Microsoft Teams Guest Access Vulnerability Exposes Security Risks

Published
November 28, 2025
Category
Major Tech Companies
Word Count
374 words
Voice
liam

Full Transcript

Cybersecurity researchers have identified a significant gap in Microsoft Teams' guest access model that could expose organizations to attack. According to Ontinue security researcher Rhys Downing, when a user joins an external tenant as a guest, the Microsoft Defender for Office 365 protections of the user's own organization no longer apply.

Instead, the protections that apply are those of the hosting tenant, which raises the question of how well those external environments are secured. The gap matters more as Microsoft rolls out a new Teams feature that lets users start a chat with anyone by email address, including people who do not use Teams at all.

The feature is expected to be generally available worldwide by January 2026 and is intended to make communication and collaboration easier. Organizations can turn it off through the TeamsMessagingPolicy settings, but that only stops their own users from sending such invitations; it does not stop them from receiving invitations sent by other tenants.

The core issue, as highlighted by Downing, is a 'fundamental architectural gap' where Microsoft Defender's protections may not be enforced when a user accepts an invitation to an external tenant. Threat actors could exploit this by creating 'protection-free zones' in their tenants by using low-cost licenses that lack necessary protections.

For example, an attacker might set up a Microsoft 365 tenant using the Teams Essentials or Business Basic licenses, which do not include Microsoft Defender for Office 365. Once established, the attacker can conduct reconnaissance on a target organization and initiate contact via Teams by sending a malicious invitation to the victim's email address.

Because the invitation email is sent from Microsoft's own infrastructure, it legitimately passes SPF, DKIM, and DMARC, so those checks give no reason to flag it. If the victim accepts the invitation, they become a guest in the attacker's tenant, and the conversation that follows can carry phishing links or malware-laden attachments without the victim's organization seeing any of it.

Downing emphasizes that the victim organization's security controls will not trigger, because the attack takes place outside that organization's security boundary. To reduce the risk, organizations are advised to restrict B2B collaboration settings so that guest invitations are accepted only from trusted domains, to implement cross-tenant access controls, and to train users to treat unsolicited Teams invitations from external sources with suspicion.
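One way to apply the cross-tenant access mitigation above with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original article or Ontinue's research: block outbound B2B collaboration by default, so users cannot redeem guest invitations into arbitrary tenants, then re-allow one trusted partner tenant. The partner tenant ID is a placeholder, and the scope names and endpoint paths are the standard Graph ones for the cross-tenant access policy.

```powershell
# Added example (not from the article or Ontinue): lock down outbound B2B
# collaboration so users can only accept guest invitations from an
# allow-listed partner tenant. Needs the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.CrossTenantAccess"

$base = "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy"

# 1. Inspect the current default. An untouched tenant reports
#    b2bCollaborationOutbound.usersAndGroups.accessType = "allowed",
#    which is what lets a user redeem an invitation from any tenant.
$default = Invoke-MgGraphRequest -Method GET -Uri "$base/default"
$default.b2bCollaborationOutbound | ConvertTo-Json -Depth 5

# 2. Block outbound B2B collaboration for all users by default. The
#    invitation email from an unknown tenant still arrives, but the user
#    can no longer complete redemption and become a guest there.
$blockOutbound = @{
    b2bCollaborationOutbound = @{
        usersAndGroups = @{
            accessType = "blocked"
            targets    = @(@{ target = "AllUsers"; targetType = "user" })
        }
        applications = @{
            accessType = "blocked"
            targets    = @(@{ target = "AllApplications"; targetType = "application" })
        }
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri "$base/default" `
    -Body $blockOutbound -ContentType "application/json"

# 3. Re-allow a trusted partner tenant. Partner settings override the
#    default for that tenant only. Placeholder ID: replace with the real one.
$partnerTenantId = "00000000-0000-0000-0000-000000000000"   # assumption: trusted partner's tenant ID
$allowPartner = @{
    tenantId = $partnerTenantId
    b2bCollaborationOutbound = @{
        usersAndGroups = @{
            accessType = "allowed"
            targets    = @(@{ target = "AllUsers"; targetType = "user" })
        }
        applications = @{
            accessType = "allowed"
            targets    = @(@{ target = "AllApplications"; targetType = "application" })
        }
    }
}
Invoke-MgGraphRequest -Method POST -Uri "$base/partners" `
    -Body $allowPartner -ContentType "application/json"

# 4. Verify: only the trusted tenant should show outbound access "allowed".
(Invoke-MgGraphRequest -Method GET -Uri "$base/partners").value |
    Select-Object tenantId,
        @{ n = "outbound"; e = { $_.b2bCollaborationOutbound.usersAndGroups.accessType } }
```

Two caveats before running this in production: blocking outbound B2B collaboration also prevents users from accepting legitimate guest invitations from any tenant not on the partner list, so pilot it by targeting a group (targetType "group" with the group's object ID) before switching to AllUsers, and keep in mind that this control is separate from the TeamsMessagingPolicy setting mentioned above, which only governs what your own users can send.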

The Hacker News has reached out to Microsoft for comment regarding this vulnerability, and updates will be provided if a response is received.
