Attackers can abuse Microsoft Teams guest chat to lure employees into “protection‑free” environments where Defender for Office 365 no longer shields them from malicious links or files.
The issue stems from how cross‑tenant collaboration is designed, not from an exploitable bug in Teams itself.
How The Attack Works
In November 2025, Microsoft began rolling out a feature (MC1182004) that lets any Teams user start a chat with “anyone with an email address,” even if that person has never used Teams before.
The recipient receives an invitation and, on acceptance, is added as a guest to the sender’s Microsoft 365 tenant and can chat, share files, and join calls from desktop, web, and mobile clients.
Security researchers warn that this model hides a key detail: once a user joins an external tenant as a guest, all Teams‑related protections are provided by the hosting (resource) tenant, not the user’s own organisation (home tenant).
Defender for Office 365 features such as Safe Links, Safe Attachments, Zero‑hour Auto Purge (ZAP), and time‑of‑click URL scanning only apply if the resource tenant owns the correct licences and policies and has them enabled.
An attacker can spin up a low‑cost Microsoft 365 tenant on a plan such as Teams Essentials or Business Basic, neither of which includes Defender for Office 365 (Plan 1 only arrives with Business Premium or as an add‑on).
In such “bare” environments, there are no Safe Links or Safe Attachments policies, no ZAP for Teams, and no advanced malware analysis, so malicious content flows unchecked.
The attacker then uses the “chat with any email” feature to invite targets identified through open‑source intelligence, such as LinkedIn, corporate sites, or breached contact lists.
Invitations are delivered via Microsoft infrastructure and pass SPF, DKIM, and DMARC, which means most email gateways treat them as trusted system messages.
If the victim already uses Teams, the invitation appears as an in‑app external chat request rather than an email, further lowering suspicion.

Once inside the attacker’s tenant, victims can receive phishing URLs that are never rewritten or scanned by Safe Links, as well as malware‑laden files that bypass Safe Attachments and are not automatically removed later by ZAP.
Because the entire exchange lives in the attacker’s tenant, the victim’s security team sees no Defender alerts, no suspicious URL blocks, and no incidents in their own console.
Mitigation and Response
The feature can be restricted at the tenant level, but not all controls are obvious.
Administrators can stop their own users from sending email‑based B2B invites through the Teams messaging policy, for example with Set-CsTeamsMessagingPolicy -Identity Global -UseB2BInvitesToAddExternalUsers $false in PowerShell (the -Identity is required, and any custom messaging policies assigned to users need the same change).
However, this only governs invites sent from the organisation's own tenant; it does not stop employees receiving, and accepting, invitations from other tenants.
To narrow who can collaborate as guests in the organisation's own tenant, Microsoft Entra External ID lets administrators restrict B2B invitations to an approved domain list under External collaboration settings.
Entra cross‑tenant access settings provide the layer that matters most for this scenario: inbound settings decide which external tenants' users can be invited in, while outbound B2B collaboration settings decide whether the organisation's own users may sign in to other tenants as guests at all, and for which users, groups, or apps. The default allows outbound collaboration with every tenant, so the practical fix is to block outbound B2B collaboration by default and allow only named partner tenants.
In parallel, Teams "External access" settings (federation) can be configured so that only specific external domains are allowed for chat and calling, rather than accepting traffic from any Microsoft 365 tenant by default. External access is a separate mechanism from guest (B2B) access, so this complements the Entra controls rather than replacing them.
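The following PowerShell is an added example, not part of the original article, showing the three controls above applied together and read back for verification. It assumes the MicrosoftTeams and Microsoft.Graph PowerShell modules are installed, an operator with Teams administrator rights and the Policy.ReadWrite.CrossTenantAccess Graph scope, and it uses placeholder values for the partner tenant ID and domain. Parameter and cmdlet names are those of the current modules; confirm them with Get-Help before running in production, and review existing guest relationships first, because blocking outbound B2B collaboration by default also cuts legitimate collaboration with tenants not on the partner list.

```powershell
# Added example (not from the article). Locks down the guest/B2B paths the
# article describes, then reads each setting back. Placeholder values below
# are assumptions and must be replaced.
$PartnerTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder partner tenant
$PartnerDomain   = 'partner.example'                        # placeholder partner domain

Connect-MicrosoftTeams

# 1. Stop our own users from creating guest invites from the Teams chat box.
#    -Identity Global is required; custom messaging policies need the same change.
Set-CsTeamsMessagingPolicy -Identity Global -UseB2BInvitesToAddExternalUsers $false
Get-CsTeamsMessagingPolicy | Select-Object Identity, UseB2BInvitesToAddExternalUsers

# 2. Teams external access (federation): explicit allow list instead of "any
#    Microsoft 365 tenant", and no chats from Teams personal (consumer) accounts.
$allowed = New-Object 'System.Collections.Generic.List[string]'
$allowed.Add($PartnerDomain)
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $allowed -AllowTeamsConsumer $false
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer

# 3. Entra cross-tenant access: block OUTBOUND B2B collaboration by default.
#    The chat in the attack lives in the attacker's tenant, so the question is
#    whether our users may sign in to a foreign tenant as guests at all.
Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'

$blockOutbound = @{
    b2bCollaborationOutbound = @{
        usersAndGroups = @{
            accessType = 'blocked'
            targets    = @(@{ target = 'AllUsers'; targetType = 'user' })
        }
        applications = @{
            accessType = 'blocked'
            targets    = @(@{ target = 'AllApplications'; targetType = 'application' })
        }
    }
}
Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter $blockOutbound

# 4. Re-open outbound B2B collaboration only for the approved partner tenant.
$allowPartner = @{
    tenantId = $PartnerTenantId
    b2bCollaborationOutbound = @{
        usersAndGroups = @{
            accessType = 'allowed'
            targets    = @(@{ target = 'AllUsers'; targetType = 'user' })
        }
        applications = @{
            accessType = 'allowed'
            targets    = @(@{ target = 'AllApplications'; targetType = 'application' })
        }
    }
}
New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter $allowPartner

# 5. Verify: default outbound should read "blocked", the partner "allowed".
(Get-MgPolicyCrossTenantAccessPolicyDefault).B2bCollaborationOutbound.UsersAndGroups.AccessType
Get-MgPolicyCrossTenantAccessPolicyPartner |
    Select-Object TenantId,
        @{ n = 'OutboundB2B'; e = { $_.B2bCollaborationOutbound.UsersAndGroups.AccessType } }
```

Step 1 on its own changes nothing for the attack, since it only governs invites sent by the organisation's own users; steps 3 and 4 are what prevent an employee from landing as a guest in an unvetted tenant, and step 2 closes the separate federation path. Run the Get- cmdlets alone first to record the current state before applying changes.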
Experts recommend pairing these technical controls with user awareness training that treats unexpected Teams guest invites like suspicious emails: users should verify the sending organisation, confirm the request out of band with known contacts, and be wary of external chats that quickly move to link sharing or remote‑tool requests.
Until organisations actively lock down B2B collaboration paths, attackers can continue to turn seemingly legitimate Teams guest chats into effective malware delivery channels that sidestep Defender for Office 365 entirely.