
Exploiting Microsoft Teams Impersonation and Spoofing Vulnerabilities Exposed

Check Point Research uncovered four vulnerabilities in Microsoft Teams that allow attackers to impersonate executives, manipulate messages, alter notifications, and forge identities in video and audio calls. Both external guest users and malicious insiders could exploit these flaws, fundamentally breaking trust in a platform used by 320M+ people worldwide. Real-world risks include executive impersonation, financial fraud, malware delivery, misinformation campaigns, and disruption of sensitive communications.

Within each message sent, there’s a parameter called imdisplayname, which, by default, displays the sender’s name. Through our investigation, we’ve found that this parameter can be altered to any desired value. This manipulation results in the recipient receiving a notification that appears to come from someone other than the actual sender.

We discovered that the display name used in call notifications could be arbitrarily modified through specific manipulations of call initiation requests. This flaw allows an attacker to forge the caller identity, presenting any chosen name to the call recipient. During the call initiation phase, a JSON payload is sent to POST /api/v2/epconv containing various parameters that define the call’s characteristics. Among these, the displayName parameter within the participants section is of particular interest: it is intended to carry the caller’s name as it appears to the recipient. By modifying the displayName value in the payload, we were able to alter the apparent identity of the caller. For instance, changing it to an arbitrary name results in the recipient seeing an incoming call from the modified name instead of the actual caller’s identity.

Now, let’s attempt to edit our message directly within MS Teams. Unfortunately, this action results in an “Edited” label appearing above our message. To bypass this, we can craft a new message and replace the clientmessageid with the value from our previous message – 2711247313308716623. This approach effectively masks our edit, making it undetectable to others.
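The three indicators described above (an imdisplayname that disagrees with the real sender, a displayName in a call's participants that disagrees with the participant's account, and a clientmessageid reused with different content) can be checked from the monitoring side. The following is an added example, not code from Check Point Research or from this post; the record layout, the id-to-name directory and the sample records are constructed assumptions, only the field names imdisplayname, displayName, participants and clientmessageid come from the text.

```python
from collections import defaultdict

# Constructed directory: the name each account is known by. Assumption: the
# monitoring layer can map a sender or participant id to a directory entry.
DIRECTORY = {"user-a": "Alice Example", "guest-b": "Guest Bob"}

# Constructed message records carrying the fields the post discusses.
MESSAGES = [
    {"from": "user-a", "imdisplayname": "Alice Example",
     "clientmessageid": "1001", "content": "hi"},
    {"from": "guest-b", "imdisplayname": "CEO Jane Doe",        # name mismatch
     "clientmessageid": "1002", "content": "please approve the wire"},
    {"from": "user-a", "imdisplayname": "Alice Example",        # reused id, new text
     "clientmessageid": "1001", "content": "hi there"},
    {"from": "guest-b", "imdisplayname": "Guest Bob",
     "clientmessageid": "1003", "content": "thanks"},
]

# Constructed call-initiation payload shaped after the displayName field inside
# participants that the post names; the rest of the real payload is not assumed.
CALL_PAYLOAD = {"participants": [
    {"id": "guest-b", "displayName": "CFO Dana Roe"},
    {"id": "user-a", "displayName": "Alice Example"},
]}


def find_spoofed_names(messages, directory):
    """Return (clientmessageid, sender id, shown name) for every message whose
    imdisplayname differs from the directory name of the actual sender."""
    return [(m["clientmessageid"], m["from"], m["imdisplayname"])
            for m in messages
            if directory.get(m["from"]) != m["imdisplayname"]]


def find_masked_edits(messages):
    """Return clientmessageids seen more than once with differing content:
    a new message reusing an old id is the masked-edit pattern described above."""
    seen = defaultdict(set)
    for m in messages:
        seen[m["clientmessageid"]].add(m["content"])
    return sorted(cid for cid, texts in seen.items() if len(texts) > 1)


def find_spoofed_callers(payload, directory):
    """Return participant ids whose displayName differs from the directory name."""
    return [p["id"] for p in payload.get("participants", [])
            if directory.get(p["id"]) != p["displayName"]]
```

Comparing the shown name against the account the platform actually authenticated, rather than trusting the client-supplied field, is the check each of these functions encodes.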

To read the complete article see: Check Point Research

This post is licensed under CC BY 4.0 by the author.