Microsoft Teams guest access could let hackers bypass some critical security protections
New feature, new worries
- Microsoft Teams guest chat feature creates unprotected attack vector for malware and phishing
- Guests rely on host’s security, enabling malicious actors to bypass usual protections
- Businesses advised to restrict external invites, disable chats, and train staff on phishing risks
A new feature recently added to Microsoft Teams has also introduced a “fundamental architectural gap” - a vulnerability that could be exploited to drop malware, share phishing links and more - all without triggering the usual security alarms, experts have warned.
Cybersecurity researchers at Ontinue found that the guest access feature in Microsoft Teams creates an unprotected attack vector.
The feature lets any Teams user start a new chat with anyone, just by their email address, meaning even if the recipient doesn’t use Teams, they can get an invite via email and join the chat as a guest. By default, this feature is enabled for eligible licenses (SMB licenses such as Teams Essentials, Business Basic, Business Standard, etc.).
Bypassing security protocols
However, when someone joins another person’s Teams environment as a guest, they do not bring their own security protocols with them - they are protected only by whatever security protocols their host has in place.
So, if the host is malicious and has no security protocols, they could share malicious files with the guests without triggering any alarms. And since the communication happens outside the victim’s own environment, the victim’s own tooling won’t flag the risk either.
In theory, a threat actor could impersonate someone, invite the victim for a Teams chat, and have them open a phishing link, or download malware. Since the invitation is sent by Microsoft’s own infrastructure, and the actual chat happens in Teams, the victim might lower their guard.
At the moment, Microsoft is keeping quiet about it and has yet to respond to media inquiries.
In the meantime, businesses are advised to limit external Teams invitations to trusted domains only, and control cross-tenant access.
Furthermore, they could disable external chats and should educate their employees about phishing attacks and unsolicited messages - regardless of the platform they’re coming from.
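As an added example (not from the article or from Ontinue), the following Teams PowerShell session applies two of the controls the article recommends: restricting external (federated) chat to an allow-list of trusted domains, and, for organizations that want the stricter stance, switching off external chat and guest access entirely. The cmdlets are from Microsoft's MicrosoftTeams PowerShell module; the domain names are constructed placeholders. The third control, cross-tenant access, is configured in Microsoft Entra rather than through these cmdlets and is not shown here.

```powershell
# Added example: harden Teams external access with the MicrosoftTeams PowerShell module.
# Domain names are constructed placeholders; replace them with partners' verified domains.
Connect-MicrosoftTeams

# 1. Record the current federation settings before changing anything, so the
#    change can be reviewed and rolled back if a legitimate partner breaks.
$before = Get-CsTenantFederationConfiguration
Write-Host "Before: AllowFederatedUsers=$($before.AllowFederatedUsers) AllowTeamsConsumer=$($before.AllowTeamsConsumer)"

# 2. Replace the open "any domain" default with an explicit allow-list.
#    Only chats and invitations from these tenants will be accepted.
$trustedDomains = @("partner-a.example", "partner-b.example")   # placeholders
$patterns  = $trustedDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowedDomains $allowList

# 3. Block chats from personal (consumer) Teams and Skype accounts. These belong
#    to no tenant, so no tenant's security policy ever applies to what they send.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false `
                                    -AllowPublicUsers $false

# 4. Stricter option the article mentions: disable external chat and guest
#    access altogether. Left commented out because it also cuts off legitimate
#    partner collaboration; enable deliberately, not by default.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
# Set-CsTeamsClientConfiguration -AllowGuestUser $false

# 5. Verify the result. AllowedDomains should now list only the trusted tenants.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                  AllowPublicUsers, AllowedDomains
```

Run it in a test tenant first and keep the output of step 1: an allow-list that omits a real partner domain silently drops their chats, and the complaint will arrive through the help desk rather than a security alert.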
Via The Hacker News

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.