Microsoft Teams’ New “Chat with Anyone” Feature Exposes Users to Phishing and Malware Attacks


Microsoft’s upcoming Teams update, set for targeted releases in early November 2025 and worldwide by January 2026, will allow users to initiate chats with only an email address, even if the recipient isn’t a Teams user. This feature raises security concerns among experts.

The invitee joins as a guest via email, enabling seamless external communication across Android, desktop, iOS, Linux, and Mac. While aimed at flexible work, this default-enabled feature widens the door for phishing scams and malware infiltration, potentially leaking sensitive data in the process.

The core issue lies in the feature’s broad accessibility. By allowing chats with external email addresses without prior validation, Teams enlarges the attack surface.

Phishing actors could spoof legitimate invites, tricking users into clicking malicious links or sharing credentials. For instance, a fake “chat request” from a supposed business partner might embed malware payloads, exploiting the guest join process to deliver ransomware or spyware directly into organizational chats.

Security researchers warn that this mirrors tactics seen in OAuth phishing campaigns, where attackers impersonate trusted services to harvest data.

With chats governed by Entra B2B Guest policies but still confined to the organization’s boundary, the risk of inadvertent data exposure grows.


Employees might unknowingly disclose proprietary information to impostors, leading to intellectual property theft or compliance violations under regulations such as GDPR.

In practice, this could amplify threats in hybrid work environments. Consider a sales team chatting with a “prospective client” via email invite; if the contact is compromised, attackers gain a foothold to eavesdrop or escalate privileges.

Malware distribution becomes simpler, too, as guests could inadvertently forward infected files, bypassing traditional email filters, since interactions occur within Teams’ ecosystem.

Microsoft acknowledges the change affects all users and urges organizations to update documentation and train support teams. However, the default activation means many firms could overlook it until incidents occur, echoing past oversights like the SolarWinds breach, where unpatched features fueled widespread compromise.

Admins aren’t powerless. To disable the feature, they can use PowerShell to set the UseB2BInvitesToAddExternalUsers attribute in TeamsMessagingPolicy to false, effectively blocking external email-based chats.

This simple tweak restores tighter controls, limiting invites to verified B2B connections. Experts recommend combining it with multi-factor authentication enforcement, regular policy audits, and user awareness training to counter phishing attempts.
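The following added example (not from Microsoft or the original article) audits every Teams messaging policy and turns the setting off, since a policy assigned directly to a user takes precedence over the Global one. It assumes an authenticated `Connect-MicrosoftTeams` session and a MicrosoftTeams module version that exposes the attribute; the function name `Disable-B2BInviteChat` is hypothetical.

```powershell
#Requires -Modules MicrosoftTeams
# Added example: audit and disable email-based external chat invites in every
# Teams messaging policy. Assumes an existing Connect-MicrosoftTeams session.

function Disable-B2BInviteChat {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $setting = 'UseB2BInvitesToAddExternalUsers'   # attribute named in the article

    foreach ($policy in Get-CsTeamsMessagingPolicy) {
        # Older module versions may not expose the attribute yet.
        if ($policy.PSObject.Properties.Name -notcontains $setting) {
            Write-Warning "$($policy.Identity): $setting not exposed; update the MicrosoftTeams module."
            continue
        }

        $before = $policy.$setting
        $result = 'Unchanged'

        if ($before -ne $false) {
            # Get- returns custom policies as 'Tag:<name>'; strip the prefix before Set-.
            $name = $policy.Identity -replace '^Tag:', ''
            if ($PSCmdlet.ShouldProcess($name, "Set $setting to `$false")) {
                try {
                    Set-CsTeamsMessagingPolicy -Identity $name -UseB2BInvitesToAddExternalUsers $false -ErrorAction Stop
                    $result = 'Disabled'
                } catch {
                    # Read-only policies reject edits; report instead of aborting the audit.
                    $result = "Failed: $($_.Exception.Message)"
                }
            } else { $result = 'WouldDisable' }
        }

        # One row per policy so the output doubles as an audit record.
        [pscustomobject]@{ Policy = $policy.Identity; Before = $before; Result = $result }
    }
}

# Dry run first, then apply:
#   Disable-B2BInviteChat -WhatIf | Format-Table -AutoSize
#   Disable-B2BInviteChat | Format-Table -AutoSize
```

Re-running the function after the change should show every editable policy as `Unchanged`, which makes it suitable for the regular policy audits recommended above.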

As Teams evolves, balancing innovation with security remains crucial. This rollout underscores the need for proactive defense in collaborative tools, lest convenience become a cybercriminal’s gateway.
