CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Microsoft Teams Guest Access Loophole Lets Attackers Bypass Defender Protections

A newly documented security gap in Microsoft Teams’ B2B Guest Access model allows attackers to bypass Microsoft Defender for Office 365 protections entirely. Security researchers at Ontinue have demonstrated that once an employee accepts a Teams guest invitation from an external tenant, their home organization’s defenses—including Safe Links and Zero-hour Auto Purge—no longer apply. Threat actors are abusing this design flaw to deliver phishing links, malware, and social engineering campaigns from what appears to be a legitimate Teams environment.

Context

Microsoft Teams is used globally as the backbone of business communication. Organizations invest heavily in security layers, such as Microsoft Defender for Office 365, to block malicious files, URLs, and phishing attempts.

However, collaboration between companies relies on a cross-tenant model called B2B Guest Access. In this model, employees often join external Teams workspaces for projects, contracts, or shared workflows. Ontinue’s new research highlights that this widely used mechanism contains an architectural blind spot.

What Happened

Ontinue discovered that when an employee joins another organization’s Teams tenant as a guest, their home organization’s protections instantly stop applying. Instead, security settings are dictated entirely by the hosting environment—which may have minimal or no security controls at all.

Attackers are exploiting this by:

  • Creating low-cost or trial Microsoft 365 tenants

  • Turning off all security policies

  • Sending Teams guest invitations to employees

  • Delivering malicious links or files inside the unprotected tenant

The release of Microsoft’s November 2025 feature (MC1182004), which enables messaging with any email address by default, has dramatically increased the attack surface.

Technical Breakdown

Key weaknesses enabling the bypass:

  • Security inheritance shifts to the hosting tenant:
    Safe Links, Safe Attachments, ZAP, and other Defender capabilities stop protecting the user.

  • Default-open policies:
    Most organizations allow guest access from any external domain.

  • New Teams messaging expansion:
    Attackers can invite employees with a single click using a legitimate Microsoft invitation flow.

  • Low barrier to entry:
    Creating a malicious tenant requires only a basic subscription or free trial.

Impact:

Inside the attacker-controlled tenant, adversaries can:

  • Deliver phishing URLs without Safe Links scanning

  • Send malware without Defender filtering

  • Exfiltrate data or conduct social engineering

  • Masquerade as trusted contacts

  • Pivot based on contextual information shared in Teams channels

Impact Analysis

This weakness has broad implications because:

  • Teams is deeply integrated into day-to-day workflows

  • Users trust the familiar Teams interface

  • Security teams mistakenly assume Defender protections follow users across tenants

  • Attackers can scale this method cheaply and globally

Organizations with widespread external collaborations are at highest risk.

Why It Matters

This is not a software bug—it is a design-level security gap. The trust boundary shifts invisibly from the employee’s organization to the attacker’s environment the instant a guest invitation is accepted.

This makes social engineering dramatically easier and allows attackers to bypass enterprise-grade security tools using nothing more than default Teams features.

Expert Commentary

Shane Barney, CISO, Keeper Security

“The familiar interface gives the impression that security remains consistent, but safeguards depend entirely on the hosting tenant.”

Julian Brownlow Davies, SVP Offensive Security, Bugcrowd

“The moment users cross into someone else’s tenant, their Defender protections vanish.”

Agnidipta Sarkar, Chief Evangelist, ColorTokens

“Until Microsoft addresses this issue, organizations must proactively block unknown B2B Teams meetings and enforce domain restrictions.”

Key Takeaways

  • Guest Access in Teams bypasses Microsoft Defender protections

  • Attackers can weaponize low-cost Microsoft tenants for phishing and malware delivery

  • New Teams features increase the ease of exploitation

  • Organizations must immediately restrict guest access to trusted domains

  • Security awareness training must include cross-tenant risks

  • Defender hardening does not protect users outside their home tenant
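To support the takeaway about restricting guest access to trusted domains, the following added example (not from the newsletter or Ontinue's research) reviews sign-in records for employees who authenticated as B2B guests into external tenants that are not on an allowlist. The record field names are an assumption modelled on Entra ID sign-in log fields, and the tenant IDs, users and log lines are constructed.

```python
import json
from collections import defaultdict

HOME_TENANT = "tenant-home"            # constructed placeholder for your tenant ID
TRUSTED_TENANTS = {"tenant-partner"}   # constructed allowlist of vetted partner tenants

# Constructed sample export, one JSON record per line. Field names are an
# assumption modelled on Entra ID sign-in log fields.
SAMPLE_LOG = """
{"createdDateTime": "2025-11-20T09:14:02Z", "userPrincipalName": "alice@example.com", "homeTenantId": "tenant-home", "resourceTenantId": "tenant-partner", "crossTenantAccessType": "b2bCollaboration"}
{"createdDateTime": "2025-11-21T13:40:55Z", "userPrincipalName": "bob@example.com", "homeTenantId": "tenant-home", "resourceTenantId": "tenant-unknown", "crossTenantAccessType": "b2bCollaboration"}
{"createdDateTime": "2025-11-21T08:05:10Z", "userPrincipalName": "carol@example.com", "homeTenantId": "tenant-home", "resourceTenantId": "tenant-unknown", "crossTenantAccessType": "b2bCollaboration"}
{"createdDateTime": "2025-11-21T08:30:00Z", "userPrincipalName": "bob@example.com", "homeTenantId": "tenant-home", "resourceTenantId": "tenant-home", "crossTenantAccessType": "none"}
{"createdDateTime": "2025-11-22T10:00:00Z", "userPrincipalName": "vendor@example.net", "homeTenantId": "tenant-vendor", "resourceTenantId": "tenant-home", "crossTenantAccessType": "b2bCollaboration"}
not-json
"""

def parse_records(log_text):
    """Parse JSON-lines text, skipping blank or malformed lines."""
    records = []
    for line in log_text.splitlines():
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def untrusted_guest_signins(records, home_tenant, trusted_tenants):
    """Group outbound guest sign-ins by external tenant not on the allowlist."""
    findings = defaultdict(lambda: {"users": set(), "first_seen": None})
    for rec in records:
        if rec.get("homeTenantId") != home_tenant:
            continue  # inbound guest from another tenant, not one of our users
        if rec.get("crossTenantAccessType") != "b2bCollaboration":
            continue  # ordinary sign-in inside the home tenant
        tenant = rec.get("resourceTenantId")
        if not tenant or tenant == home_tenant or tenant in trusted_tenants:
            continue
        entry = findings[tenant]
        entry["users"].add(rec.get("userPrincipalName", "unknown"))
        ts = rec.get("createdDateTime")
        # ISO 8601 UTC timestamps compare correctly as strings
        if ts and (entry["first_seen"] is None or ts < entry["first_seen"]):
            entry["first_seen"] = ts
    return {t: {"users": sorted(v["users"]), "first_seen": v["first_seen"]}
            for t, v in findings.items()}

if __name__ == "__main__":
    report = untrusted_guest_signins(parse_records(SAMPLE_LOG), HOME_TENANT, TRUSTED_TENANTS)
    print(json.dumps(report, indent=2))
```

Each tenant in the report is a candidate for review: either add it to the allowlist after vetting or block it in the organization's outbound guest access settings.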
