- Microsoft Teams guest chat feature creates unprotected attack vector for malware and phishing
- Guests rely on the host’s security, which allows malicious actors to bypass usual protections
- Companies are advised to limit external invitations, disable chats and educate staff on phishing risks
A new feature recently added to Microsoft Teams has introduced a “fundamental architectural gap” – a vulnerability that could be exploited to drop malware, share phishing links and more – all without triggering the usual security alerts, experts have warned.
Cybersecurity researchers at Ontinue found that the guest access feature in Microsoft Teams creates an unprotected attack vector.
The feature lets any Teams user start a new chat with anyone simply by their email address, meaning that even if the recipient doesn’t use Teams, they can receive an invitation via email and join the chat as a guest. By default, this feature is enabled for eligible licenses (SMB licenses such as Teams Essentials, Business Basic, Business Standard, etc.).
Bypassing security protocols
But when someone joins another person’s Teams environment as a guest, they don’t bring their own security protocols—they’re protected by the security protocols their host has.
So if the host is malicious and has no security protocols, they can share malicious files with the guests without triggering any alarms. And since the communication takes place outside the victim’s own environment, they will not be notified of any risks that way either.
In theory, a threat actor could impersonate someone, invite the victim to a Teams chat and get them to open a phishing link or download malware. Since the invitation is sent by Microsoft’s own infrastructure and the chat itself takes place in Teams, the victim can lower their guard.
Currently, Microsoft is keeping quiet about it and has yet to respond to media inquiries.
In the meantime, businesses are advised to limit external Teams invitations to trusted domains only and control access across tenants.
In addition, they could disable external chats and should inform their employees about phishing attacks and unsolicited messages – regardless of the platform they come from.
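One way for a Teams administrator to review and tighten external access along the lines advised above, as an added example that is not from the article or from Ontinue: it uses the MicrosoftTeams PowerShell module, assumes an admin has already run Connect-MicrosoftTeams, and the domain names are constructed placeholders. The article does not state which tenant setting governs the specific new-chat feature, so this is general external-access hardening, not a confirmed fix for that feature.

```powershell
# Added example, not from the article: audit and restrict Teams external access.
# Assumes the MicrosoftTeams module is installed and Connect-MicrosoftTeams has
# been run with a Teams administrator account.
Import-Module MicrosoftTeams

# 1. Audit the current federation settings. When no allow list is configured,
#    AllowedDomains shows AllowAllKnownDomains, i.e. any external tenant can
#    start a chat with users in this tenant (assumption about display value).
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers

# 2. Restrict external chat to an explicit list of trusted partner domains and
#    block personal (consumer) Teams and Skype accounts, which are the cheapest
#    identities for an attacker to obtain. Placeholder domains below.
$trustedDomains = @('partner-a.example', 'partner-b.example')

Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $trustedDomains `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# 3. Stricter alternative matching the "disable external chats" advice:
#    turning federation off entirely removes external chat for the tenant.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 4. Re-read the configuration to confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer
```

Pair this with the Entra cross-tenant access settings for guest invitations, since the federation configuration above controls external chat but not who may be invited as a guest.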
Via Hacker News