
Microsoft Teams Bugs Let Attackers Impersonate Colleagues and Edit Messages Unnoticed

Cybersecurity researchers have disclosed details of four security flaws in Microsoft Teams that could have exposed users to serious impersonation and social engineering attacks.

The vulnerabilities "allowed attackers to manipulate conversations, impersonate colleagues, and exploit notifications," Check Point said in a report shared with The Hacker News.

Following responsible disclosure in March 2024, some of the issues were addressed by Microsoft in August 2024 under CVE-2024-38197, with subsequent patches rolled out in September 2024 and October 2025.

In a nutshell, these shortcomings make it possible to alter message content without triggering the "Edited" label, change the displayed sender identity, and modify incoming notifications to change the apparent sender of a message. An attacker could therefore trick victims into opening malicious messages by making them appear to come from a trusted source, including high-profile C-suite executives.


The attack, which can be carried out by both external guest users and malicious insiders, poses grave risks: it undermines the platform's trust boundaries and could lead targets to perform unintended actions, such as clicking on malicious links sent in the messages or sharing sensitive data.


On top of that, the flaws also made it possible to change the display names in private chat conversations by modifying the conversation topic, as well as to arbitrarily modify the display names used in call notifications and during the call itself, allowing an attacker to forge caller identities in the process.

"Collectively, these vulnerabilities show how attackers can erode the fundamental trust that makes collaboration workspace tools effective, turning Teams from a business enabler into a vector for deception," the cybersecurity company said.

Microsoft has described CVE-2024-38197 (CVSS score: 6.5) as a medium-severity spoofing issue affecting Teams for iOS, which could allow an attacker to alter the sender's name on a Teams message and potentially trick the recipient into disclosing sensitive information through social engineering ploys.

The findings come as threat actors are abusing Microsoft's enterprise communication platform in various ways, including approaching targets and persuading them to grant remote access or run a malicious payload under the guise of support personnel.


Microsoft, in an advisory released last month, said the "extensive collaboration features and global adoption of Microsoft Teams make it a high-value target for both cybercriminals and state-sponsored actors" and that its messaging (chat), calls, meetings, and video-based screen-sharing features are weaponized at different stages of the attack chain.


"These vulnerabilities hit at the heart of digital trust," Oded Vanunu, head of product vulnerability research at Check Point, told The Hacker News in a statement. "Collaboration platforms like Teams are now as critical as email and just as exposed."

"Our research shows that threat actors don't need to break in anymore; they just need to bend trust. Organizations must now secure what people believe, not just what systems process. Seeing isn't believing anymore; verification is."
