
Microsoft Teams Flaws Expose New Risks in Workplace Collaboration

By Kirsten Doyle, November 5, 2025

Trust has always been the glue of digital collaboration, but new research shows it can also be the weak link.

Check Point Research has uncovered multiple vulnerabilities in Microsoft Teams that could allow bad actors to impersonate executives, alter chat history, and spoof notifications, all without detection.  

With over 320 million active users, Teams has become a key channel for business communication, powering meetings, decisions, and day-to-day teamwork across organizations. But these new findings highlight how attackers can exploit the very trust that makes these platforms work. 

“Trust alone isn’t a security strategy,” the researchers warned. “Collaboration tools are now a major attack surface.” 

Collaboration as the New Attack Surface 

For years, malefactors have targeted email as the easiest way into an organization, be it phishing, spoofing, or manipulating trust to steal data or money. Now, the same playbook is being applied to collaboration tools like Microsoft Teams, Slack, and Zoom. 

These platforms aren’t just chat tools anymore; they’ve become integral to modern work, which makes them prime real estate for attackers. When people believe what they see (names, notifications, or messages), they’re far more likely to act without caution.

Check Point Research’s findings suggest that attackers are shifting focus from breaking systems to breaking trust. Whether it’s a manipulated message or a fake notification from an executive, these tactics can bypass traditional defenses by exploiting human behavior. 

What the Researchers Found 

Check Point Research conducted an in-depth analysis of Microsoft Teams, looking for weaknesses that could be abused by both external guests and malicious insiders. Their findings revealed several critical flaws: 

First, invisible message editing. By reusing certain identifiers in Teams messages, threat actors could silently edit the content of past messages, without showing the familiar “Edited” label. This means a conversation could be rewritten after the fact. 

Also, spoofed notifications. Criminals could manipulate notification data so alerts appeared to come from trusted executives or colleagues. Since notifications are designed to grab attention, this could be used to trick users into urgent or risky actions.

Next, they found altered display names in private chats. By modifying the topic field in a private chat, an attacker could change the name displayed for that conversation. Both participants would see the altered title, creating confusion about who they were actually speaking with. 

Finally, forged caller identity in calls. Perhaps the most concerning, the researchers found that an attacker could forge a caller’s display name during a video or audio call. This could make it appear that an incoming call came from a known, trusted contact, leaving the door wide open for social engineering or fraud. 

A Direct Path For Sophisticated Social Engineering 

Dray Agha, senior manager of security operations at Huntress, said: “Attackers could exploit these flaws to seamlessly impersonate internal colleagues, silently alter chat history, and spoof caller IDs in video calls. These flaws will create a direct path for sophisticated social engineering, enabling scenarios like executive impersonation to authorise fraudulent financial transactions, credential theft, or the delivery of malware through seemingly legitimate channels.”  

Seeing Isn’t Believing 

Oded Vanunu, Chief Technologist and Head of Product Vulnerability Research at Check Point Software, said these vulnerabilities hit at the heart of digital trust. “Collaboration platforms like Teams are now as critical as email and just as exposed. Our research shows that threat actors don’t need to break in anymore; they just need to bend trust.” 

Vanunu adds that businesses must now secure what people believe, not just what systems process. As AI accelerates both collaboration and cybercrime, prevention-first security will determine which organizations stay resilient. “Seeing isn’t believing anymore; verification is.”

Microsoft’s Response 

Check Point Research responsibly disclosed the vulnerabilities to Microsoft in March 2024. Microsoft acknowledged the report under CVE-2024-38197 and issued a series of patches throughout the year. The final fix, addressing the call identity flaw, was completed in October 2025. 

No user action is required to stay protected, as the updates were deployed directly by Microsoft. 

Still, the implications go further than one product. These vulnerabilities show how cybercrooks can weaponize trust within collaboration environments, turning daily communication into a potential entry point for executive impersonation, financial fraud, malware delivery, and even misinformation campaigns. 

A Wider Pattern 

While Microsoft has patched these specific issues, the research points to a systemic problem. Wherever people interact through trusted digital systems, bad actors will look for (and find) ways to exploit that trust. 

Check Point Research has identified similar risks in other platforms, from AI assistants that summarize messages to automation tools that connect workflows. The trend is there: as collaboration technology evolves, so does the opportunity for manipulation. 

Learning From Mistakes 

Roger Grimes, data-driven defence evangelist at KnowBe4, added: “I think that anytime you hear about these types of vulnerabilities on one platform, you ask if they are possible on other platforms. The answer is probably, ‘Yes!’ You’ve probably got other competitors today reading this report and starting to analyse their own products and services, and some of that research is finding similar problems within their own platform.”

Grimes once worked for a very large vendor, and they often saw these types of bug-finding reports as an opportunity to look at their own stuff…and often found the same issues.

“We would sigh in relief, because at least this time it wasn’t our missed vulnerabilities being announced to the world. This time around, we were able to learn and fix our mistakes from the mistakes of a competitor. But we didn’t take advantage of the situation and talk badly about the competitor, because you don’t throw stones if you live in glass houses and you know the next time it could be you on the public firing line.”  
