Cyber Web Spider Blog – News

Microsoft Teams Bugs Let Attackers Impersonate Colleagues and Edit Messages Unnoticed


Posted on November 4, 2025 By CWS

Nov 04, 2025 | Ravie Lakshmanan
Cybersecurity researchers have disclosed details of four security flaws in Microsoft Teams that could have exposed users to serious impersonation and social engineering attacks.
The vulnerabilities “allowed attackers to control conversations, impersonate colleagues, and exploit notifications,” Check Point said in a report shared with The Hacker News.
Following responsible disclosure in March 2024, some of the issues were addressed by Microsoft in August 2024 under the CVE identifier CVE-2024-38197, with subsequent patches rolled out in September 2024 and October 2025.
In a nutshell, these shortcomings make it possible to alter message content without leaving the “Edited” label and sender identity, and to modify incoming notifications to change the apparent sender of the message, thereby allowing an attacker to trick victims into opening malicious messages by making them appear as if they are coming from a trusted source, including high-profile C-suite executives.

The attack, which covers both external guest users and internal malicious actors, poses grave risks, as it undermines security boundaries and enables potential targets to perform unintended actions, such as clicking on malicious links sent in the messages or sharing sensitive data.
On top of that, the flaws also made it possible to change the display names in private chat conversations by modifying the conversation topic, as well as arbitrarily modify display names used in call notifications and during the call, allowing an attacker to forge caller identities in the process.
“Together, these vulnerabilities show how attackers can erode the basic trust that makes collaboration workspace tools effective, turning Teams from a business enabler into a vector for deception,” the cybersecurity company said.

Microsoft has described CVE-2024-38197 (CVSS score: 6.5) as a medium-severity spoofing issue impacting Teams for iOS, which could allow an attacker to alter the sender’s name of a Teams message and potentially trick them into disclosing sensitive information through social engineering ploys.
The findings come as threat actors are abusing Microsoft’s enterprise communication platform in various ways, including approaching targets and persuading them to grant remote access or run a malicious payload under the guise of support personnel.

Microsoft, in an advisory released last month, said the “extensive collaboration features and global adoption of Microsoft Teams make it a high-value target for both cybercriminals and state-sponsored actors” and that its messaging (chat), calls, and meetings, and video-based screen-sharing features are weaponized at different stages of the attack chain.
“These vulnerabilities hit at the heart of digital trust,” Oded Vanunu, head of product vulnerability research at Check Point, told The Hacker News in a statement. “Collaboration platforms like Teams are now as critical as email and just as exposed.”
“Our research shows that threat actors need not break in anymore; they only need to bend trust. Organizations must now secure what people believe, not just what systems process. Seeing is not believing anymore, verification is.”
