Overview
- Researchers detailed four bugs that let attackers overwrite messages without triggering the "Edited" label, spoof notifications, rename private chats, and forge caller identities.
- Microsoft tracked at least one issue as CVE-2024-38197, a medium-severity spoofing vulnerability on Teams for iOS that allowed alteration of a sender's name.
- Initial patches landed in August and September 2024, with the caller identity fix finalized at the end of October 2025.
- The flaws enabled convincing social engineering by both guest accounts and malicious insiders, raising risks of financial fraud, credential theft, malware delivery, and misinformation.
- Enterprises are urged to verify that clients are updated and to adopt layered defenses such as zero-trust access controls, anomaly detection, strict guest policies, user verification, and data-loss prevention.