Ontinue security researchers have discovered a “cross-tenant blind spot” in Microsoft Teams that allows attackers to bypass Microsoft Defender for Office 365 protections using the guest access feature.

The problem is that when a user operates as a guest in an external tenant, their security protections are determined entirely by the hosting environment, and not by the security policies of their home organization. This fundamental architectural gap opens the door to attack scenarios where users become unprotected guests in a malicious environment controlled by the attacker.

The New Collaboration Context in Teams

The finding comes as Microsoft is rolling out a new feature in Teams that allows users to chat with anyone via email, even if they don’t use the business platform. This feature, expected to be globally available by January 2026, simplifies external collaboration by sending automatic email invitations to join a chat session as a guest.

Although the new feature is enabled by default, organizations can disable it by using the TeamsMessagingPolicy policy and setting the UseB2BInvitesToAddExternalUsers parameter to false. However, this setting only prevents users from sending invitations; it does not prevent them from receiving invitations from external tenants.

The Attack Scenario: “Protection Free Zones”

Ontinue researchers describe a hypothetical attack scenario that exploits this blind spot:

  1. Attacker Preparation: A threat actor creates a malicious Microsoft 365 tenant. The tenant uses a low-cost license, such as Teams Essentials or Business Basic, which does not include Microsoft Defender for Office 365 by default. This creates a “protection-free zone” where no security scans are applied.
  2. Sending a Malicious Invitation: The attacker performs reconnaissance on the target and then starts a Teams chat with the victim’s email address. Teams automatically sends an invitation to the victim’s email to join the chat as a guest.
  3. Bypassing Email Defenses: Since the invitation message originates from Microsoft infrastructure, the email effectively passes the victim organization’s SPF, DKIM, and DMARC checks. This makes email security solutions unlikely to flag the message as malicious.
  4. Attack Execution: If the victim accepts the invitation, they gain guest access to the attacker’s tenant. In this unprotected environment, the threat actor can send phishing links or attachments loaded with malware, taking advantage of the lack of Safe Links and Safe Attachments scans.

The main concern is that the victim organization remains completely unaware of the situation, as the attack occurs outside its security perimeter. Its security controls are never activated because the conversation is hosted in the attacker’s tenant.

Mitigation Recommendations

To protect against this line of attack, the researchers recommend that organizations take the following measures:

  • Restrict B2B Collaboration: Configure B2B collaboration to allow guest invitations only from trusted domains.
  • Cross-Tenant Access Controls: Implement cross-tenant access controls to manage how users interact with external environments.
  • Restrict External Communication: Limit external Teams communication if it is not strictly necessary for the organization’s operations.
  • User Awareness: Train users to be aware of unsolicited Teams invitations from external sources.
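The first two recommendations, together with the TeamsMessagingPolicy setting mentioned earlier, can be applied from an admin workstation. The following PowerShell is an added illustration, not configuration from Ontinue or Microsoft; it assumes the MicrosoftTeams and Microsoft.Graph modules, admin consent for the listed Graph scopes, and uses a placeholder partner domain. The cross-tenant cmdlet names and the setting structure are taken from the Microsoft Graph PowerShell SDK as the author understands them; the UseB2BInvitesToAddExternalUsers parameter name comes from the article itself.

```powershell
# Added example (not from the Ontinue write-up): hardening a home tenant so its
# users cannot be pulled into an unprotected external tenant as guests.
# Placeholder values are marked; verify cmdlet availability in your module versions.

# 1) Teams side: stop your own users from sending B2B invites from chat.
#    As the article notes, this does not stop them from RECEIVING invitations.
Connect-MicrosoftTeams
Set-CsTeamsMessagingPolicy -Identity Global -UseB2BInvitesToAddExternalUsers $false

# 2) Entra side: the receiving direction. The default OUTBOUND B2B collaboration
#    setting decides whether your users may accept guest invitations from any
#    other tenant. Block it by default, then allow only trusted partner tenants.
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess", "CrossTenantInformation.ReadBasic.All"

# Weak (out-of-the-box) state: every user may become a guest in any tenant.
# Kept here because it is reused below as the per-partner allow setting.
$outboundAllowAll = @{
    usersAndGroups = @{ accessType = "allowed"; targets = @(@{ target = "AllUsers";        targetType = "user" }) }
    applications   = @{ accessType = "allowed"; targets = @(@{ target = "AllApplications"; targetType = "application" }) }
}

# Hardened default: no user may accept a guest invitation to an unknown tenant.
$outboundBlockAll = @{
    usersAndGroups = @{ accessType = "blocked"; targets = @(@{ target = "AllUsers";        targetType = "user" }) }
    applications   = @{ accessType = "blocked"; targets = @(@{ target = "AllApplications"; targetType = "application" }) }
}
Update-MgPolicyCrossTenantAccessPolicyDefault -B2bCollaborationOutbound $outboundBlockAll

# Allow-list: resolve each trusted partner's tenant ID from its domain and add a
# partner-specific setting that re-enables outbound collaboration for it only.
$trustedDomains = @("partner.example")   # placeholder: replace with real partner domains
foreach ($domain in $trustedDomains) {
    $uri  = "https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByDomainName(domainName='$domain')"
    $info = Invoke-MgGraphRequest -Method GET -Uri $uri
    New-MgPolicyCrossTenantAccessPolicyPartner -TenantId $info.tenantId -B2bCollaborationOutbound $outboundAllowAll
}

# Verify: default outbound access should now read "blocked", with one partner entry per trusted domain.
(Get-MgPolicyCrossTenantAccessPolicyDefault).B2bCollaborationOutbound.UsersAndGroups.AccessType
Get-MgPolicyCrossTenantAccessPolicyPartner | Select-Object TenantId
```

Changing the default outbound setting does not remove guest memberships users already hold in other tenants; review those separately.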

Conclusion

Ontinue’s research highlights the need to reevaluate security policies in cloud collaboration environments. As platforms like Teams make external interaction easier, organizations should implement strict cross-tenant access controls to mitigate the risks associated with security blind spots that arise when operating in third-party environments.