push for now.
