
    New Microsoft Teams Feature Exposes Users to Phishing and Malware Risks

    Microsoft is poised to roll out a significant update to Teams, enabling users to initiate chats with anyone using just an email address—even if the recipient isn’t a Teams user.

    While the feature, launching in targeted releases by early November 2025 and globally by January 2026, promises expanded connectivity across Android, desktop, iOS, Linux, and Mac platforms, security experts are voicing serious concerns about the security risks introduced by this change.

    The driving force behind this update is flexibility: organizations can effortlessly communicate with external contacts and partners, enhancing productivity in hybrid work settings.

    Guests receive an invite via email and join the conversation as external users, all governed under Microsoft Entra B2B Guest policies.

    This default-enabled feature breaks longstanding barriers to communication, reflecting Microsoft’s intent to streamline cross-company collaboration.

    However, this same broad accessibility substantially enlarges the attack surface for organizations.

    By permitting chats with any external email address—without prior validation or vetting—the new feature becomes susceptible to abuse by malicious actors.

    Phishing campaigns are the prime threat: attackers can easily craft legitimate-looking “chat request” invites, deceiving recipients into clicking on malicious links or revealing sensitive information.

    The potential for social engineering attacks skyrockets. A cybercriminal impersonating a known business partner or client could entice an employee to share credentials or confidential information—all under the guise of a Teams chat.

    Security researchers point out that this attack vector closely mirrors tactics observed in OAuth phishing campaigns, where adversaries successfully spoof trusted services to harvest data and escalate privileges.

    Field experts also note that, though external guests remain confined within the organization’s Teams boundary, the risk of inadvertent data exposure is significant.

    Employees might unknowingly leak proprietary or regulated information—such as intellectual property or data protected under GDPR compliance—if duped by a sophisticated impersonator.

    Another major security worry involves the distribution of malware. Files exchanged inside Teams aren’t always filtered by traditional email security measures.

    Attackers exploiting the guest feature can directly disseminate infected documents or links, introducing ransomware or spyware into organizational chats.

    With Teams acting as the attack vehicle, organizations may face a higher risk of undetected malware entry and lateral movement within their networks.

    Microsoft acknowledges the significant impact of this feature, urging administrators to update internal documentation and support processes for the change.

    Nevertheless, the default activation might cause some organizations to miss crucial adjustments—potentially echoing oversights like those seen in the SolarWinds breach, where default settings contributed to widespread compromise.

    To maintain control, Teams admins can turn off this external chat option using PowerShell by setting the UseB2BInvitesToAddExternalUsers attribute in TeamsMessagingPolicy to false—relocking the digital doors and restricting access to vetted B2B connections.
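One way to apply the setting described above across a tenant, as an added example that is not from the original article or from Microsoft. It assumes the MicrosoftTeams PowerShell module in a version that exposes `UseB2BInvitesToAddExternalUsers` and a Teams administrator role; the `-Remediate` switch is a hypothetical name used only in this script.

```powershell
#Requires -Modules MicrosoftTeams
# Added example: audit every Teams messaging policy for the setting named in the
# article and, only when -Remediate is passed, set it to false.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # hypothetical switch for this script: report-only unless set
)

Connect-MicrosoftTeams | Out-Null

$results = foreach ($policy in Get-CsTeamsMessagingPolicy) {
    # Custom policies are returned as "Tag:<name>"; strip the prefix for Set-.
    $name    = $policy.Identity -replace '^Tag:', ''
    $current = $policy.UseB2BInvitesToAddExternalUsers

    # Anything other than an explicit $false (including an unset value) is
    # reported as enabled, since the article describes the feature as on by default.
    $status = if ($current -eq $false) { 'AlreadyDisabled' } else { 'Enabled' }

    if ($Remediate -and $status -eq 'Enabled' -and
        $PSCmdlet.ShouldProcess($name, 'Set UseB2BInvitesToAddExternalUsers to false')) {
        try {
            Set-CsTeamsMessagingPolicy -Identity $name `
                -UseB2BInvitesToAddExternalUsers $false -ErrorAction Stop
            $status = 'Disabled'
        }
        catch {
            # Policies that cannot be modified (for example predefined ones) land here.
            $status = "Failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Policy = $name
        Before = $current
        Status = $status
    }
}

$results | Format-Table -AutoSize
```

Run it without switches to get a report of which policies still allow email-address invites, then with `-Remediate -WhatIf` to preview the changes before applying them.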

    Experts further advise enforcing multi-factor authentication, conducting regular policy reviews, and supplementing with targeted user awareness training to strengthen defenses against phishing attacks.

    As Microsoft Teams expands its communication capabilities, the importance of proactive security cannot be overstated.

    While enabling seamless collaboration is crucial in modern enterprises, vigilance is required to ensure that convenience does not equate to vulnerability.

    Organizations must adapt swiftly, deploying robust policies and user education to prevent this new feature from becoming the next gateway for cybercriminal exploits.
