Microsoft Teams’ guest chat feature exposes cross-tenant blind spot

A newly highlighted flaw in Microsoft’s cross-tenant collaboration model shows that once a user accepts a guest invitation in Teams, their Defender for Office 365 protections are dropped entirely, leaving them exposed inside an external tenant even while logged in with their home account.

According to Ontinue threat researcher Rhys Downing, one of Microsoft’s recently enabled Teams features, MC1182004, which allows Teams users to initiate chats with any email address, opens an attack vector for threat actors who understand the limitations of cross-tenant security.

“Many organizations assume their controls ‘follow’ the user wherever they go,” said Julian Brownlow Davies, senior vice president, offensive security strategy & operations at Bugcrowd. “In reality, attackers can spin up a poorly secured tenant, invite your users in with what looks like a perfectly legitimate Microsoft Teams email, and deliver links and files that never touch your own Defender stack at all.”

This means the full suite of Defender protections, including URL scanning, Safe Links, file sandboxing, and zero-hour auto purge, simply no longer applies, turning a harmless-looking collaboration invite into an attack path.

Microsoft did not immediately respond to CSO’s request for comments.

New default triggers architectural flaw

Downing explained in a blog post that the issue isn’t a software bug in Teams but an architectural reality of cross-tenant collaboration: when a user joins another tenant as a guest, the hosting (resource) tenant’s security settings apply, not those of the user’s original (home) tenant.

As a result, all protections provided by Defender for Office 365 are bypassed if the resource tenant has them disabled or never had them in the first place.

The attack is made easier by a default-enabled Teams feature, MC1182004, that allows users to start a chat with any email address, even if the recipient isn’t yet a Teams user. That means attackers can simply spin up a Microsoft 365 tenant, invite victims via email, and deliver phishing links or malware, all without triggering the victim’s own security stack.

Davies echoed Downing’s argument that this is an architectural consequence of how cross-tenant collaboration works. “At Bugcrowd, we see the same pattern across crowdsourced testing programs, particularly in our Red Team engagements: much of the risk now lives in the connectivity between tenants, identity systems, and collaboration tools, rather than in the individual apps themselves,” he said.

Mitigations include vetting collaborations

Jason Soroko, senior fellow at Sectigo, warns that this is not a mere “bypass bug,” but a blind spot in many organizations’ mental model of cross-tenant risk. “Security teams should respond by treating external guest access as a trust boundary that needs explicit governance rather than a convenience feature that can stay on by default,” he said.

To stay ahead of this inherent threat, Downing recommended restricting B2B guest invitations to a vetted allow-list of trusted partner domains and implementing cross-tenant access policies in Microsoft Entra ID to block suspicious guest-tenant access.

Another key mitigation is disabling the default “chat with anyone” feature in Teams, which allows unsolicited external invitations to reach users; many organizations can do this through the Teams admin center by tightening external access policies. Together with the Entra ID warning from September, the disclosure underscores that a real danger sits in the gaps across Microsoft tenants, where convenience defaults and misplaced trust continue to outpace security.
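The two mitigations above, an outbound cross-tenant access policy in Entra ID plus a Teams federation allow-list, expressed as an added PowerShell example; this is not code from the article, from Ontinue, or from Microsoft. It assumes the Microsoft.Graph and MicrosoftTeams modules, an administrator with the listed Graph scope, and a placeholder partner tenant ID and domain; the exact Teams admin setting that switches off the MC1182004 chat-by-email behaviour is not named in the article, so step 3 only shows the federation allow-list and consumer-account block.

```powershell
# Added example (not from the article or any vendor): lock outbound B2B
# collaboration down to vetted partner tenants so home-tenant users cannot
# accept guest invitations into arbitrary tenants, then allow-list Teams federation.
$partnerTenantId = "00000000-0000-0000-0000-000000000000"   # placeholder: vetted partner tenant
$partnerDomain   = "partner.example"                        # placeholder: vetted partner domain

Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

# 1. Default outbound B2B collaboration: block all users and apps. Without a
#    partner override, a user who accepts a guest invite into an unknown tenant
#    is refused, so the resource tenant's missing Defender stack never applies.
$blockAll = @{
    usersAndGroups = @{
        accessType = "blocked"
        targets    = @(@{ target = "AllUsers"; targetType = "user" })
    }
    applications = @{
        accessType = "blocked"
        targets    = @(@{ target = "AllApplications"; targetType = "application" })
    }
}
Update-MgPolicyCrossTenantAccessPolicyDefault -B2BCollaborationOutbound $blockAll

# 2. Partner-specific override: permit outbound collaboration only with the vetted tenant.
$allowAll = @{
    usersAndGroups = @{
        accessType = "allowed"
        targets    = @(@{ target = "AllUsers"; targetType = "user" })
    }
    applications = @{
        accessType = "allowed"
        targets    = @(@{ target = "AllApplications"; targetType = "application" })
    }
}
New-MgPolicyCrossTenantAccessPolicyPartner -TenantId $partnerTenantId -B2BCollaborationOutbound $allowAll

# 3. Teams external access: federate only with the allow-listed domain and
#    refuse chats from unmanaged (consumer) Teams accounts. Hashtable form for
#    -AllowedDomains is an assumption; verify against your module version.
Connect-MicrosoftTeams
Set-CsTenantFederationConfiguration -AllowedDomains @{Add = $partnerDomain} -AllowTeamsConsumer $false

# 4. Read back the effective settings so the change can be audited.
(Get-MgPolicyCrossTenantAccessPolicyDefault).B2BCollaborationOutbound | ConvertTo-Json -Depth 5
Get-CsTenantFederationConfiguration | Select-Object AllowedDomains, AllowTeamsConsumer
```

Review the read-back output in step 4 in a test tenant first: a blocked outbound default also prevents legitimate guest access to partners you have not yet added as partner configurations.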
