MS Teams Guest Access Can Remove Defender Protection When Users Join External Tenants
Briefly

"When users operate as guests in another tenant, their protections are determined entirely by that hosting environment, not by their home organization," Ontinue security researcher Rhys Downing said in a report. "These advancements increase collaboration opportunities, but they also widen the responsibility for ensuring those external environments are trustworthy and properly secured."
The development comes as Microsoft has begun rolling out a new feature in Teams that allows users to chat with anyone via email, including those who don't use the enterprise communications platform, starting this month. The change is expected to be globally available by January 2026. "The recipient will receive an email invitation to join the chat session as a guest, enabling seamless communication and collaboration," Microsoft said in its announcement. "This update simplifies external engagement and supports flexible work scenarios."
The feature is enabled by default, but organizations can turn it off using the TeamsMessagingPolicy by setting the "UseB2BInvitesToAddExternalUsers" parameter to "false." That said, this setting only prevents users from sending invitations to other users. It does not stop them from receiving invitations from external tenants.
A cross-tenant blind spot in Microsoft Teams guest access can allow attackers to bypass Microsoft Defender for Office 365 protections. Protections for a user operating as a guest are determined entirely by the hosting tenant rather than the user's home organization. Microsoft is rolling out a feature enabling chat via email invites, with recipients getting email invitations or in-app external message requests. The feature is enabled by default, but organizations can disable sending invitations via the TeamsMessagingPolicy parameter UseB2BInvitesToAddExternalUsers. That disablement prevents sending invites but does not stop users from receiving invitations from external tenants.
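An audit script for the setting named above, added here as an example and not taken from the article, Ontinue or Microsoft. It assumes the MicrosoftTeams PowerShell module is installed and that UseB2BInvitesToAddExternalUsers is exposed as a property on Get-CsTeamsMessagingPolicy and as a parameter on Set-CsTeamsMessagingPolicy, as the article describes; it lists every messaging policy (Global and custom) that still allows outbound invites and remediates only the Global one.

```powershell
# Added audit example (not from the article or Microsoft). Assumption: the
# UseB2BInvitesToAddExternalUsers setting is readable and settable through the
# TeamsMessagingPolicy cmdlets of the MicrosoftTeams module.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

$setting = 'UseB2BInvitesToAddExternalUsers'

# Collect every policy where the setting is not explicitly false. Custom
# policies have identities of the form "Tag:<name>"; the default is "Global".
$open = Get-CsTeamsMessagingPolicy | Where-Object { $_.$setting -ne $false }

foreach ($p in $open) {
    Write-Host ("Policy '{0}' still allows email/B2B invites ({1}={2})" -f
        $p.Identity, $setting, $p.$setting)
}

# Remediate the Global policy only. Custom policies are listed above for
# review, since some may intentionally allow external invites for a group.
if ($open.Identity -contains 'Global') {
    Set-CsTeamsMessagingPolicy -Identity Global -UseB2BInvitesToAddExternalUsers $false
    Write-Host "Global policy updated: outbound email/B2B invites disabled."
}

# Note: this only stops users in this tenant from sending invites. Inbound
# invitations from external tenants are unaffected, and a user who accepts one
# is protected by the host tenant's Defender configuration, not this tenant's.
```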
Read at The Hacker News