Imagine this: You’re on a Microsoft Teams call with others in your company, and on pops your boss with directives that seem awfully unusual to you. What he’s telling the team to do is reckless and completely contrary to the way the company normally does business.

But there he is – the boss – right there on live video, clearly giving you the instruction. What choice do you have but to follow it?

Except that it wasn’t your boss at all. It was a deep fake that mimicked both his likeness and his voice. This is one of the attacks that cyber criminals could have pulled off against millions of companies as a result of vulnerabilities that were recently discovered – and patched – in Microsoft Teams.

These same vulnerabilities could also have allowed hackers to alter messages, rewrite chat history and fake notifications or calls. Nothing would have alerted the users to any of it.

Microsoft was first alerted about the problem in March 2024 by a company called Check Point Software. It spent the next 19 months issuing patches, and didn’t complete the process until October 2025 – when it finally addressed what it called the “caller identity flaw.”

In other words, that’s not really your boss giving those directives. Sure looks and sounds like him, though. The most troubling scenario involves multiple levels – with a “guest user” posing as one of the company’s executives and sending some sort of urgent instruction, then following up with a video call that appears completely legitimate.

If the other team members buy it, the next action they take could set the company up for financial fraud, credential theft or malware delivery.

At the very least, a vulnerability like this could have seriously eroded trust in corporate settings, where more than 320 million users rely on Teams for all kinds of professional communication.

So what can you do within your company? Can you help it if big software providers like Microsoft have flaws in their products that leave you vulnerable?

No, but you can take steps.

What You Should Do

First, there is no reason your organization should make something like Microsoft Teams completely trust-based. You should implement zero-trust access controls so the system doesn’t just assume any particular user is safe and trustworthy. Because the user who appears to be that person might not be.

Every employee should have to also input verification credentials whenever they use the system, and the credentials should change regularly to ensure that hackers don’t get wise to them.

And if you use Slack or Zoom instead of Teams, don’t just assume this can’t happen with them either. The more companies rely on platforms like this, as well as on AI chatbots, the more points of vulnerability hackers will look to exploit.

Most critically, warn your employees: If something seems out of the ordinary, question it. An urgent directive from the CEO that isn’t consistent with how the CEO or the company normally does business should raise alarms. If that’s really your boss on that video feed, he should interact with you like he normally would. Test it.

Lamentable as it might seem, in the cyber world you can trust no one. Even if it looks and sounds exactly like someone you do trust. Because unless you’re sitting right next to that person in real life, it might be someone else.

If you need help getting your team on the right page with all this, call me at 616.217.3019, or email dacarey@cybersynergies.io.