Ms Teams Guest Access Can Remove Defender Protection When Users...
Cybersecurity researchers have shed light on a cross-tenant blind spot that allows attackers to bypass Microsoft Defender for Office 365 protections via the guest access feature in Teams.
"When users operate as guests in another tenant, their protections are determined entirely by that hosting environment, not by their home organization," Ontinue security researcher Rhys Downing said in a report.
"These advancements increase collaboration opportunities, but they also widen the responsibility for ensuring those external environments are trustworthy and properly secured."
The development comes as Microsoft has begun rolling out a new feature in Teams that allows users to chat with anyone via email, including those who don't use the enterprise communications platform, starting this month. The change is expected to be globally available by January 2026.
"The recipient will receive an email invitation to join the chat session as a guest, enabling seamless communication and collaboration," Microsoft said in its announcement. "This update simplifies external engagement and supports flexible work scenarios."
In the event the recipient already uses Teams, they are notified via the app directly in the form of an external message request. The feature is enabled by default, but organizations can turn it off using the TeamsMessagingPolicy by setting the "UseB2BInvitesToAddExternalUsers" parameter to "false."
That said, this setting only prevents users from sending invitations to other users. It does not stop them from receiving invitations from external tenants.
At this stage, it's worth mentioning that guest access is different from external access, which allows users to find, call, and chat with people who have Teams but are outside of their organizations.
The "fundamental architectural gap" highlighted by Ontinue stems from the fact that Microsoft Defender for Office 365 protections for Teams may not apply when a user accepts a guest invitation to an external tenant. In other words, by entering the other tenant's security boundary, the user is subjected to security policies where the conversation is hosted and not where the user's account lives.
What's more, it opens the door to a scenario where the user can become an unprotected guest in a malicious environment that's dictated by the attacker's security policies.
Source: The Hacker News
