
Microsoft Teams Update Sparks Security Concerns Over New Email Chat Feature

Microsoft’s latest Teams update, rolling out to Targeted Release tenants in November 2025 and expected worldwide by January 2026, introduces a powerful yet controversial feature: users can now start a chat with nothing more than an email address, even if the recipient isn’t a Teams user.

While this aims to simplify collaboration, cybersecurity experts warn it could open a major new attack vector for phishing and malware.


What’s Changing in Microsoft Teams

The update allows users to start conversations with external participants through an email invitation, letting non-Teams users join chats as guests. This functionality works across Windows, Mac, iOS, Android, and Linux, promoting seamless communication across devices and platforms.

However, the feature will be enabled by default, so many organizations may not realize it is active. Every tenant that does not opt out gains a new inbound path for unsolicited contact, and with it a larger attack surface, without any administrator having made a decision about it.


The Security Risks Behind the Update

The main concern is reach. Teams will now accept chat invitations that originate from any external email address, with no pre-existing federation or guest relationship required, so an attacker needs nothing more than a mailbox and a plausible display name to get a conversation in front of a target.

Cybercriminals could send lookalike chat invites impersonating trusted business partners. These fake invitations might carry malicious links or attachments, leading to credential theft, ransomware infections, or spyware deployment inside Teams environments.

A Realistic Attack Scenario

Imagine a sales representative receiving what looks like a chat invite from a prospective client. Clicking the link opens what appears to be a normal Teams conversation, but it is actually a phishing lure: the page, or the files it offers, is built to harvest the representative’s credentials or session, and a successful capture gives the attacker a foothold into internal discussions or sensitive files.

Researchers have compared this to OAuth consent phishing, where a malicious application’s permission prompt, rather than a fake login page, is used to obtain access tokens to corporate data. The common thread is a legitimate-looking platform workflow that the victim has been trained to trust.


Data Exposure and Compliance Risks

Microsoft’s position is that these guest chats remain governed by the tenant’s Entra B2B guest (external collaboration) policies, but experts point out that data leakage remains a real risk: policy controls who can be invited, not whether the person on the other end is who they claim to be. Employees might unintentionally share confidential or regulated data with impostors, leading to:

  • Intellectual property theft
  • GDPR violations
  • Compliance breaches

In hybrid and remote work environments, these risks multiply—especially when employees frequently collaborate with external vendors or clients.


Malware Distribution Through Teams

Because guest users can share files within Teams chats, a malicious document delivered this way never passes through the email gateway that most organizations rely on for attachment scanning. Unless the tenant licenses and enables Defender for Office 365 Safe Attachments for SharePoint, OneDrive and Teams, the first line of inspection is the endpoint itself, and a document that is opened and forwarded internally could spread before it is detected.


Mitigation and Protection Steps

Microsoft has acknowledged the security implications, urging administrators to update policies and user training materials. However, since the feature is on by default, proactive configuration is crucial.

How to Disable Email-Based Chat Invites

Admins can disable the feature with the Teams PowerShell module (connect first with Connect-MicrosoftTeams; the cmdlet below requires a Teams administrator role):

Set-CsTeamsMessagingPolicy -Identity Global -UseB2BInvitesToAddExternalUsers $false

This turns off email-based chat invitations for everyone covered by the Global policy, restoring the stricter access control that applied before the update. Two caveats: Microsoft’s reference for this cmdlet documents the parameter’s values as Enabled and Disabled, so if your module version rejects $false, use -UseB2BInvitesToAddExternalUsers Disabled instead; and the command changes only the Global policy, so users assigned a custom messaging policy keep whatever that policy says until it is updated too.
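The one-liner above touches only the Global policy and gives no visibility into custom policies. The script below is an added example written for this article, not code from Microsoft or the original author. It audits every Teams messaging policy for the setting, reports which ones still allow email-based invites, and disables it across all of them when run with -Apply. It assumes the MicrosoftTeams module is installed and the account holds a Teams administrator role; the "off" value it writes is Disabled (the form in Microsoft’s cmdlet reference) with a fallback to $false if a module version exposes the property as a boolean, which is an assumption to confirm with Get-Help Set-CsTeamsMessagingPolicy before running.

```powershell
#Requires -Modules MicrosoftTeams
# Added example, not the article's or Microsoft's code. Audits every Teams messaging
# policy for UseB2BInvitesToAddExternalUsers and disables it everywhere, not only Global.
# Assumes: MicrosoftTeams module installed, account holds a Teams administrator role.
param(
    [switch]$Apply   # without -Apply the script only reports (dry run)
)

Connect-MicrosoftTeams | Out-Null

# Every policy, including custom ones assigned to specific users or groups.
$policies = @(Get-CsTeamsMessagingPolicy)

# Treat both the documented string form and a boolean form as "off".
$offStrings = @('Disabled', 'False')

$report = foreach ($p in $policies) {
    $current = "$($p.UseB2BInvitesToAddExternalUsers)"
    [pscustomobject]@{
        Policy   = $p.Identity
        Setting  = $current
        NeedsFix = ($current -notin $offStrings)
    }
}

$report | Format-Table -AutoSize

$toFix = @($report | Where-Object NeedsFix)
if ($toFix.Count -eq 0) {
    Write-Host "Email-based chat invites are already disabled in all $($policies.Count) policies."
    return
}

if (-not $Apply) {
    Write-Warning "$($toFix.Count) policy/policies still allow email-based chat invites. Re-run with -Apply to disable."
    return
}

# Assumption: the cmdlet reference lists Enabled/Disabled for this parameter. If a module
# version exposes it as a boolean instead, fall back to $false.
$offValue = if ($policies[0].UseB2BInvitesToAddExternalUsers -is [bool]) { $false } else { 'Disabled' }

foreach ($entry in $toFix) {
    # Custom policies come back as "Tag:<name>"; Set-CsTeamsMessagingPolicy accepts that form.
    Set-CsTeamsMessagingPolicy -Identity $entry.Policy -UseB2BInvitesToAddExternalUsers $offValue
    Write-Host "Disabled email-based chat invites in policy '$($entry.Policy)'"
}

# Verify by re-reading the tenant, and fail loudly if anything still allows it.
$stillOn = @(Get-CsTeamsMessagingPolicy |
    Where-Object { "$($_.UseB2BInvitesToAddExternalUsers)" -notin $offStrings })
if ($stillOn.Count -gt 0) {
    throw "Policies still allowing email-based chat invites: $($stillOn.Identity -join ', ')"
}
Write-Host "Verified: all $($policies.Count) messaging policies now block email-based chat invites."
```

Run it without -Apply from a scheduled audit job to get the report, and with -Apply once the change has been approved; the final verification step is what makes it safe to trust the output of the scheduled run.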


Best Practices to Stay Secure

Cybersecurity experts recommend a layered defense strategy:

  • Disable the new email-chat feature if not needed.
  • Enable Multi-Factor Authentication (MFA) for all users, preferably a phishing-resistant method such as FIDO2 security keys or passkeys, since the scenario above is a credential-harvesting one.
  • Conduct regular policy audits, covering every Teams messaging policy rather than only Global, to ensure configurations align with security best practices.
  • Train employees to identify phishing and social engineering attempts.

Balancing Innovation and Security

Microsoft’s new Teams functionality reflects a broader trend in collaboration tools toward flexibility and openness. Yet this update underscores a hard truth: convenience features become gateways for cyberattacks when security isn’t prioritized.

For organizations using Microsoft Teams, now is the time to review settings, reinforce security awareness, and tighten guest access controls, before attackers exploit this new capability.
