Microsoft’s upcoming Teams update, rolling out in targeted releases in early November 2025 and worldwide by January 2026, introduces a feature that lets users initiate chats with only an email address even if recipients aren’t Teams users.
While designed to enhance collaboration, this functionality has triggered significant security concerns among cybersecurity experts who warn it could become a prime vector for phishing campaigns and malware distribution.
The new capability allows external participants to join Teams conversations as guests through email invitations, supporting seamless communication across Android, desktop, iOS, Linux, and Mac platforms.
Although intended to facilitate flexible work arrangements, the feature’s default-enabled status significantly expands the attack surface for malicious actors seeking to infiltrate organizational networks.
The fundamental security risk stems from the feature’s broad accessibility model. By permitting chat initiations with external email addresses without prior validation or verification processes, Teams creates an enlarged attack vector that threat actors can readily exploit.
Phishing attackers could craft convincing spoofed invites masquerading as legitimate business communications, deceiving users into clicking malicious links or divulging sensitive credentials.
A realistic attack scenario involves cybercriminals sending fake “chat requests” that appear to originate from supposed business partners or clients.
These fraudulent invitations could embed malware payloads designed to exploit the guest join mechanism, delivering ransomware or spyware directly into organizational chat environments.
Security researchers have drawn parallels to OAuth phishing campaigns, where attackers impersonate trusted services to harvest credentials and sensitive data.
Data Exposure and Compliance Risks
While Microsoft indicates that chats remain governed by Entra B2B Guest policies and stay within organizational boundaries, the risk of inadvertent data exposure remains substantial.
Employees might unknowingly share proprietary information with impostors posing as legitimate contacts, resulting in intellectual property theft or serious compliance violations under regulations such as GDPR and other data protection frameworks.
The threat amplifies considerably in hybrid work environments where teams frequently communicate with external parties.
Consider a sales department engaging with a “prospective client” through an email-based Teams invite: if that contact is compromised or malicious, attackers gain immediate access to eavesdrop on conversations, escalate privileges, or deploy social engineering tactics to extract additional sensitive information.
Additionally, malware distribution becomes significantly easier since guest participants could inadvertently forward infected files within the Teams ecosystem, effectively bypassing traditional email security filters and endpoint protection systems that organizations typically rely upon.
Mitigations
Microsoft acknowledged the security implications, stating that the change affects all users and urging organizations to update internal documentation and train support teams accordingly.
However, the default activation setting means many organizations could overlook this feature until security incidents occur, a pattern reminiscent of past oversights like the SolarWinds breach, where unpatched features and misconfigurations fueled widespread compromise.
Fortunately, administrators aren’t without recourse. Organizations can turn off the feature through PowerShell by setting the UseB2BInvitesToAddExternalUsers attribute in TeamsMessagingPolicy to false, effectively blocking external email-based chat initiations and restoring tighter access controls.
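As an added illustration (not code from the article or from Microsoft), the following PowerShell audits every Teams messaging policy for the UseB2BInvitesToAddExternalUsers setting named above and disables it where it is enabled. It assumes the MicrosoftTeams module is installed, the session holds a Teams administrator role, and the setting is exposed as a boolean policy property, as the article states.

```powershell
# Added example, not from the article or Microsoft's documentation.
# Assumes: MicrosoftTeams module installed, Teams admin role, and that
# UseB2BInvitesToAddExternalUsers is a boolean property of each
# TeamsMessagingPolicy (as the article describes).
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

function Get-B2BInviteExposure {
    # Return every messaging policy (Global and custom) that still allows
    # users to start chats with external parties by email address alone.
    Get-CsTeamsMessagingPolicy |
        Where-Object { $_.UseB2BInvitesToAddExternalUsers -eq $true } |
        Select-Object Identity, UseB2BInvitesToAddExternalUsers
}

function Disable-B2BInvites {
    param([Parameter(Mandatory)] [string[]] $PolicyIdentity)
    foreach ($id in $PolicyIdentity) {
        # Turn the feature off per policy rather than only on Global, since a
        # custom policy assigned to a user overrides the Global setting.
        Set-CsTeamsMessagingPolicy -Identity $id -UseB2BInvitesToAddExternalUsers $false
    }
}

$exposed = Get-B2BInviteExposure
if ($exposed) {
    Write-Host "Policies allowing email-based external chat initiation:"
    $exposed | Format-Table -AutoSize
    Disable-B2BInvites -PolicyIdentity $exposed.Identity

    # Re-read the policies to confirm the change; policy propagation can lag,
    # so anything still reported here should be re-checked later.
    Get-B2BInviteExposure | ForEach-Object {
        Write-Warning "Still enabled after change: $($_.Identity)"
    }
} else {
    Write-Host "No messaging policy allows email-based external chat initiation."
}
```

Re-run the audit after the rollout reaches the tenant, since a default-enabled feature may appear in policies created later.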
Cybersecurity experts strongly recommend implementing a layered defense strategy that includes disabling this feature, enforcing multi-factor authentication across all user accounts, conducting regular policy audits, and deploying comprehensive user awareness training programs specifically targeting phishing recognition and social engineering tactics.
As Microsoft Teams continues evolving its collaboration capabilities, the challenge of balancing innovation with robust security measures remains paramount.
This rollout serves as a critical reminder that proactive defense strategies in collaborative platforms are essential; otherwise, convenience features designed to enhance productivity could inadvertently become gateways for cybercriminals to exploit organizational vulnerabilities.