Microsoft Teams Guest Chat Vulnerability
Situation
Microsoft 365 uses a concept called “cross-tenant collaboration” for sharing resources like Teams chats, files, and documents between different organizations. This allows external users (guests) to be invited into a company’s Teams environment for collaboration. When one organization invites another to collaborate (for example, a client, partner, or third-party service provider), the user from the external organization is added as a guest in Microsoft Teams. However, when that user is added as a guest, they are operating within the security boundary of the inviting (external) organization, not under their original organization’s security settings. A recent update enabled this functionality more broadly by default. Security researchers discovered that when a user accepts a guest-chat invitation, Teams switches them into the external tenant’s security boundary, meaning the user no longer benefits from their own organization’s security protections (e.g., Defender for Office 365, Safe Links, Safe Attachments, phishing checks, etc.). This architectural trust shift creates a security blind spot in which attackers can host a malicious tenant and interact with users without the usual Microsoft 365 protection stack.
Problem
The issue arises because once the external user accepts the invite, they’re now in a guest context controlled by the external organization’s tenant (the one who invited them), not their home organization’s tenant.
In simpler terms:
- Before accepting the invitation, the guest user was protected by their home organization’s security rules.
- After accepting the invite, the guest user is now operating under the security controls (or lack thereof) of the external tenant.
What attackers can do
Attackers can abuse this by setting up their own Microsoft 365 tenant and sending legitimate-looking guest invitations to potential targets. The process, step by step:
- Create an Attacker Tenant:
  - The attacker sets up a new Microsoft 365 tenant using an inexpensive or even free Microsoft subscription. They don’t need to be an existing corporate entity to create this tenant.
- Send Guest Invitations:
  - The attacker invites target users (from any organization) to join a Teams chat. These could be high-level employees, contractors, or anyone with access to valuable information.
- User Accepts the Invitation:
  - The target user receives the invitation and accepts it, joining the attacker’s tenant (whether they know it or not). This action places the user inside the attacker’s “security bubble.”
- User is Now Operating Inside the Attacker’s Tenant Security Context:
  - Critical point: At this stage, the user leaves their home organization’s security perimeter and enters the external organization’s security context. Since the attacker controls the external tenant, they can configure the environment as they wish (which may mean no security controls).
- Bypassing Home Organization’s Security:
  - Since the external tenant (the attacker’s tenant) doesn’t have to comply with the target’s security policies, the user no longer benefits from:
    - Safe Links: Links inside Teams chats (even malicious ones) are not scanned for malicious URLs.
    - Safe Attachments: Malicious files shared within Teams are not automatically scanned for malware.
    - Advanced Anti-Phishing: Fake or impersonated messages from the attacker’s tenant won’t trigger anti-phishing protections in the target’s environment.
    - Zero-Hour Auto Purge (ZAP): If a malicious attachment or link gets through, it won’t be automatically removed by security systems.
    - Data Loss Prevention (DLP) Policies: No data loss prevention mechanisms are in place to stop sensitive information from being shared outside the organization.
Attack Vectors
The vulnerability in Microsoft Teams’ guest chat feature introduces several high-risk attack paths that attackers can exploit. These attack vectors primarily take advantage of the fact that once a user accepts a guest chat invitation from an external tenant, the user’s security context switches to that external tenant. This switch allows attackers to bypass many of the security protections typically applied to users within their own organization.
1. Phishing / Social Engineering
Once a user accepts a guest chat invitation from an attacker-controlled tenant, the chat messages appear legitimate because they are delivered through Microsoft Teams’ infrastructure, which is inherently trusted by most users. The attacker can then send malicious links or phishing pages that appear credible and safe. Since these links come from a genuine Teams chat, they are not scanned by the usual security tools like Safe Links, which would normally block or flag malicious URLs. As a result, the user may unknowingly click on a link that leads to a credential-harvesting page or other malicious content. This makes the attack easier to carry out, as users are likely to trust the communication, believing it to be coming from a trusted platform.
2. Malware Delivery
Another serious risk is the delivery of malware. When the user accepts the guest invite and interacts with the attacker’s tenant, any files shared within that chat will bypass Microsoft’s Safe Attachments and malware scanning tools. This gives attackers the ability to deliver a wide range of malicious payloads, such as ransomware, credential-stealing malware, Remote Access Trojans (RATs) or initial access loaders. These types of malware are designed to compromise the user’s endpoint and can give the attacker full control over the affected system.
3. Account Compromise
If a user enters their credentials into a phishing page sent through the compromised guest chat, attackers can gain access to a variety of sensitive resources within the user’s Microsoft 365 environment. This can include access to their email inbox, OneDrive and SharePoint data, as well as Teams chats and files. The attackers may then be able to use these credentials to escalate their access to other systems. If multi-factor authentication (MFA) is enabled for the target account, attackers may still manage to bypass it through techniques like MFA fatigue (repeated MFA requests until the user approves one out of frustration or mistake) or social engineering to trick the user into approving the MFA prompt. This increases the risk of full account compromise, allowing attackers to access sensitive data and systems that would otherwise be protected by MFA.
4. Lateral Movement
Once an attacker has compromised a user’s account or endpoint, they can attempt to move laterally within the organization’s network. This means that the attacker may try to access other systems, network shares or accounts that are trusted by the compromised user. The attacker could then escalate their privileges, potentially gaining access to privileged accounts (e.g., administrator accounts) and deploying additional malware to propagate through the organization’s infrastructure. They may also attempt to exfiltrate sensitive data, which could include proprietary information, customer data or intellectual property. This type of lateral movement is a key part of many modern attacks, especially in cases of ransomware or Advanced Persistent Threats (APTs).
5. Supply-Chain / Vendor Pivot Attacks
Since Microsoft Teams is widely used for inter-company collaboration, an attack on one organization through this vulnerability could have far-reaching consequences. If the attacker successfully compromises a user within one organization, they may use that access to launch impersonation attacks against the organization’s partners, vendors, or clients. For example, the attacker could pose as a trusted employee to request sensitive data or initiate fraudulent transactions. This creates a multi-organization breach chain, where the compromise of a single organization can lead to a broader supply chain attack. Attackers can pivot from one compromised organization to the next, escalating their access and causing widespread disruption across multiple entities.
Mitigation
- Disable “Chat with External Users / Chat with Anyone” unless explicitly required.
- Restrict Guest Access by tenant allow-list (approved partners only).
- Block unknown or high-risk domains from initiating guest invitations.
- Set Conditional Access to require multi-factor authentication (MFA) for any external tenant access.
- User Awareness Training:
  - Do not accept unknown guest invitations.
  - Verify external invitations via secondary channels, such as e-mail, messenger apps or a call.
- Monitor audit logs for:
  - Guest-invite events
  - External file sharing
  - Suspicious login attempts
- Enable Endpoint Detection & Response (EDR) to detect malware dropped via Teams chats.
- Implement Identity Threat Detection & Response (ITDR) to detect unusual identity/tenant switching.
- Review and reduce Teams External Access policies across all departments.
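The audit-log monitoring points above (guest-invite events, external file sharing, suspicious login attempts, and the rapid tenant switching that ITDR is meant to catch) can be turned into concrete rules. The script below is an added example, not code from the original advisory: it runs over a constructed newline-delimited JSON export whose field names (CreationTime, Operation, UserId, ExternalTenantDomain, FileName) are a simplified approximation and do not match the real Unified Audit Log schema, and it checks every external tenant against a hypothetical partner allow-list.

```python
"""Triage of constructed M365-style audit records for guest-chat abuse.

Added example, not code from the original advisory. The record layout is a
simplified, constructed approximation of an audit export; the real Unified
Audit Log nests these fields differently and uses other operation names.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical allow-list of approved partner tenants (constructed values).
APPROVED_TENANT_DOMAINS = {"contoso.com", "fabrikam.com"}
LOGIN_FAILURE_THRESHOLD = 3            # failed logins per user before alerting
SWITCH_THRESHOLD = 3                   # tenant switches inside SWITCH_WINDOW
SWITCH_WINDOW = timedelta(minutes=10)

# Constructed sample export, one JSON record per line (contoso.com is home).
SAMPLE_LOG = """\
{"CreationTime": "2025-01-10T09:00:00", "Operation": "GuestInvitationAccepted", "UserId": "alice@contoso.com", "ExternalTenantDomain": "fabrikam.com"}
{"CreationTime": "2025-01-10T09:05:00", "Operation": "GuestInvitationAccepted", "UserId": "bob@contoso.com", "ExternalTenantDomain": "acme-consulting.onmicrosoft.com"}
{"CreationTime": "2025-01-10T09:06:00", "Operation": "FileShared", "UserId": "bob@contoso.com", "ExternalTenantDomain": "acme-consulting.onmicrosoft.com", "FileName": "invoice_2025.zip"}
{"CreationTime": "2025-01-10T09:07:00", "Operation": "TenantSwitch", "UserId": "bob@contoso.com", "ExternalTenantDomain": "acme-consulting.onmicrosoft.com"}
{"CreationTime": "2025-01-10T09:08:00", "Operation": "TenantSwitch", "UserId": "bob@contoso.com", "ExternalTenantDomain": "contoso.com"}
{"CreationTime": "2025-01-10T09:09:00", "Operation": "TenantSwitch", "UserId": "bob@contoso.com", "ExternalTenantDomain": "acme-consulting.onmicrosoft.com"}
{"CreationTime": "2025-01-10T09:10:00", "Operation": "UserLoginFailed", "UserId": "bob@contoso.com", "ExternalTenantDomain": "acme-consulting.onmicrosoft.com"}
{"CreationTime": "2025-01-10T09:10:20", "Operation": "UserLoginFailed", "UserId": "bob@contoso.com", "ExternalTenantDomain": "acme-consulting.onmicrosoft.com"}
{"CreationTime": "2025-01-10T09:10:40", "Operation": "UserLoginFailed", "UserId": "bob@contoso.com", "ExternalTenantDomain": "acme-consulting.onmicrosoft.com"}
{"CreationTime": "2025-01-10T09:20:00", "Operation": "FileShared", "UserId": "alice@contoso.com", "ExternalTenantDomain": "fabrikam.com", "FileName": "roadmap.pptx"}
"""


def parse_records(text):
    """Parse a newline-delimited JSON export into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def tenant_is_approved(domain):
    return domain.lower() in APPROVED_TENANT_DOMAINS


def triage(records):
    """Return one finding per rule hit, in chronological order."""
    findings = []
    login_failures = defaultdict(int)   # user -> failed-login count
    switch_times = defaultdict(list)    # user -> switch timestamps inside window
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        user, op = rec["UserId"], rec["Operation"]
        tenant = rec.get("ExternalTenantDomain", "")
        ts = datetime.fromisoformat(rec["CreationTime"])
        if op == "GuestInvitationAccepted" and not tenant_is_approved(tenant):
            findings.append({"rule": "guest-invite-unapproved-tenant",
                             "user": user, "detail": tenant})
        elif op == "FileShared" and not tenant_is_approved(tenant):
            findings.append({"rule": "external-share-unapproved-tenant",
                             "user": user,
                             "detail": f"{rec.get('FileName')} -> {tenant}"})
        elif op == "TenantSwitch":
            # Sliding window: keep only switches within SWITCH_WINDOW of this one.
            recent = [t for t in switch_times[user] if ts - t <= SWITCH_WINDOW] + [ts]
            switch_times[user] = recent
            if len(recent) == SWITCH_THRESHOLD:     # fire once, when the threshold is hit
                findings.append({"rule": "rapid-tenant-switching", "user": user,
                                 "detail": f"{len(recent)} switches within {SWITCH_WINDOW}"})
        elif op == "UserLoginFailed":
            login_failures[user] += 1
            if login_failures[user] == LOGIN_FAILURE_THRESHOLD:
                findings.append({"rule": "login-failure-burst",
                                 "user": user, "detail": tenant})
    return findings


def users_to_review(findings):
    """Distinct users with at least one finding, sorted for reporting."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    for f in triage(parse_records(SAMPLE_LOG)):
        print(f"{f['rule']:<34} {f['user']:<20} {f['detail']}")
```

Alice's activity with the approved partner fabrikam.com produces nothing; every finding is for Bob's interaction with the unapproved tenant, which is exactly the tenant allow-list from the mitigation list doing its work. The tenant-switch rule fires once when the threshold is reached rather than on every subsequent event, so a single burst yields a single alert.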
Indicators of Compromise
Below are generic IOCs associated with attacks abusing external guest-chat features. (Actual indicators will vary depending on the attacker’s tools and malware.)
Suspicious Teams Activity
- Unsolicited guest invitations from unfamiliar or generic tenants (e.g., tenant names with suffixes such as -consulting or -solutions).
- Rapid switching between internal tenant and external tenants in logs.
- Users reporting unexpected chats or file shares from unknown organizations.
- Files shared via Teams with extensions: .iso, .zip, .js, .lnk, .hta, .exe.
- Files with names like:
  - “invoice_2025.zip”
  - “contract_update.pdf.exe”
  - “security_patch.hta”
Malicious Teams-delivered phishing campaigns often include URLs containing:
- Keywords such as auth-verify, microsoft-login, secure-session, office365-validation
- Domains using:
  - Newly registered domains (NRDs)
  - Free hosting platforms
  - Obfuscated characters (punycode)
- Example URLs (defanged):
  - https://microsoft-secure-auth[.]com/login
  - https://teams-validation[.]cloud/verify
  - https://office365-auth-center[.]net
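The file-name and URL indicators above (risky extensions, document-looking double extensions, phishing keywords, brand look-alike hosts, NRDs, free hosting, punycode) are easy to automate as a triage pass over what a user reports or what a Teams audit export lists. The following is an added example and not code from the advisory: the NRD set and the free-hosting suffix are constructed placeholders standing in for a real feed, the Microsoft-owned suffixes are real domains used only to suppress false positives on genuine sign-in URLs, and the punycode sample is generated with Python's IDNA codec from a constructed homoglyph host rather than typed by hand.

```python
"""Classify file names and URLs against the generic guest-chat IOC patterns.

Added example, not code from the original advisory. NEWLY_REGISTERED and
FREE_HOSTING_SUFFIXES are constructed placeholders for a real NRD feed and
a hosting-provider list; MICROSOFT_OWNED_SUFFIXES are real domains used to
avoid flagging legitimate Microsoft sign-in URLs.
"""
from urllib.parse import urlsplit

SUSPICIOUS_EXTENSIONS = {".iso", ".zip", ".js", ".lnk", ".hta", ".exe"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
PHISHING_KEYWORDS = ("auth-verify", "microsoft-login", "secure-session", "office365-validation")
BRAND_TERMS = ("microsoft", "office365", "teams")
MICROSOFT_OWNED_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com", "live.com")
# Constructed stand-ins for an NRD feed and a free-hosting provider list.
NEWLY_REGISTERED = {"teams-validation.cloud", "office365-auth-center.net"}
FREE_HOSTING_SUFFIXES = ("pages.free-host.example",)

# Constructed punycode sample: "micr<Cyrillic o>soft-login.com", encoded with the
# stdlib IDNA codec so the xn-- label is generated rather than hand-typed.
PUNYCODE_SAMPLE = "https://" + "micr\u043esoft-login.com".encode("idna").decode("ascii") + "/verify"


def refang(url):
    """Undo the [.] / hxxp defanging used in IOC lists."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def assess_filename(name):
    """Reasons a shared file name matches the IOC list (empty list = clean)."""
    reasons = []
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in SUSPICIOUS_EXTENSIONS:
        reasons.append(f"suspicious extension {ext}")
    # contract_update.pdf.exe: a document extension hiding in front of an executable one
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS and ext in SUSPICIOUS_EXTENSIONS:
        reasons.append("document-looking name with executable extension")
    return reasons


def _under_suffix(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def assess_url(url):
    """Reasons a URL matches the IOC list (empty list = nothing matched)."""
    reasons = []
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    for kw in PHISHING_KEYWORDS:
        if kw in host + path:
            reasons.append(f"phishing keyword '{kw}'")
    # Brand term in a host that Microsoft does not own -> look-alike domain.
    if not _under_suffix(host, MICROSOFT_OWNED_SUFFIXES):
        for term in BRAND_TERMS:
            if term in host:
                reasons.append(f"brand term '{term}' outside Microsoft-owned domains")
    if host in NEWLY_REGISTERED:
        reasons.append("newly registered domain")
    if _under_suffix(host, FREE_HOSTING_SUFFIXES):
        reasons.append("free hosting platform")
    # Punycode labels start with xn--; decode so the analyst sees the homoglyph form.
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            decoded = host.encode("ascii").decode("idna")
        except UnicodeError:
            decoded = "<undecodable>"
        reasons.append(f"punycode host, decodes to {decoded}")
    return reasons


if __name__ == "__main__":
    for sample in ("invoice_2025.zip", "contract_update.pdf.exe", "roadmap.pptx"):
        print(sample, assess_filename(sample))
    for sample in ("https://microsoft-secure-auth[.]com/login",
                   "https://teams-validation[.]cloud/verify",
                   "https://login.microsoftonline.com/common/oauth2",
                   PUNYCODE_SAMPLE):
        print(sample, assess_url(sample))
```

Each function returns the list of matched reasons rather than a single boolean, so the same output feeds both an alert (any reason) and an analyst summary (which reasons). The brand-term check is the one most likely to need tuning: it is what catches all three example URLs from the list, and the owned-suffix allow-list is what keeps login.microsoftonline.com out of the results.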
Host & Network Indicators
- Execution of files from the Teams Downloads folder (%USERPROFILE%\Downloads or %USERPROFILE%\AppData\Local\Microsoft\Teams\)
- Unexpected connections in the logs to:
  - Countries unusual for your organization’s business
  - VPN/proxy networks known for malware C2
- EDR alerts:
  - Suspicious PowerShell spawned by Teams
  - Credential theft attempts (LSASS access)
  - Persistence mechanisms added shortly after Teams file execution
- MFA fatigue push notifications
- Login attempts from attacker tenant IDs
- Unexpected OAuth grant consents / unfamiliar app registrations
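Two of the host indicators above, a script host spawned by Teams and a risky file executed out of the Teams download locations, can be expressed as rules over process-creation telemetry. The script below is an added example and not part of the advisory: the events are constructed dicts using Sysmon-style field names (ParentImage, Image, CommandLine), and the Teams binary names and folder markers are assumptions about a typical install rather than values from the page.

```python
"""Flag process-creation telemetry matching the Teams host indicators.

Added example, not code from the original advisory. Events are constructed
dicts with Sysmon-style field names; TEAMS_IMAGES and TEAMS_DROP_FOLDERS are
assumptions about typical client installs.
"""
import ntpath

TEAMS_IMAGES = {"ms-teams.exe", "teams.exe"}        # assumed Teams client binaries
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
# Lower-case path fragments for the two folders named in the indicator list.
TEAMS_DROP_FOLDERS = ("\\downloads\\", "\\appdata\\local\\microsoft\\teams\\")
RISKY_EXTENSIONS = {".exe", ".hta", ".js", ".lnk", ".iso"}

# Constructed events (hypothetical host, user and paths).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Users\bob\Downloads\security_patch.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\bob\Downloads\invoice_2025.exe",
     "CommandLine": r'"C:\Users\bob\Downloads\invoice_2025.exe"'},
    {"ParentImage": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\bob\AppData\Local\Microsoft\Teams\security_patch.hta"},
    {"ParentImage": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe --single-argument https://teams.microsoft.com/"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Acme\app.exe",
     "CommandLine": "app.exe"},
]


def _drop_folder_executions(paths):
    """Paths that sit in a Teams drop folder and carry a risky extension."""
    hits = []
    for p in paths:
        low = p.lower()
        if any(m in low for m in TEAMS_DROP_FOLDERS) and ntpath.splitext(low)[1] in RISKY_EXTENSIONS:
            hits.append(p)
    return hits


def evaluate(event):
    """Reasons the event matches the host indicators (empty list = nothing matched)."""
    reasons = []
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image_path = event.get("Image", "")
    image = ntpath.basename(image_path).lower()
    if parent in TEAMS_IMAGES and image in SCRIPT_HOSTS:
        reasons.append(f"script host {image} spawned by Teams")
    # Whitespace tokenising is enough for the constructed samples; paths with
    # spaces would need proper command-line parsing. Quotes are stripped and
    # duplicates removed so the same path is not reported twice.
    tokens = [t.strip('"') for t in event.get("CommandLine", "").split()]
    candidates = list(dict.fromkeys([image_path] + tokens))
    for hit in _drop_folder_executions(candidates):
        reasons.append(f"risky file executed from Teams download location: {hit}")
    return reasons


def triage_events(events):
    """(index, reasons) for every event that matched at least one rule."""
    results = []
    for i, ev in enumerate(events):
        reasons = evaluate(ev)
        if reasons:
            results.append((i, reasons))
    return results


if __name__ == "__main__":
    for i, reasons in triage_events(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["Image"])
        for r in reasons:
            print("   ", r)
```

The first rule keys on the parent/child pair only, so a PowerShell script launched from the Downloads folder is reported because Teams spawned the script host, not because of the .ps1 path; the second rule looks at the executable's own path and at command-line arguments, which is what catches an HTA passed to mshta.exe from the Teams app-data folder. Teams launching the browser for a legitimate link produces no finding.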
Resources
- Microsoft “chat with anyone” and the phishing risk it introduces: https://www.ontinue.com/resource/blog-microsoft-chat-with-anyone-understanding-phishing-risk/
- Download daily NRD lists: https://www.iqwhois.com/newly-registered-domains and https://www.whoisds.com/
- Learn about punycode: https://www.punycoder.com/punycode/