Skip to content

Exploiting Microsoft Teams Impersonation and Spoofing Vulner... #1552

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Exploiting Microsoft Teams Impersonation and Spoofing Vulner... #1552

wants to merge 1 commit into from
+129 −2

Conversation

@carlospolop
Copy link
Collaborator

@carlospolop carlospolop commented Nov 4, 2025

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Post focus
Check Point Research dissected four Microsoft Teams impersonation/spoofing vulnerabilities that let external guests or malicious insiders manipulate trust signals across chats, notifications, and calls. Microsoft addressed all issues by October 2025; the notification-spoofing bug is tracked as CVE-2024-38197 (initially noted in Teams for iOS). Impact spans executive impersonation, BEC-style fraud, malware delivery, misinformation, privacy breaches, and disruption of ...

🔧 Technical Details

Unlabeled message edits by reusing clientmessageid: If a chat system correlates messages by a client-supplied ID, send a new message reusing the original clientmessageid (e.g., 2711247313308716623) with different content. The UI may render the replacement without an "Edited" marker. Use response metadata like OriginalArrivalTime to reference or time-align edits.

Notification impersonation via display-name fields: Where notifications render a sender string sourced from payload fields (e.g., imdisplayname or similar "from" attributes), set it to a high-trust identity (e.g., “CEO”). Clients that don’t canonicalize/validate this will show a forged sender, driving high click-through and compliance (CVE-2024-38197).

1:1 chat relabeling by abusing group-topic endpoints: If a platform exposes a thread-topic property endpoint for group chats (e.g., PUT .../threads/<ConversationID>/pr...

🤖 Agent Actions

I analyzed the blog and HackTricks repo, searched for existing content on Microsoft Teams/message-based phishing techniques, and confirmed there was no dedicated coverage. I created a new concise, highly technical page under Phishing Methodology and linked it from the Phishing Methodology README.

What I added/changed:

  • New page: src/generic-methodologies-and-resources/phishing-methodology/microsoft-teams-impersonation-spoofing.md

    • Covers four techniques with precise fields/endpoints and example payloads:
      • Unlabeled edits via clientmessageid reuse
      • Notification sender spoofing (CVE-2024-38197) via imdisplayname
      • 1:1 chat relabeling via topic API (PUT /api/chatsvc/.../properties?name=topic)
      • Caller ID spoofing in calls via POST /api/v2/epconv using participants[].displayName
    • Includes identifiers and message parameters (content, messagetype, clientmessageid, imdisplayname, OriginalArrivalTime; user IDs like 8:orgid:...)
    • Detection ideas and concise defensive guidance
    • References section with the Check Point blog URL
    • Proper HackTricks banner includes

  • Linked the new page from Phishing Methodology README:

    • Added a “Messaging / Collaboration Platforms” section with a {{#ref}} link to the new page in:
      src/generic-methodologies-and-resources/phishing-methodology/README.md

No other sections were modified and no redundant content was added.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 908
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).

@carlospolop
Copy link
Collaborator Author

carlospolop commented Nov 4, 2025

🔗 Additional Context

Original Blog Post: https://research.checkpoint.com/2025/microsoft-teams-impersonation-and-spoofing-vulnerabilities-exposed/

Content Categories: Based on the analysis, this content was categorized under "Phishing Methodology > Messaging/Collaboration Platforms > Microsoft Teams Impersonation & Notification Spoofing (CVE-2024-38197)".

Repository Maintenance:

  • MD Files Formatting: 908 files processed (1 files fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@carlospolop