Microsoft Teams Guest Access Bypasses Defender Protections in Cross-Tenant Scenarios
These articles are AI-generated summaries. Please check the original sources for full details.
MS Teams Guest Access Can Remove Defender Protection When Users Join External Tenants
Cybersecurity researchers identified a vulnerability where Microsoft Teams guest access allows users to bypass Microsoft Defender for Office 365 protections when joining external tenants. Attackers can exploit this by luring users into malicious tenants with no built-in safeguards.
Why This Matters
Microsoft Defender protections apply only to the tenant where the user’s account resides, not the external tenant hosting the conversation. This creates a “fundamental architectural gap” where users become unprotected guests in environments controlled by attackers. The scale of risk is significant: malicious actors can deploy low-cost Microsoft 365 tenants (e.g., Teams Essentials) that lack Defender by default, enabling phishing and malware distribution without triggering security alerts.
Key Insights
- “Guest users inherit the security policies of the hosting tenant, not their home organization,” per Ontinue researcher Rhys Downing (2025 report).
- Attackers can spin up malicious tenants using licenses like Teams Essentials, which lack Microsoft Defender for Office 365 out-of-the-box.
- Because invitation emails are sent from Microsoft’s own infrastructure, SPF, DKIM, and DMARC checks do not flag them, so the phishing invitation appears legitimate.
Practical Applications
- Use Case: Attackers use low-cost Microsoft 365 tenants to host phishing campaigns, exploiting guest access to distribute malware.
- Pitfall: Organizations failing to restrict B2B collaboration settings risk users accepting invitations from untrusted domains, leading to data exfiltration or lateral movement.
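
One way to audit the B2B collaboration pitfall above, as an added example (not from the original article or from Microsoft): it classifies the outbound B2B collaboration setting for the tenant default and for each partner override. The JSON is constructed and assumes the field layout of Microsoft Graph's crossTenantAccessPolicy default and partner resources, with an unset partner value inheriting the default; the tenant IDs are placeholders.

```python
import json

# Constructed export, shaped like Microsoft Graph's crossTenantAccessPolicy
# "default" and "partners" resources (assumed layout). Tenant IDs are placeholders.
SAMPLE = json.loads("""{
 "default": {"b2bCollaborationOutbound": {
   "usersAndGroups": {"accessType": "allowed",
     "targets": [{"target": "AllUsers", "targetType": "user"}]},
   "applications": {"accessType": "allowed",
     "targets": [{"target": "AllApplications", "targetType": "application"}]}}},
 "partners": [
  {"tenantId": "00000000-0000-0000-0000-00000000000a",
   "b2bCollaborationOutbound": {
     "usersAndGroups": {"accessType": "blocked",
       "targets": [{"target": "AllUsers", "targetType": "user"}]},
     "applications": {"accessType": "blocked",
       "targets": [{"target": "AllApplications", "targetType": "application"}]}}},
  {"tenantId": "00000000-0000-0000-0000-00000000000b",
   "b2bCollaborationOutbound": null}]}""")

EVERYONE = {"usersAndGroups": "AllUsers", "applications": "AllApplications"}

def classify(setting):
    """Return 'open', 'restricted', 'blocked' or 'inherit' for one outbound setting."""
    if not setting:
        return "inherit"            # partner entry without its own override
    allowed_all = []
    for key, wildcard in EVERYONE.items():
        part = setting.get(key) or {}
        targets = {t.get("target") for t in part.get("targets") or []}
        if part.get("accessType") == "blocked" and wildcard in targets:
            return "blocked"        # either half blocked for everyone blocks access
        allowed_all.append(part.get("accessType") == "allowed" and wildcard in targets)
    return "open" if all(allowed_all) else "restricted"

def effective_states(policy):
    """Map 'default' and each partner tenantId to its effective outbound state."""
    default = classify((policy.get("default") or {}).get("b2bCollaborationOutbound"))
    states = {"default": default}
    for partner in policy.get("partners") or []:
        state = classify(partner.get("b2bCollaborationOutbound"))
        states[partner["tenantId"]] = default if state == "inherit" else state
    return states

if __name__ == "__main__":
    for tenant, state in effective_states(SAMPLE).items():
        note = "  <- users can join as guests" if state == "open" else ""
        print(f"{tenant}: {state}{note}")
```

A default of `open` means users can accept guest invitations from any external tenant, including one without Defender for Office 365; a `blocked` default with explicit `open` partner entries is the allowlist posture.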