Concise Cyber

Microsoft Teams Vulnerabilities Exposed: Researchers Detail Impersonation and File Spoofing Flaws

Cybersecurity researchers from Check Point Research (CPR) have disclosed significant vulnerabilities within Microsoft Teams that enable impersonation and file spoofing. The discovered flaws permit an attacker to manipulate the appearance of file attachments, making malicious files appear as legitimate content from a trusted source within an organization’s SharePoint.

The exploit involves sending a specially crafted Adaptive Card in a Teams message. These cards can be designed to include a deep link pointing to a file hosted on an external, attacker-controlled SharePoint server, rather than the organization’s own SharePoint site. This technique effectively masks the true origin of the file.

Understanding the Spoofing Mechanism

The core of the vulnerability lies in how Microsoft Teams generates a preview for files linked within an Adaptive Card. An attacker can craft a post that displays a preview of a file with a deceptive filename and icon, such as a PDF or image file. However, the link itself directs the victim to a completely different file, like a malicious executable, hosted on the attacker’s external SharePoint.

When a user clicks on the seemingly harmless file preview, they are instead prompted to download the malicious payload. Because the preview card appears legitimate and seems to originate from a trusted SharePoint source, the likelihood of a user downloading the file increases. This method bypasses typical user scrutiny applied to files from unknown external sources.
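A defender-side check for the mismatch described above, added here as an example and not taken from the CPR report or from Microsoft: it walks an Adaptive Card's JSON and flags links whose host is outside the organization's SharePoint or whose file type differs from the file name the card displays. It assumes the link is carried in an `Action.OpenUrl` action and the displayed name in a `TextBlock`; the trusted hostnames and the sample card are constructed placeholders.

```python
import json
import re
from urllib.parse import unquote, urlparse

# Assumption: placeholder hostnames standing in for the organization's own SharePoint.
TRUSTED_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}
EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,5})$")

def walk(node):
    """Yield every dict nested anywhere inside a parsed card."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)

def ext(name):
    """Lower-cased trailing file extension of a name or URL path, or ''."""
    match = EXT_RE.search(name.strip())
    return match.group(1).lower() if match else ""

def audit_card(card, trusted_hosts=TRUSTED_HOSTS):
    """Flag links whose host or file type disagrees with what the card displays."""
    elements = list(walk(card))
    # Extensions of file names shown to the user in TextBlock elements.
    shown = {ext(str(e.get("text", ""))) for e in elements if e.get("type") == "TextBlock"}
    shown.discard("")
    findings = []
    for e in elements:
        if e.get("type") != "Action.OpenUrl":
            continue
        url = urlparse(str(e.get("url", "")))
        host = (url.hostname or "").lower()
        target = ext(unquote(url.path))
        if host not in trusted_hosts:
            findings.append(("external-host", host))
        if shown and target and target not in shown:
            findings.append(("extension-mismatch", target))
    return findings

# Constructed sample: shows a PDF name, links to a different file type on another host.
SAMPLE_CARD = json.loads("""{"type": "AdaptiveCard", "version": "1.4",
  "body": [{"type": "TextBlock", "text": "Q3-Budget.pdf"}],
  "actions": [{"type": "Action.OpenUrl",
    "url": "https://sharepoint.example.net/sites/x/Shared%20Documents/update.exe"}]}""")
if __name__ == "__main__":
    print(audit_card(SAMPLE_CARD))
```

Because `walk` visits every nested object, an `Action.OpenUrl` placed in an element's `selectAction` is checked the same way as one in the top-level `actions` list.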

Demonstrated Attack Capabilities

The research demonstrated that this technique can be utilized by attackers for several malicious purposes. The primary capability is the delivery of malware under the guise of safe, routine business documents. This bypasses security controls and user awareness training by leveraging the trusted environment of Microsoft Teams.

According to the report, this method can also be used for information gathering and to facilitate lateral movement within an organization’s network once an initial foothold is gained. The vulnerabilities were reported to Microsoft on January 16, 2024. At the time of the report’s publication, Microsoft had acknowledged the issue and stated a fix would be deployed in a future release.

Source: https://research.checkpoint.com/2025/microsoft-teams-impersonation-and-spoofing-vulnerabilities-exposed/