New feature, new worries
- Microsoft Teams guest chat feature creates unprotected attack vector for malware and phishing
- Guests rely on host’s security, enabling malicious actors to bypass usual protections
- Businesses advised to restrict external invites, disable chats, and train staff on phishing risks
A new feature recently added to Microsoft Teams has also introduced a “fundamental architectural gap” - a vulnerability that could be exploited to drop malware, share phishing links and more - all without triggering the usual security alarms, experts have warned.
Cybersecurity researchers at Ontinue found that the guest access feature in Microsoft Teams creates an unprotected attack vector.
The feature lets any Teams user start a new chat with anyone, just by their email address, meaning even if the recipient doesn’t use Teams, they can get an invite via email and join the chat as a guest. By default, this feature is enabled for eligible licenses (SMB licenses such as Teams Essentials, Business Basic, Business Standard, etc.).
Bypassing security protocols
However, when someone joins another person’s Teams environment as a guest, they are not bringing their own security protocols - they are protected with whatever security protocols their host has.
So, if the host is malicious and has no security protocols, they could share malicious files with the guests without triggering any alarms. And since the communication is happening outside the victim’s own environment, they won’t be notified of any risks that way, either.
In theory, a threat actor could impersonate someone, invite the victim to a Teams chat, and have them open a phishing link or download malware. Since the invitation is sent by Microsoft’s own infrastructure, and the actual chat happens in Teams, the victim might lower their guard.
At the moment, Microsoft is keeping quiet about it and has yet to respond to media inquiries.
In the meantime, businesses are advised to limit external Teams invitations to trusted domains only, and control cross-tenant access.
Furthermore, they could disable external chats and should educate their employees about phishing attacks and unsolicited messages - regardless of the platform they’re coming from.
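The restrictions recommended above can be applied with the MicrosoftTeams PowerShell module. The following is an added example, not taken from the article or from Ontinue's research; the domain names are placeholders, and it assumes a Teams administrator account and a module version that exposes the `UseB2BInvitesToAddExternalUsers` messaging-policy setting.

```powershell
# Added example: restricting external Teams chat, following the advice above.
# Assumes the MicrosoftTeams module is installed and you sign in as a Teams admin.
Connect-MicrosoftTeams

# Record the current external-access state before changing anything.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains

# Option 1: limit external access to trusted domains only.
# partner.example and supplier.example are placeholder domains.
$trusted = New-Object Collections.Generic.List[String]
$trusted.Add('partner.example')
$trusted.Add('supplier.example')
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $trusted

# Option 2: disable external chats entirely (uncomment to apply instead).
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# Turn off email-address chat invitations for users covered by the Global
# messaging policy. This governs invitations your own users send.
Set-CsTeamsMessagingPolicy -Identity Global -UseB2BInvitesToAddExternalUsers $false

# Confirm the resulting configuration.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains
```

Which external tenants your users may join as guests is governed separately, by the cross-tenant access settings for B2B collaboration in Microsoft Entra ID.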
Via The Hacker News
Sead Fadilpašić
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.