| ⓘ We are reaching out to let you know there is a vulnerability in Microsoft Teams that allows threat actors to impersonate valid users. |
Attention constituent:
A vulnerability in Microsoft Teams can allow both external & insider threat actors to spoof identities, manipulate messages and notifications, and forge caller names in calls. Teams is a trusted collaboration tool, these manipulations make social-engineering attacks (tricks that exploit trust) much more convincing and dangerous.
Advisory Overview
|
| Advisory Type |
Non-technical |
| Author |
Leon Strachan |
| Date |
5 November 2025 |
What’s Happening
|
| Affected Systems |
This flaw exists across Microsoft 365 and hybrid environments. Organizations that permit external guest access or rely on bring-your-own-device (BYOD) policies face a higher risk of exploitation. Until fully patched, all users should remain cautious, verify unexpected requests, and ensure Teams is updated to the latest version. |
| What this Means |
Threat actors can alter display fields inside Teams (like the name shown on a message or a call notification) so the recipient thinks the communication came from a trusted person, for example a manager or CEO. Threat actors can also edit message content without leaving obvious traces and change the conversation name shown in private chats. |
What to Look For
|
| Signs You May Be at Risk |
You may be at risk if you or your organization use Microsoft Teams. The risk increases if external guests are allowed in your Teams environment or if employees use personal devices that aren’t managed or patched regularly. |
| Signs You May Be Affected |
Signs include mismatched display names that don’t align with the sender’s actual account, messages that appear edited without showing the usual “Edited” label, and call notifications displaying forged or unfamiliar names. Private chat topics may change unexpectedly, misleading participants about the conversation’s context. Suspicious behavior from guest or external accounts, especially those sending urgent or high-level requests, is another key red flag. |
What to Do
|
| Prevention |
Verify unusual or urgent requests:
- If you get an unexpected request that asks for money, credentials, or confidential files, verify by a second channel: phone call, SMS, or face-to-face. Don’t reply in the same Teams thread.
- Use a known number or contact method not the contact details supplied in the suspicious message.
Pause before acting on urgent instructions:
- Attackers rely on urgency. Stop, think, and ask “Why is this happening now?” If a request is urgent and unusual, treat it as suspicious.
Be cautious with attachments and links:
- Don’t open attachments or click links from unknown senders. If a link is expected, confirm its legitimacy first. When in doubt, forward it to your IT/security team.
Limit and review guest access:
- Teams owners and admins should restrict what external guests can do (posting, changing conversation topics, creating meetings) and review guest memberships regularly.
Keep software updated:
- Install Teams updates as they’re released. Vendors often patch these types of issues quickly. Encourage mobile users to enable automatic updates.
Report suspicious activity immediately:
- If you suspect spoofing or a social-engineering attempt, notify your IT or security team and preserve the message or call details (don’t delete them).
Train and remind staff regularly:
- Short, frequent reminders and real examples of spoofing/social engineering strengthen vigilance more than a single annual training.
|
| Mitigation |
- Ensure that all devices running Teams are updated to the latest version released by Microsoft.
- Limit guest access and external collaboration to only trusted users, and review permissions regularly to reduce the attack surface.
- Encourage staff to verify unusual or urgent requests through a secondary channel, such as a phone call or separate messaging platform, rather than acting solely on Teams notifications.
- Implement device management policies for BYOD devices to enforce updates and compliance.
- Raise awareness and training among employees about spoofing and social-engineering risks to reinforce vigilance.
|
Should you require additional information or further support, submit a report on our website or contact us at [email protected].
Best,
Leon Strachan
Security Operations Centre
National Computer Incident Response Team of The Bahamas

|