Guest Chat: Cyber Researchers Find Critical Flaw in New Teams Feature

A newly launched Teams feature meant to simplify external communication has instead opened the door to a serious security vulnerability, researchers warn.


Published: December 1, 2025

Kristian McCann

Microsoft’s pursuit of incrementally improving Teams has hit a snag, as researchers warn that a newly launched feature has created a worrying security risk.

The recently introduced guest chat feature can allow malicious actors to bypass a victim organization’s standard security protections and deliver malware or phishing links directly to unsuspecting users.

The discovery, made by security firm Ontinue, is what experts are calling a “fundamental architectural gap” in the platform’s design.

Microsoft has declined to respond to media inquiries about the vulnerability since its discovery; the researchers, however, have outlined how the issue can be abused in practice.

The Feature Behind the Flaw

This vulnerability stems from a major new feature that Microsoft launched in November 2025 to make Teams far more useful for communicating with people who don’t use the platform or even have Microsoft accounts.

The update extends Teams’ use from an internal collaboration tool into something closer to a universal messaging platform that can reach anyone with an email address.

Previously, bringing external participants into Teams conversations required navigating a cumbersome administrative process. Guest access needed to be configured at the tenant level, IT departments had to approve external users, and security groups required careful adjustment to maintain proper controls.

Microsoft’s solution was to strip away virtually all of these barriers. The new feature allows any Teams user to send an invitation link directly to anyone’s email inbox. Once the recipient clicks that link, they can immediately start chatting within the Teams interface—no app installation required, no admin approval needed, and no Microsoft account necessary.

By removing the Microsoft account requirement, the platform could compete more directly with other messaging applications while still serving as the backbone for enterprise collaboration.

However, the ease of access that makes the feature attractive to users also created the security vulnerability researchers have now identified.

How Attackers Exploit the Architectural Gap

The attack method exploits a fundamental design decision about how security controls apply when users communicate across different Teams environments.

When someone accepts a guest chat invitation and joins a conversation, they do not operate under their own organization’s security protections.

“When users operate as guests in another tenant, their protections are determined entirely by that hosting environment, not by their home organization,” Ontinue security researcher Rhys Downing said in a report.

This is where the danger lies. In practice, a malicious actor can set up their own Teams tenant with deliberately minimal security controls. They can configure that environment to lack the protective measures most organizations implement as standard: no malware scanning on file uploads, no link protection, no data loss prevention policies, and no threat detection.

With this intentionally weakened tenant in place, the attacker sends guest chat invitations whose emails are delivered through Microsoft’s own legitimate email infrastructure, so they look nothing like a crafted phishing message. When a victim accepts the invitation, they enter the attacker’s Teams environment and are immediately subject only to the security controls the attacker has chosen to implement.

The victim can now receive malicious files or phishing links without triggering alerts. Because the conversation takes place in a tenant the victim’s organization does not administer, its tenant-side security controls (email filters, secure gateways, link and attachment scanning, and monitoring tools) never see what is being shared. Endpoint protection on the victim’s device remains the last line of defense, and it acts only once a file has already been downloaded.

The attacker can distribute malware-laden documents that would normally be quarantined, share phishing links that would typically be blocked, or conduct business email compromise schemes by building trust through extended conversations.

Users are often taught to avoid clicking unrecognized or suspicious links, but many assume their company’s security controls still apply when they are using Teams. As a result, they let their guard down.

Protecting Your Organization From This Threat

Organizations need to implement several critical defensive measures immediately to mitigate risks while Microsoft works on addressing the underlying architectural problems. Waiting for a vendor fix is not an option when the feature is already enabled by default across millions of business accounts.

An effective immediate action is restricting external Teams invitations to trusted domains only. Most businesses can identify their regular partners, clients, and vendors who legitimately need this communication channel.

By configuring Teams to accept external chat invitations exclusively from these pre-approved domains, IT teams can dramatically reduce exposure to opportunistic attacks while maintaining necessary business relationships.

For organizations handling particularly sensitive data or operating in highly regulated industries, disabling the external chat feature entirely may be the most prudent approach until Microsoft resolves the architectural vulnerabilities.
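The domain allow-list and the full shut-off described above, as an added PowerShell example that is not part of the Ontinue report or of Microsoft’s own guidance quoted in the article. It assumes the MicrosoftTeams PowerShell module is installed, that the operator holds a Teams administrator role, and that the guest chat feature honours the tenant’s external access (federation) configuration exposed by Set-CsTenantFederationConfiguration; the article does not name the specific admin switch, so confirm that assumption against Microsoft’s current documentation before relying on it. The domain names are a constructed sample.

```powershell
# Added example (not the article's or Microsoft's code). Assumes the MicrosoftTeams
# module and a Teams admin role. Assumption: the guest chat feature is governed by the
# tenant federation configuration; verify against current Microsoft documentation.

Connect-MicrosoftTeams

# 1. Record the current posture so the change can be reviewed and reverted.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
    AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers

# 2. Build an allow list from the partner domains the business actually works with.
#    Once an allow list is set, external chat with any domain not on it is refused.
$trustedDomains = @('partner.example', 'vendor.example', 'client.example')  # constructed sample
$patterns  = $trustedDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

Set-CsTenantFederationConfiguration -AllowedDomains $allowList

# 3. Close the side doors an attacker-controlled environment could still reach through:
#    personal (consumer) Teams accounts and public Skype users.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                     -AllowTeamsConsumerInbound $false `
                                     -AllowPublicUsers $false

# 4. Verify: the allow list should now contain exactly the trusted domains.
$after = Get-CsTenantFederationConfiguration
$after.AllowedDomains

# Alternative for high-sensitivity or regulated tenants: turn external access off
# entirely until the architectural issue is resolved. Uncomment to apply.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
```

Run step 1 and compare the output with step 4 in a change record; the allow list replaces whatever was configured before rather than merging with it, so any partner domain left off the list loses external chat immediately.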

Most crucially, employee education becomes essential in defending against this threat. Staff need to understand that using this feature may place them in a security environment different from their own, and they should therefore act with the same skepticism they would apply to unexpected emails.

Security teams could also establish clear protocols for handling unexpected Teams guest invitations. This might include mandatory reporting of all external invitations to IT security, requiring manager approval before accepting invitations from new contacts, or implementing verification processes where employees must independently confirm invitation legitimacy through separate communication channels.

These human-layer defenses matter because the conversation happens in a tenant the victim’s organization neither administers nor monitors, which leaves its own tooling with little to inspect and makes automated detection extremely difficult.

The Collision of Convenience and Security

This vulnerability represents more than a single technical flaw; it exposes the fundamental challenge enterprise collaboration platforms face as they push toward greater openness and accessibility.

Microsoft’s drive to make Teams a universal communication tool reflects genuine market demands and user needs. Businesses want to communicate seamlessly with partners, clients, and vendors without friction, and consumers increasingly expect workplace tools to work as smoothly as their personal messaging apps.

However, this incident demonstrates the difficulty of doing this in an increasingly tumultuous cyber landscape.

Security architecture must evolve in lockstep with accessibility features rather than being bolted on afterward. Yet the fact that this feature shipped enabled by default suggests the convenience imperative somewhat outweighed security considerations.

For businesses, this incident serves as a stark reminder that new features from even the most trusted vendors require careful security evaluation before deployment.
