Microsoft's upcoming update for Teams, scheduled for targeted release in early November 2025 and worldwide rollout by January 2026, will introduce a feature that lets users start a chat with nothing more than an email address, even when the recipient is not a registered Teams user. Microsoft positions this as more flexible communication, but security experts are concerned that a default-enabled feature of this kind widens the attack surface for phishing and malware delivery.
Increased Attack Vector
The core issue is the feature's breadth. The update lets any external email recipient join a chat as a guest, on every platform Teams supports (Android, desktop, iOS, Linux, and Mac). Because a chat can be opened with an arbitrary external address, with no prior relationship or validation of the other party, Teams becomes a larger and more attractive target for malicious actors.
Phishing actors could spoof legitimate-looking chat invitations to trick employees into clicking malicious links or handing over credentials. A fake "chat request" from a supposed business partner, for example, could carry a malicious attachment or link, using the guest join flow to push ransomware or spyware straight into an organization's chat threads.
Security researchers note that this pattern mirrors OAuth phishing campaigns, in which attackers impersonate trusted services to harvest data. Although these guest chats remain subject to the tenant's Entra B2B guest policies, the risk of inadvertent data exposure is high: employees may unknowingly disclose proprietary information to impostors, leading to intellectual property theft or breaches of compliance obligations such as GDPR.
Risks in Hybrid Environments
In practice, the change could amplify threats in hybrid work environments. If an employee chats with a "prospective client" whose mailbox has been compromised, the attacker gains a trusted conversational foothold inside the organization's boundary, one that can be used to eavesdrop and as a stepping stone toward broader access.
Malware distribution also becomes simpler. Files shared by a guest, whether forwarded inadvertently or planted deliberately, travel inside the Teams ecosystem and may bypass the email security filters organizations rely on.
Microsoft acknowledges that the change affects all users and has urged organizations to update their documentation and train support teams. Because the feature is enabled by default, however, many firms may not notice it until a security incident forces the issue.
Mitigation for Administrators
Admins are not powerless against this new risk. The email-based external chat functionality can be disabled from PowerShell by setting UseB2BInvitesToAddExternalUsers to false in the relevant TeamsMessagingPolicy (the Global policy covers every user without a custom policy assignment, so custom policies need the same change). This restores the tighter pre-update behaviour, in which external chat is limited to users already permitted by the tenant's external access and guest settings. Experts strongly recommend pairing this fix with enforced multi-factor authentication, regular policy audits, and user awareness training to counter sophisticated phishing attempts. As Teams evolves, balancing innovation with security remains crucial so that convenience does not become a cybercriminal's gateway.
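The following script is an added example for this article, not Microsoft's own guidance or code. It audits every Teams messaging policy in a tenant for the setting discussed above, turns it off wherever it is on, and verifies the result. It assumes the MicrosoftTeams PowerShell module is installed and the operator holds a Teams administrator role; the optional final step additionally assumes the Microsoft.Graph module and the Policy.Read.All scope.

```powershell
# Added example (not from the original article): audit and disable
# email-based external chat invites across all Teams messaging policies.
# Assumes: MicrosoftTeams module installed, Teams admin role.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Audit. Users with no explicit policy assignment fall under "Global";
#    custom policies appear as "Tag:<Name>". Check all of them, not just Global.
$policies = Get-CsTeamsMessagingPolicy |
    Select-Object Identity, UseB2BInvitesToAddExternalUsers

$open = $policies | Where-Object { $_.UseB2BInvitesToAddExternalUsers -eq $true }

if ($open) {
    Write-Host "Policies that still allow email-based external chat invites:"
    $open | Format-Table -AutoSize
}
else {
    Write-Host "No messaging policy allows email-based external chat invites."
}

# 2. Remediate: set the flag to $false on every policy that has it enabled.
foreach ($p in $open) {
    Set-CsTeamsMessagingPolicy -Identity $p.Identity -UseB2BInvitesToAddExternalUsers $false
    Write-Host "Disabled UseB2BInvitesToAddExternalUsers on '$($p.Identity)'"
}

# 3. Verify. Every row should now show False.
Get-CsTeamsMessagingPolicy |
    Select-Object Identity, UseB2BInvitesToAddExternalUsers |
    Format-Table -AutoSize

# 4. Optional: the Teams setting sits on top of the Entra B2B invitation policy.
#    Confirm who is allowed to invite guests at the directory level.
#    Assumes: Microsoft.Graph module, Policy.Read.All scope.
#    Possible values: none, adminsAndGuestInviters,
#    adminsGuestInvitersAndAllMembers, everyone.
Connect-MgGraph -Scopes "Policy.Read.All"
(Get-MgPolicyAuthorizationPolicy).AllowInvitesFrom
```

Policy changes in Teams do not apply instantly; allow some hours for propagation before treating a still-open chat path as a misconfiguration. Step 4 is a read-only check: if AllowInvitesFrom is broader than the organization intends, tightening it belongs in a separate, reviewed change rather than in the same script.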