Microsoft Teams Flaws Let Attackers Rewrite History — What Security Leaders Need to Know

April 18, 2026 Newsletter

Researchers have uncovered a cluster of critical flaws in Microsoft Teams that go beyond run-of-the-mill bugs.

They enable attackers to manipulate messages, spoof identities, and reshape the record inside one of the most widely used collaboration platforms on the planet.

 

With more than 320 million users relying on Teams for daily communication, approvals, and even incident coordination, these weaknesses highlight how collaboration tools have become prime real estate for attackers and a blind spot for many organizations.

 

Research identified four vulnerabilities in Microsoft Teams that, when chained or abused individually, open the door to subtle but high-impact manipulation:

 

Stealth message editing
Attackers could edit existing Teams messages without leaving the “edited” label.

Practical impact: an attacker (external or insider) could change payment instructions, meeting details, or approval messages after the fact while the conversation history still appears trustworthy.

Notification spoofing
Message notifications could be manipulated to appear as if they came from a different sender.

Practical impact: users might trust a popup that looks like it’s from a C-level executive or trusted colleague and act on it without verifying in the main Teams client.

Display-name tampering in private chats
Attackers could change the display name inside private chats, making it look like messages are coming from someone else.

Practical impact: this directly supports business email compromise–style scenarios inside Teams — think fake urgent requests for wire transfers, credentials, or sensitive documents.

Caller identity manipulation in audio/video calls
Flaws also allowed caller identities to be altered in Teams calls.

Practical impact: combined with vishing and deepfake voice/video trends, this becomes a potent channel for social engineering and executive impersonation.

Together, these capabilities move Teams from a passive collaboration tool to an active attack surface where identity, authenticity, and auditability can all be subverted.

 

Why This Matters Now

A few factors make these flaws particularly significant:

Teams is now a system of record


Organizations use Teams not just for chat, but for:

Approvals and sign-offs

Sharing credentials or links to admin portals

Incident coordination and executive decision-making

If an attacker can rewrite or re-label messages, they can reshape the narrative and evidence that auditors, insurers, or incident responders rely on.

BEC and social engineering are booming
The report lands amid a broader wave of business email compromise (BEC), vishing, and social engineering attacks targeting executives, boards, and high-value accounts. Teams gives adversaries another trusted channel to exploit.

 

Insider and external threats converge
The vulnerabilities can be abused by external attackers and malicious insiders. That dual nature amplifies risk, especially in large distributed organizations where internal controls rely on assumed identity integrity within collaboration tools.

 

How Microsoft Responded

Microsoft worked to address the reported issues and rolled out multiple fixes, each adding new logic layers to Teams to close off the manipulation paths.

 

Key points from the remediation timeline:

Microsoft tracked at least one of the issues as CVE-2024-38197, a notification spoofing vulnerability.

 

The company issued guidance on this flaw in 2024.

Additional related flaws were resolved in October 2025, with the most recent fixes focused on audio and video message identity issues.

Hardening Teams required deep platform changes, not just cosmetic patches, underscoring how complex modern collaboration stacks have become.

 

What Security and IT Teams Should Do Next

Even though Microsoft has released fixes, the research is a signal that collaboration platforms must be treated as critical security infrastructure, not just productivity tools.

 

Operational priorities:

Verify patching and update status

 

Ensure all Teams clients and related Microsoft 365 components are current.

 

Confirm your environment is covered for CVE-2024-38197 and the subsequent Teams fixes.

 

Re-evaluate trust in chat-based approvals

 

Avoid relying on a single Teams message as the authoritative source for high-risk actions (payments, access changes, data releases).

 

Enforce secondary verification channels or workflow tools for material business decisions.

 

Update social engineering playbooks

 

Expand training and simulations to include Teams-based impersonation, spoofed notifications, and manipulated chats, not just email phishing.

Teach staff to verify identities inside Teams, especially for unusual or high-urgency requests.

 

Tighten access and logging

 

Monitor for anomalous behavior in Teams: unusual edits, suspicious name changes, or unexpected call patterns.

 

Integrate Teams telemetry into your SIEM and incident response workflows.
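
One way to act on the monitoring advice above, as an added example (not from the original newsletter or from Microsoft): it compares two snapshots of a chat and flags messages whose body changed with no edit marker, plus senders whose shown name does not match the directory. The records are constructed and shaped like Microsoft Graph chatMessage objects; how the snapshots are collected, the directory mapping, and the function names are assumptions.

```python
# Constructed snapshots of one chat, taken at two times (not real data).
T0 = [
    {"id": "1001", "lastEditedDateTime": None,
     "from": {"user": {"id": "u-fin", "displayName": "Dana Lee"}},
     "body": {"content": "Pay invoice 4471 to account ending 1120"}},
    {"id": "1002", "lastEditedDateTime": None,
     "from": {"user": {"id": "u-ops", "displayName": "Sam Ortiz"}},
     "body": {"content": "Review moved to 3pm"}},
]
T1 = [
    # Body changed, no edit marker: the case the "edited" label should expose.
    {"id": "1001", "lastEditedDateTime": None,
     "from": {"user": {"id": "u-fin", "displayName": "Dana Lee"}},
     "body": {"content": "Pay invoice 4471 to account ending 9938"}},
    # Ordinary edit: body changed and the marker moved with it.
    {"id": "1002", "lastEditedDateTime": "2026-04-10T09:15:00Z",
     "from": {"user": {"id": "u-ops", "displayName": "Sam Ortiz"}},
     "body": {"content": "Review moved to 4pm"}},
    # New message whose shown name does not belong to its user id.
    {"id": "1003", "lastEditedDateTime": None,
     "from": {"user": {"id": "u-ops", "displayName": "Dana Lee"}},
     "body": {"content": "Please approve today"}},
]
DIRECTORY = {"u-fin": "Dana Lee", "u-ops": "Sam Ortiz"}  # assumed IdP export

def find_silent_edits(earlier, later):
    """Ids whose body changed between snapshots while lastEditedDateTime did not."""
    before = {m["id"]: m for m in earlier}
    flagged = []
    for msg in later:
        old = before.get(msg["id"])
        if old is None:
            continue  # first sighting, nothing to compare against
        body_changed = old["body"]["content"] != msg["body"]["content"]
        marker_same = old.get("lastEditedDateTime") == msg.get("lastEditedDateTime")
        if body_changed and marker_same:
            flagged.append(msg["id"])
    return flagged

def find_name_mismatches(messages, directory):
    """(id, shown name, directory name) where the sender name differs from the directory."""
    hits = []
    for msg in messages:
        user = msg["from"]["user"]
        expected = directory.get(user["id"])
        if expected is not None and user["displayName"] != expected:
            hits.append((msg["id"], user["displayName"], expected))
    return hits
```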

 

The Bigger Lesson: Collaboration Apps Are the New Attack Frontier

 

This research reinforces a broader pattern: as organizations move decision-making and records of conversation into platforms like Teams, attackers follow the trust.

The flaws uncovered — now patched — show how easily identity signals and message history can be bent in a complex cloud collaboration stack. For security leaders, the takeaway is simple:

 

Treat Teams and similar platforms as high-value, high-risk applications.

 

Design controls, monitoring, and training assuming that messages, names, and notifications can be manipulated.

 

Build business processes that don’t hinge on a single unverified chat message.

 
