Cybersecurity researchers have shed light on a cross-tenant blind spot that allows attackers to bypass Microsoft Defender for Office 365 protections via the guest access feature in Teams.
“When users operate as guests in another tenant, their protections are determined entirely by that hosting environment, not by their home organization,” Ontinue security researcher Rhys Downing said in a report.
“These advancements increase collaboration opportunities, but they also widen the responsibility for ensuring those external environments are trustworthy and properly secured.”
The development comes as Microsoft has begun rolling out a new feature in Teams that allows users to chat with anyone via email, including those who don’t use the enterprise communications platform, starting this month. The change is expected to be globally available by January 2026.
“The recipient will receive an email invitation to join the chat session as a guest, enabling seamless communication and collaboration,” Microsoft said in its announcement. “This update simplifies external engagement and supports flexible work scenarios.”
In the event the recipient already uses Teams, they are notified via the app directly in the form of an external message request. The feature is enabled by default, but organizations can turn it off using the TeamsMessagingPolicy by setting the “UseB2BInvitesToAddExternalUsers” parameter to “false.”
That said, this setting only prevents users from sending invitations to other users. It does not stop them from receiving invitations from external tenants.
At this stage, it’s worth mentioning that guest access is different from external access, which allows users to find, call, and chat with people who have Teams but are outside of their organizations.
The “fundamental architectural gap” highlighted by Ontinue stems from the fact that Microsoft Defender for Office 365 protections for Teams may not apply when a user accepts a guest invitation to an external tenant. In other words, by entering the other tenant’s security boundary, the user is subjected to security policies where the conversation is hosted and not where the user’s account lives.
What’s more, it opens the door to a scenario where the user can become an unprotected guest in a malicious environment that’s dictated by the attacker’s security policies.
In a hypothetical attack scenario, a threat actor can create “protection-free zones” by disabling all safeguards in their tenants or avail licenses that lack certain options by default. For instance, the attacker can spin up a malicious Microsoft 365 tenant using a low-cost license such as Teams Essentials or Business Basic that doesn’t come with Microsoft Defender for Office 365 out of the box.
Once the unprotected tenant is set up, the attacker can then conduct reconnaissance of the target organization to gather more information and initiate contact via Teams by…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
