
Microsoft Teams Guest Chat Flaw Exposes Users to Malware Attacks

  • Nov 26, 2025
  • 2 min read

Key Findings


  • Microsoft Teams' B2B "Guest Access" feature lets attackers sidestep the victim's own security controls, such as Microsoft Defender for Office 365: content in a guest chat is governed by the hosting tenant's policies, so an attacker-controlled tenant becomes a "protection-free zone" for malware delivery.

  • Attackers can cheaply stand up a basic Microsoft 365 tenant with no Defender licensing and no security policies, then use it to send phishing links and malware to users who have joined it as guests.

  • A recent Microsoft feature that lets any Teams user start a chat with any email address, including people who do not use Teams, makes it easier still to lure victims into the unprotected environment.

  • Experts urge organizations to act now by restricting the external tenants their users can join as guests to explicitly trusted domains; this is an architectural problem addressed by configuration, not a bug awaiting a patch.


Background


Microsoft Teams has become a crucial communication tool for businesses globally, leading security teams to invest heavily in protection services such as Microsoft Defender for Office 365. However, new research from security firm Ontinue reveals a significant weakness in the default configuration of Microsoft Teams collaboration with external partners, known as B2B Guest Access.


Bypass of Security Controls


The problem lies in where policy is enforced when employees collaborate with external groups. When a user accepts a guest invitation and joins another company's chat, their protection is no longer determined by their home organization's configuration. Instead, the research found that it is controlled "entirely by that hosting environment."


In practice, the moment a user accepts a guest invite, the home tenant's Defender for Office 365 protections no longer apply to anything exchanged in the host tenant's chats. That includes Safe Links, which rewrites URLs and checks them at click time, and Zero-hour Auto Purge (ZAP), which retroactively removes messages later found to be malicious.


Attackers Exploiting the Flaw


Attackers are well aware of this gap and can create their own basic Microsoft 365 tenant with security policies switched off, in effect a "protection-free zone." Such tenants carry no Defender for Office 365 licensing, so nothing scans the links or files delivered through them, and they cost the attacker very little to set up.


The Easy Way In


Compounding the problem is a recent Microsoft feature that allows any Teams user to start a chat with any email address, including people not currently using Teams. The victim receives a genuine, Microsoft-branded invitation, and a single click is enough to enter the attacker's unprotected environment.


Experts Urge Immediate Action


Industry leaders have stressed that this is a serious architectural problem requiring a configuration change rather than a patch. They recommend that organizations limit guest collaboration to the domains they explicitly trust. Note the direction that matters here: the risk is your own users becoming guests in someone else's tenant, so the control to tighten is outbound B2B collaboration in Microsoft Entra cross-tenant access settings, not only the inbound list of who may be invited into your tenant. Beyond that, access should be kept to the minimum needed, and activity touching sensitive systems should be consistently monitored.
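The following script is an added example of the recommended configuration change; it is not code from Ontinue, Microsoft or the article. It uses the Microsoft Graph PowerShell SDK to audit the tenant's default outbound B2B collaboration setting (the weak, allow-everything default the article describes), block it, and then allow-list only explicitly trusted partner tenants. The partner domains are placeholders, and it assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Identity.DirectoryManagement modules are installed and the operator holds a role that can edit cross-tenant access policy.

```powershell
# Added example: restrict which external tenants your own users may join as
# B2B guests via Microsoft Entra cross-tenant access settings (Microsoft Graph).
# Assumptions: Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Identity.DirectoryManagement are installed; the operator can
# write cross-tenant access policy; the partner domains below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess", "CrossTenantInformation.ReadBasic.All"

# 1. Audit the current tenant default. Out of the box, outbound B2B
#    collaboration is "allowed" for all users and all applications, which is
#    what lets any employee accept any guest invitation.
$default = Get-MgPolicyCrossTenantAccessPolicyDefault
"Outbound B2B (users): $($default.B2BCollaborationOutbound.UsersAndGroups.AccessType)"
"Outbound B2B (apps) : $($default.B2BCollaborationOutbound.Applications.AccessType)"

# 2. Harden the default: block outbound B2B collaboration for everyone, to every
#    application. Trusted partners are then allow-listed individually below.
$blockOutbound = @{
    b2bCollaborationOutbound = @{
        usersAndGroups = @{
            accessType = "blocked"
            targets    = @(@{ target = "AllUsers"; targetType = "user" })
        }
        applications = @{
            accessType = "blocked"
            targets    = @(@{ target = "AllApplications"; targetType = "application" })
        }
    }
}
Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter $blockOutbound

# 3. Allow-list explicitly trusted partners. Partner settings are keyed on
#    tenant ID, so resolve each partner's verified domain to its tenant first.
$trustedPartnerDomains = @("partner-example.com", "supplier-example.org")   # placeholders
$allowOutbound = @{
    usersAndGroups = @{
        accessType = "allowed"
        targets    = @(@{ target = "AllUsers"; targetType = "user" })
    }
    applications = @{
        accessType = "allowed"
        targets    = @(@{ target = "AllApplications"; targetType = "application" })
    }
}

foreach ($domain in $trustedPartnerDomains) {
    $info = Find-MgTenantRelationshipTenantInformationByDomainName -DomainName $domain
    if (-not $info) {
        Write-Warning "No Microsoft Entra tenant found for $domain; skipping"
        continue
    }

    $existing = Get-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $info.TenantId `
        -ErrorAction SilentlyContinue

    if ($existing) {
        Update-MgPolicyCrossTenantAccessPolicyPartner `
            -CrossTenantAccessPolicyConfigurationPartnerTenantId $info.TenantId `
            -BodyParameter @{ b2bCollaborationOutbound = $allowOutbound }
    } else {
        New-MgPolicyCrossTenantAccessPolicyPartner `
            -BodyParameter @{ tenantId = $info.TenantId; b2bCollaborationOutbound = $allowOutbound }
    }
    "Allowed outbound guest access to $domain ($($info.TenantId))"
}
```

Two caveats before running this in production. Blocking the outbound default will break any existing guest relationship that is not on the allow-list, so inventory current partner tenants first or scope the block to a pilot group by replacing the "AllUsers" target with a group. And this setting governs Entra B2B guest redemption only; Teams external access (federated chat with other tenants) is configured separately in the Teams admin center and should be reviewed alongside it.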


Sources


  • https://hackread.com/microsoft-teams-guest-chat-flaw-malware/

  • https://thehackernews.com/2025/11/romcom-uses-socgholish-fake-update.html

© 2025 by Explain IT Again. Powered and secured by Wix
