A convenient new feature in Microsoft Teams has created a dangerous blind spot for businesses. Cybersecurity researchers at Ontinue warn that the platform’s “guest access” option creates a gap that hackers can exploit to deliver malware or phishing links without triggering standard security alarms.
The issue lies in how Teams handles external users. The feature allows a Teams user to start a chat with anyone simply by entering their email address. If the recipient accepts, they join the chat as a “guest.” Microsoft turns this on by default for many small business licenses.
Here is the trap: When you join another person’s Teams environment as a guest, you leave your own company’s digital perimeter. Your internal security protocols stop monitoring the traffic. Instead, you rely on the security settings of the person who invited you.
This creates a perfect setup for attackers. A hacker can set up a malicious Teams environment with zero security filters. They then invite a victim to chat. Because the email invitation comes directly from Microsoft’s official infrastructure, the victim is likely to trust it. Once the victim joins the chat, the hacker can send malicious files or fake login links. Since the activity happens outside the victim’s corporate network, their company’s firewalls and scanners often miss the threat entirely.
The researchers note that this method bypasses the “red flags” that usually pop up when strangers send dangerous files.
To stay safe, experts advise IT administrators to change their settings immediately. Companies should limit external invitations to known, trusted domains or turn off external chats completely if they aren’t necessary. Beyond technical fixes, businesses must train employees to treat unsolicited Teams invites with the same suspicion they apply to random emails. Just because a message appears in a work app doesn’t mean it is safe.