
A newly highlighted flaw in Microsoft’s cross-tenant collaboration model shows that once a user accepts a guest invitation in Teams, their Defender for Office 365 protections are dropped entirely, leaving them exposed inside an external tenant even while logged in with their home account.
According to Ontinue threat researcher Rhys Downing, one of Microsoft’s recently enabled features, “MC1182004,” which allows Teams users to initiate chats with any email address, opens an attack vector for threat actors who are aware of these cross-tenant security limitations.
“Many organizations assume their controls ‘follow’ the user wherever they go,” said Julian Brownlow Davies, senior vice president, offensive security strategy & operations at Bugcrowd. “In reality, attackers can spin up a poorly secured tenant, invite your users in with what looks like a perfectly legitimate Microsoft Teams email, and deliver links and files that never touch your own Defender stack at all.”
