- Microsoft Teams guest chat feature creates an unprotected attack vector for malware and phishing
- Guests rely on the host’s security, allowing malicious actors to bypass typical protections.
- Companies are advised to restrict external invitations, disable chats, and train staff on phishing risks.
A new feature recently added to Microsoft Teams also introduced a “fundamental architectural gap,” a vulnerability that could be exploited to deliver malware, share phishing links and more, all without triggering the usual security alarms, experts warned.
Cybersecurity researchers Ontinue discovered that the guest access feature in Microsoft Teams creates an unprotected attack vector.
The feature allows any Teams user to start a new chat with anyone, simply with their email address, meaning that even if the recipient doesn’t use Teams, they can receive an email invitation and join the chat as a guest. By default, this feature is enabled for eligible licenses (SMB licenses such as Teams Essentials, Business Basic, Business Standard, etc.).
Bypassing security protocols
However, when someone joins another person’s Teams environment as a guest, they don’t bring their own security protocols—they’re protected with whatever security protocols their host has.
So if the host is malicious and has no security protocols, they could share malicious files with guests without raising any alarms. And since the communication occurs outside the victim’s own environment, the victim’s security tooling never sees it and cannot alert them either.
In theory, a threat actor could impersonate someone, invite the victim to a Teams chat, and ask them to open a phishing link or download malware. Since the invitation is sent by Microsoft’s own infrastructure and the actual chat happens in Teams, the victim could let their guard down.
At the moment, Microsoft is silent on the matter and has not yet responded to media queries.
In the meantime, businesses are encouraged to limit external invitations to Teams to only trusted domains and control access between tenants.
Additionally, they could disable external chats and should educate their employees about phishing attacks and unsolicited messages, regardless of the platform they come from.
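The hardening steps described above (trusted-domain allow list, tighter cross-tenant access, no chats from unmanaged accounts) can be applied from the MicrosoftTeams PowerShell module. This is an added example, not from the article, Ontinue or Microsoft; it assumes a Teams administrator account and the module installed, and the domain names are placeholders.

```powershell
# Added example (not from the article): tighten Teams external access along the lines
# the article recommends. Requires the MicrosoftTeams module (Install-Module MicrosoftTeams)
# and a Teams administrator role. Domain names below are placeholders.
Connect-MicrosoftTeams

# 1. Record the current federation settings so the change is reversible and auditable.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains

# 2. Replace open federation with an allow list: only users in these tenants
#    can start a chat with your employees.
$trustedDomains = @('partner-one.example', 'partner-two.example')   # placeholders
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                    -AllowedDomainsAsAList $trustedDomains

# 3. Block chats from Teams accounts not managed by an organization (personal /
#    consumer accounts), which anyone can create at no cost.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 4. If your organization does not need guests in its own tenant, turn guest access off
#    as well so the same gap cannot be exploited in the other direction.
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $false

# 5. Verify: the allow list should be populated and consumer access disabled.
$after = Get-CsTenantFederationConfiguration
if ($after.AllowTeamsConsumer -or -not $after.AllowedDomains) {
    Write-Warning 'External access is still more open than intended; review the settings above.'
} else {
    Write-Output 'External access restricted to the trusted-domain allow list.'
}
```

Tenant-wide federation settings can take some time to propagate, so re-check after the change has been applied before treating the gap as closed.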
Via Hacker News