Critical Microsoft Teams Flaw Puts Millions of Corporate Users at Risk
Microsoft Teams has rapidly evolved into one of the world’s most widely used business communication platforms, driving companies to invest heavily in Microsoft Defender for Office 365 and other defensive tools. These protections are designed to guard against phishing attempts, malware delivery, and unsafe links shared internally. Yet, new research from cybersecurity firm Ontinue shows that a major vulnerability lies not in what happens within an organization’s own Teams environment, but in what happens the moment collaboration extends outside of it.
At the core of the issue is Microsoft Teams’ B2B Guest Access feature, which allows employees to join other organizations’ chats and channels. According to Ontinue, the security controls that protect users inside their own network do not follow them into external tenants. Once an employee accepts a guest invitation, their home security safeguards—such as Safe Links, which scans URLs for threats, and Zero-hour Auto Purge, which removes malicious content retroactively—stop protecting them. This places the user at the mercy of whatever security controls exist in the hosting organization.
This is where attackers have found a gap to exploit. Ontinue’s research explains that adversaries can create their own Microsoft 365 environment using a basic subscription or even a free trial. These low-cost tenants typically lack advanced protections like Microsoft Defender by default, and an attacker has no reason to add them. This creates an ideal trap: a “protection-free zone” where attackers can send malware or phishing links without being detected or blocked by the victim’s usual defenses.
The risk has intensified due to a new Teams update (MC1182004), rolled out in November 2025, which enables users to start chats with any email address—even those outside of Microsoft Teams. Because this feature is enabled by default for many organizations, victims receive authentic Microsoft invitations that require only a single click to join an unsafe tenant. Combined with widespread default settings that allow guest invites from virtually any organization, attackers now have a simple and scalable path to infiltrate targets.
Cybersecurity leaders warn that this is not a flaw that can be fixed with a software patch, but rather a structural problem that requires policy change. Industry experts, including Keeper Security’s CISO Shane Barney, emphasize that the familiar Teams interface gives users a false sense of continuity. Employees often assume they remain protected when switching environments, without realizing their security posture changes instantly based on the host’s settings.
As a result, experts are urging organizations to tighten their configurations immediately. Recommendations include restricting guest access to only trusted domains, monitoring outside collaboration carefully, and disabling B2B meetings from unknown or unverified sources. Until Microsoft develops a more unified security approach for cross-tenant collaboration, companies must take the lead in protecting users from malicious environments disguised as legitimate business interactions.
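The “restrict guest access to trusted domains” recommendation above maps to Entra ID’s cross-tenant access settings, which govern whether your users may accept guest invitations into other tenants (outbound B2B collaboration). The following PowerShell is an added example, not code from the article, Ontinue, or Microsoft; it assumes the Microsoft.Graph PowerShell SDK, the Policy.ReadWrite.CrossTenantAccess permission, and uses a constructed placeholder domain list ($TrustedDomains).

```powershell
# Added example (not from the article): audit and harden Entra ID outbound
# B2B collaboration defaults. Assumes Microsoft.Graph SDK is installed.
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.CrossTenantAccess"

# 1. Audit: is outbound B2B collaboration open to every external tenant?
$defaults = Get-MgPolicyCrossTenantAccessPolicyDefault
$outbound = $defaults.B2BCollaborationOutbound
"Outbound B2B users/groups accessType : $($outbound.UsersAndGroups.AccessType)"
"Outbound B2B applications accessType : $($outbound.Applications.AccessType)"
if ($outbound.UsersAndGroups.AccessType -eq "allowed") {
    Write-Warning "Users may accept guest invitations from ANY tenant (the service default)."
}

# 2. Partner settings are keyed by tenant ID, not domain. Resolve the ID from the
#    partner's public OpenID discovery document (no authentication needed).
function Get-TenantIdFromDomain([string]$Domain) {
    $cfg = Invoke-RestMethod "https://login.microsoftonline.com/$Domain/v2.0/.well-known/openid-configuration"
    # issuer looks like https://login.microsoftonline.com/<tenant-id>/v2.0
    return ($cfg.issuer -split "/")[3]
}

# 3. Harden: first allow outbound collaboration only for vetted partner tenants ...
$TrustedDomains = @("partner.example")   # constructed placeholder; replace with vetted domains
$allowAll = @{
    usersAndGroups = @{ accessType = "allowed"; targets = @(@{ target = "AllUsers"; targetType = "user" }) }
    applications   = @{ accessType = "allowed"; targets = @(@{ target = "AllApplications"; targetType = "application" }) }
}
foreach ($domain in $TrustedDomains) {
    $tid = Get-TenantIdFromDomain $domain
    New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter @{
        tenantId                 = $tid
        b2bCollaborationOutbound = $allowAll
    }
}

# ... then block it for every other tenant by changing the default.
$blockAll = @{
    usersAndGroups = @{ accessType = "blocked"; targets = @(@{ target = "AllUsers"; targetType = "user" }) }
    applications   = @{ accessType = "blocked"; targets = @(@{ target = "AllApplications"; targetType = "application" }) }
}
Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter @{ b2bCollaborationOutbound = $blockAll }
```

Inbound guest access (who may invite guests into your tenant) and Teams external chat are separate settings and are not changed by this script.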
ITCPEacademy.org from Executive IT Forums, Inc.
Educational Programs on Information Technology, Governance, Risk Management, & Compliance (GRC).