Microsoft Teams Security Flaw Enables Attackers to Bypass Protections
Microsoft Teams’ new guest access feature, while designed to enhance collaboration, has inadvertently created a significant security vulnerability, allowing attackers to circumvent established defenses and possibly compromise sensitive data. A recent report from security firm Ontinue details how malicious actors are exploiting this functionality to invite users into insecure environments at scale.
The popular collaboration platform has become a mainstay for businesses seeking real-time interaction and file sharing. However, connecting to external environments, even with the best intentions, presents inherent risks. According to one threat researcher, “Effective protection is not inherent to [Teams]; it emerges from how each tenant chooses to manage external access, identity boundaries, and integrated security controls.”
Did you know? Microsoft Teams’ guest access allows users to collaborate with external individuals. This feature, while convenient, introduces security risks. Attackers exploit this to bypass security measures and access sensitive data.
The Reality of Cross-Tenant Collaboration
The core of the problem isn’t a flaw within Teams itself, but rather the inherent security challenges of cross-tenant collaboration. Users operating as guests in another organization’s Teams environment are not automatically protected by the security policies and processes of their own tenant. This means attackers can effectively bypass critical safeguards, including those offered by Defender for Office 365, such as Safe Links, zero-hour auto purge, and malware scanning, by enticing users into malicious tenants.
The urgency surrounding this issue stems from a new Microsoft feature, designated MC1182004, introduced earlier this month. This feature allows Teams users to initiate chats with anyone possessing an email address. Recipients receive an invitation to join as a guest, delivered either through Teams or directly via email. Because the invitation originates from Microsoft, it is less likely to be flagged by standard email security filters.
Pro tip: To mitigate risks, organizations should restrict guest invitations to trusted domains. Implement strong cross-tenant access policies and limit external Teams communications. Educate users about the dangers of unsolicited invitations and suspicious links.
Exploiting a Default Setting
Critically, the ability to send these invitations is enabled by default. Furthermore, essential security features are not included on lower-cost Teams licenses, such as Teams Essentials, Business Basic, or trial versions. This allows attackers to establish insecure tenants cheaply and efficiently, then invite unsuspecting victims en masse. While security teams can disable the sending of invitations using a PowerShell command, there is currently no mechanism to block incoming invitations.
One analyst at Ontinue described the feature as “a perfect attack vector for threat actors who understand how cross-tenant security actually works.” Once a user is lured into a compromised environment, attackers have a wide range of malicious options at their disposal. These include distributing phishing links without detection, deploying malware without triggering alerts, conducting sophisticated social engineering attacks, and exfiltrating sensitive data under false pretenses.
Mitigating the Risk
Fortunately, organizations can take proactive steps to protect their users. Ontinue recommends the following measures:
- Restrict B2B guest invitations to only allow connections from trusted domains.
- Implement robust cross-tenant access policies.
- Restrict external Teams communications where possible.
- Prioritize comprehensive user education regarding the dangers of unsolicited invitations and suspicious links.
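To check whether users have already accepted guest access in tenants outside a trusted list, a security team can review exported sign-in records. The following is an added example, not code from Ontinue or Microsoft: it assumes JSON-lines records with the fields `homeTenantId`, `resourceTenantId`, `crossTenantAccessType` and `userPrincipalName`, modeled on Microsoft Entra sign-in logs, and every tenant ID, user and record in it is constructed.

```python
import json
from collections import defaultdict

# Constructed values: our tenant ID and the partner tenants we trust.
HOME_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"
TRUSTED_TENANTS = {"bbbbbbbb-0000-0000-0000-000000000002"}
ROGUE = "cccccccc-0000-0000-0000-000000000003"  # constructed unknown tenant


def _rec(user, home, resource, access):
    """Build one constructed sign-in record as a JSON line."""
    return json.dumps({"userPrincipalName": user, "homeTenantId": home,
                       "resourceTenantId": resource,
                       "crossTenantAccessType": access,
                       "appDisplayName": "Microsoft Teams"})


SAMPLE_LOG = [  # constructed records; field names are an assumption
    _rec("alice@contoso.example", HOME_TENANT, HOME_TENANT, "none"),
    _rec("bob@contoso.example", HOME_TENANT, "bbbbbbbb-0000-0000-0000-000000000002", "b2bCollaboration"),
    _rec("carol@contoso.example", HOME_TENANT, ROGUE, "b2bCollaboration"),
    _rec("dave@contoso.example", HOME_TENANT, ROGUE.upper(), "b2bCollaboration"),
    _rec("carol@contoso.example", HOME_TENANT, ROGUE, "b2bCollaboration"),
    _rec("guest@fabrikam.example", ROGUE, HOME_TENANT, "b2bCollaboration"),
    '{"userPrincipalName": "truncated',  # malformed line, must be skipped
]


def outbound_guest_signins(lines, home=HOME_TENANT, trusted=TRUSTED_TENANTS):
    """Map each untrusted resource tenant to the home users who signed in there as guests."""
    hits = defaultdict(set)
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged export lines instead of aborting the review
        if not isinstance(rec, dict):
            continue
        home_id = (rec.get("homeTenantId") or "").lower()
        res_id = (rec.get("resourceTenantId") or "").lower()
        if home_id != home or res_id in ("", home):
            continue  # inbound guest, or a sign-in that stays inside our tenant
        if rec.get("crossTenantAccessType") != "b2bCollaboration":
            continue
        if res_id not in trusted:
            hits[res_id].add(rec.get("userPrincipalName", "unknown"))
    return {tenant: sorted(users) for tenant, users in hits.items()}


if __name__ == "__main__":
    for tenant, users in outbound_guest_signins(SAMPLE_LOG).items():
        print(f"untrusted tenant {tenant}: {len(users)} user(s): {', '.join(users)}")
```

Several distinct users appearing under the same unknown tenant is the pattern to review first, since the report describes invitations being sent at scale.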
Why: The security flaw allows attackers to bypass protections in Microsoft Teams, potentially compromising sensitive data.
Who: Attackers are exploiting the guest access feature. Users are at risk of being targeted. Security teams and organizations need to take
