

Ethical Hacking News

MS Teams Guest Access Exploited: A Security Blind Spot that Leaves Users Vulnerable to Phishing Attacks


Microsoft Teams' guest access feature has a security blind spot: when a user joins another organization's tenant as a guest, the protections that apply to them are those of the hosting tenant, not of their own, so Microsoft Defender for Office 365 safeguards from the home tenant do not follow the user. An attacker who controls a tenant with those safeguards switched off can invite a target as a guest and deliver phishing links or malware-laced attachments unscanned. To reduce exposure, organizations should restrict guest invitations, implement cross-tenant access controls, and train employees to spot suspicious invites.

  • Microsoft Teams has a security blind spot in external tenant guest access.
  • Users who join an external tenant as guests are not covered by their home tenant's Microsoft Defender for Office 365 protections, which leaves them exposed to phishing and malware delivered inside that tenant.
  • An attacker can build a "protection-free zone" in a tenant they control, then use it to conduct reconnaissance and initiate contact with targeted users through Teams.
  • Organizations should restrict B2B collaboration settings, implement cross-tenant access controls, and limit external Teams communication where it is not required.
  • Training users to treat unsolicited Teams invites from external sources with suspicion is also essential.



    Microsoft Teams, Microsoft's widely used communication and collaboration platform, has a security blind spot in its external tenant guest access. The issue arises when a user joins another organization's tenant as a guest. Research by Ontinue found that while a user operates as a guest in another tenant, the protections applied to them are determined entirely by the hosting tenant, not by the user's home organization.

    This means that a Microsoft Defender for Office 365 subscription in the home tenant does not follow the user into the external tenant. An attacker who controls a tenant can chat with a guest, and send links or attachments, without any of the home tenant's defenses being applied. The invitation itself is also hard to filter: the guest invitation email is generated and sent by Microsoft's infrastructure, so it reaches the victim's mailbox without triggering the usual checks.

    In other words, the email passes SPF, DKIM, and DMARC because it really is sent from a legitimate source. The attacker creates the "protection-free zone" by disabling every safeguard in their own tenant, or by using a license tier in which options such as Safe Links and Safe Attachments are absent by default. With the environment prepared, the attacker performs reconnaissance on the target organization to identify suitable users and then initiates contact through Teams.

    The invitation email, carrying a link to join the chat session, lands in the victim's mailbox. Once the victim accepts and enters the attacker's tenant as a guest, that session is governed by the attacker's policies rather than the victim's own. The attacker can then deliver phishing links or malware-laced attachments in the chat, and, because Safe Links and Safe Attachments are not active in that tenant, nothing rewrites the URLs or detonates the files before the victim opens them.

    The researchers concluded that organizations should act on this line of attack now. The recommended measures are to restrict B2B collaboration settings so that guest invitations are only accepted from trusted domains, to implement cross-tenant access controls, and to limit external Teams communication where it is not required.

    Training users to treat unsolicited Teams invitations from external sources with suspicion should also be a priority. Because the home tenant's protections do not apply inside an external tenant, users are exposed to phishing and other malicious activity for as long as a guest session in an untrusted tenant lasts. Organizations should close this blind spot quickly to protect their employees and prevent breaches.
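    The following PowerShell is an added example of the tenant-side hardening the researchers recommend; it is not code from Ontinue, from the article, or from Microsoft's documentation, and the partner tenant ID and partner domain names in it are placeholders. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module, Policy.ReadWrite.CrossTenantAccess scope) for the Entra cross-tenant access settings and the MicrosoftTeams module for Teams external access. The control that matters most for the scenario above is the outbound B2B collaboration setting: it governs whether your users can be redeemed as guests into another tenant at all, so blocking it by default and re-enabling it only for named partner tenants stops an unknown attacker tenant from hosting your users.

```powershell
# Added example (not from the Ontinue research or the article). Tenant IDs and
# domain names below are placeholders; run against a test tenant first.
# Requires: Install-Module Microsoft.Graph ; Install-Module MicrosoftTeams

# --- 1. Cross-tenant access settings (Entra ID) --------------------------
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

# Inspect the current default policy before changing anything.
Get-MgPolicyCrossTenantAccessPolicyDefault | ConvertTo-Json -Depth 10

# Block outbound B2B collaboration by default: your users can no longer be
# redeemed as guests in an arbitrary external tenant (the case where the
# hosting tenant, not yours, decides which protections apply).
$blockedOutbound = @{
    usersAndGroups = @{
        accessType = "blocked"
        targets    = @(@{ target = "AllUsers"; targetType = "user" })
    }
    applications = @{
        accessType = "blocked"
        targets    = @(@{ target = "AllApplications"; targetType = "application" })
    }
}
Update-MgPolicyCrossTenantAccessPolicyDefault -B2BCollaborationOutbound $blockedOutbound

# Re-enable outbound collaboration only for a known partner tenant.
# Partner-specific settings take precedence over the default policy.
$partnerTenantId = "00000000-0000-0000-0000-000000000000"   # placeholder
$allowedOutbound = @{
    usersAndGroups = @{
        accessType = "allowed"
        targets    = @(@{ target = "AllUsers"; targetType = "user" })
    }
    applications = @{
        accessType = "allowed"
        targets    = @(@{ target = "AllApplications"; targetType = "application" })
    }
}
New-MgPolicyCrossTenantAccessPolicyPartner -TenantId $partnerTenantId `
    -B2BCollaborationOutbound $allowedOutbound

# --- 2. Teams external access (federation) -------------------------------
Connect-MicrosoftTeams

# Replace open federation with an explicit allow list of partner domains
# (placeholders) and block chat with personal (consumer) Teams accounts.
$partnerDomains = @("partner.example", "vendor.example") |
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $partnerDomains
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomains $allowList `
    -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# --- 3. Verify the result -------------------------------------------------
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer
Get-MgPolicyCrossTenantAccessPolicyPartner |
    Select-Object TenantId, B2BCollaborationOutbound
```

    The allow/deny domain list for inbound guest invitations (External Identities, External collaboration settings in the Entra admin center) is not exposed through the cmdlets above and is left to the admin center. The outbound block applies to every user as soon as it is saved, so expect it to affect existing guest sign-ins at tenants that are not listed as partners; inventory those tenants and add them as partners before applying the default block in production.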



    Related Information:
  • https://www.ethicalhackingnews.com/articles/MS-Teams-Guest-Access-Exploited-A-Security-Blind-Spot-that-Leaves-Users-Vulnerable-to-Phishing-Attacks-ehn.shtml

  • https://thehackernews.com/2025/11/ms-teams-guest-access-can-remove.html

  • https://www.csoonline.com/article/4097381/microsoft-teams-guest-chat-feature-exposes-cross-tenant-blind-spot.html



  • Published: Fri Nov 28 03:15:04 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
