Teams Guest Chat Puts Users At Risk

A newly uncovered issue in Microsoft Teams shows that users lose all Defender for Office 365 protections once they accept a guest invitation, leaving them exposed inside another organization’s tenant.

Threat researcher Rhys Downing revealed that Microsoft’s new feature, MC1182004, which allows Teams users to chat with any email address, creates an opportunity for attackers who understand cross-tenant security gaps.

Julian Brownlow Davies of Bugcrowd warned that attackers can set up a weak Microsoft 365 tenant, send a legitimate-looking Teams invite, and deliver malicious links or files that bypass the victim’s Defender safeguards.

Downing explained that this is not a bug but a design limitation: in cross-tenant collaboration, the host tenant’s security settings override those of the user’s home tenant. If the host lacks protections like safe links, URL scanning or sandboxing, the guest user also loses them.

Microsoft has not yet responded to inquiries.

Security experts say the issue highlights the need for organizations to treat external guest access as a high-risk trust boundary requiring stricter governance and monitoring.
