Skip to content

Exploiting Microsoft Teams Impersonation and Spoofing Vulner... #1552

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Exploiting Microsoft Teams Impersonation and Spoofing Vulner... #1552

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/SUMMARY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@
- [Detecting Phishing](generic-methodologies-and-resources/phishing-methodology/detecting-phising.md)
- [Discord Invite Hijacking](generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md)
- [Homograph Attacks](generic-methodologies-and-resources/phishing-methodology/homograph-attacks.md)
- [Microsoft Teams Impersonation Spoofing](generic-methodologies-and-resources/phishing-methodology/microsoft-teams-impersonation-spoofing.md)
- [Mobile Phishing Malicious Apps](generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md)
- [Phishing Files & Documents](generic-methodologies-and-resources/phishing-methodology/phishing-documents.md)
- [Basic Forensic Methodology](generic-methodologies-and-resources/basic-forensic-methodology/README.md)
Expand Down
8 changes: 8 additions & 0 deletions src/generic-methodologies-and-resources/phishing-methodology/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -616,6 +616,14 @@ Defence tips:
- Execute crawlers with mobile‑like fingerprints and JS enabled to reveal gated content.
- Alert on suspicious 500 responses following `POST /detect` on newly registered domains.

## Messaging / Collaboration Platforms

- Microsoft Teams: impersonation/spoofing primitives (notification sender spoofing, chat/call display-name tampering, unlabeled edits)

{{#ref}}
microsoft-teams-impersonation-spoofing.md
{{#endref}}

## References

- [https://zeltser.com/domain-name-variations-in-phishing/](https://zeltser.com/domain-name-variations-in-phishing/)
Expand Down
115 changes: 115 additions & 0 deletions ...es-and-resources/phishing-methodology/microsoft-teams-impersonation-spoofing.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,115 @@
# Microsoft Teams Impersonation & Notification Spoofing (CVE-2024-38197)

{{#include ../../banners/hacktricks-training.md}}

Abusing client-controlled fields in Microsoft Teams messages and call setup allowed convincing identity spoofing and stealth message history manipulation across clients (now patched by Microsoft). These primitives are highly relevant for social engineering, BEC, and real-time voice/video impersonation scenarios.

Note: Microsoft fixed all issues disclosed by Check Point Research by Oct 2025. The notification sender spoofing was tracked as CVE-2024-38197.

## Scope, IDs and Relevant Fields
- User identifiers (examples): `8:orgid:<UUID>` discovered when enumerating conversations/messages.
- Message send body commonly includes:
- `content` (HTML-wrapped message body)
- `messagetype` (e.g., `"RichText/Html"`)
- `clientmessageid` (client-generated unique ID)
- `imdisplayname` (sender display name rendered by some clients/notifications)
- Server response provides `OriginalArrivalTime` (Unix ms), used by clients for edit/delete/quote alignment.

## 1) Edit Without “Edited” Label via clientmessageid Reuse
Some clients correlate the rendered message to the `clientmessageid`. Re-sending a message reusing the original `clientmessageid` would display the new content as if it were the original, omitting the “Edited” marker.

Example sequence (conceptual):
```json
// Initial send
{
"content": "<div>Quarter numbers draft</div>",
"messagetype": "RichText/Html",
"clientmessageid": "2711247313308716623",
"imdisplayname": "Alice"
}
// Response includes
// OriginalArrivalTime = 1709414616944

// Replacement send (reusing clientmessageid)
{
"content": "<div>Final numbers approved</div>",
"messagetype": "RichText/Html",
"clientmessageid": "2711247313308716623",
"imdisplayname": "Alice"
}
```
Effect: Recipients see the updated text without any “Edited” badge, enabling stealthy history manipulation.

Detection ideas:
- Two distinct sends sharing the same `clientmessageid`.
- Discrepancy between `OriginalArrivalTime` ordering and rendered content sequence.

## 2) Notification Sender Spoofing (CVE-2024-38197)
Earlier Teams clients rendered notification sender strings from a client-supplied field (e.g., `imdisplayname`) without sufficient canonicalization/validation. Bots/webhooks could forge the sender shown in toast/lock‑screen notifications.

Concept payload:
```json
{
"content": "<div>Urgent: approve the transfer now</div>",
"messagetype": "RichText/Html",
"clientmessageid": "<new-guid>",
"imdisplayname": "CEO - John Smith"
}
```
Impact: Highly convincing spoof of trusted identities in notifications, driving immediate user action. Fixed by Microsoft; tracked as CVE-2024-38197.

Detection ideas:
- Notification events where the displayed sender differs from the canonical directory identity (UPN/objectID).
- Inbound messages from external/bot contexts carrying unexpected `imdisplayname` patterns (role/exec names).

## 3) 1:1 Chat Display-Name Tampering via Topic API
Teams exposes a "topic" property setter for group chats. Mis-scoping allowed altering the visible name of a 1:1 chat using the same endpoint, misleading participants about the conversation context/peer.

Endpoint abused:
```
PUT /api/chatsvc/emea/v1/threads/`<ConversationID>`/properties?name=topic
```
Effect: Private chat appears relabelled (e.g., "Finance - Approvals"), eroding identity/context assurances.

Detection ideas:
- Property changes to 1:1 threads using the group-topic endpoint.
- Sudden 1:1 thread rename events not initiated by the tenant’s client versions expected to enforce scope.

## 4) Caller Identity Spoofing in Audio/Video Calls
During call setup, the client posts to an endpoint where the incoming-call UI renders `participants[].displayName`. Setting an arbitrary displayName forged the identity shown in ringing/in-call views.

Call setup (conceptual):
```
POST /api/v2/epconv
```
Payload excerpt:
```json
{
"participants": [
{ "id": "8:orgid:37f85325...", "displayName": "CEO John Smith" }
],
"modalities": ["audio", "video"]
}
```
Effect: Targets see an incoming call labelled as a chosen identity, enabling real-time voice/video impersonation.

Detection ideas:
- Compare displayed caller name vs. authoritative directory attributes associated with the participant `id`.
- Alert on call invites from external/guest contexts that inject privileged-looking display names.

## Operator Notes (Prereqs & TTPs)
- Actor must be able to message/call within the target tenant (guest access or insider).
- Useful data points: `clientmessageid`, `imdisplayname`, `OriginalArrivalTime`, user IDs like `8:orgid:...`.
- Even though fixes are deployed, similar trust‑signal weaknesses are common across collaboration platforms; always test whether display strings are treated as authoritative identities.

## Defensive Guidance (High Level)
- Treat notification and call UI display fields as untrusted; ensure clients map to and render canonical identities (UPN/objectID) rather than payload-provided strings.
- Detect reuse of `clientmessageid` across multiple sends and reconcile UI vs. timeline metadata.
- Flag thread-topic changes on 1:1 chats.
- Educate users to verify sensitive/urgent requests via out-of-band channels and to inspect profile cards/UPNs, not just the display name.

## References

- [Exploiting Microsoft Teams: Impersonation and Spoofing Vulnerabilities Exposed (Check Point Research)](https://research.checkpoint.com/2025/microsoft-teams-impersonation-and-spoofing-vulnerabilities-exposed/)

{{#include ../../banners/hacktricks-training.md}}
7 changes: 5 additions & 2 deletions src/pentesting-web/xs-search/css-injection/less-code-injection.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
## LESS Code Injection leading to SSRF & Local File Read
# LESS Code Injection leading to SSRF & Local File Read

{{#include ../../../banners/hacktricks-training.md}}

LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.

Expand Down Expand Up @@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \

* [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04)
* [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/)
* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
{{#include ../../../banners/hacktricks-training.md}}