
How to fix your MS Teams security flaw NOW

  • marketing14560
  • 2 hours ago
  • 3 min read

Happy Friday! Last month Microsoft enabled a new feature that allows any Teams user to initiate a chat, as a guest, with any email address, even one that isn't using Teams. And get this: it has been quietly enabled by default for everyone, including your company's Microsoft 365 account.


So why is this a problem? Because it creates an opportunity for bad guys to smash right into your Microsoft 365 account and disable your defenses by disabling your protection policies. Details on the attack methodology were published last week on the Ontinue cybersecurity research blog, and it's especially worrying considering how many of us use Microsoft Teams.


How criminals can use this flaw to break into your company's Microsoft 365 account:


When one of your staff accepts an invitation to join an outside Teams company chat, your security is no longer determined by your account. Instead, security is controlled entirely by the outside party. Attackers are exploiting this, and as you read this, thousands of basic Teams accounts with security policies completely switched off are being created, building the perfect trap for your staff.


Once inside your account, attackers can easily deliver phishing links and malware to your employees without any security warnings appearing. They can also steal sensitive files and conduct large-scale social engineering attacks. All from one simple click by one of your users accepting a Teams invite. Yikes.


The Takeaway


If your company is using Microsoft 365, I recommend you fix this vulnerability immediately. Here's how:


  • Restrict B2B Guest Invitations:

    Configure your B2B collaboration settings to only allow guest invitations from trusted domains

    * Go to Microsoft Entra ID → External Identities → External collaboration settings

    * Select “Allow only specific external domains” and create an allowlist


  • Implement Cross-Tenant Access Policies:

    Configure granular inbound/outbound access controls

    * Microsoft Entra ID → External Identities → Cross-tenant access settings

    * Block or restrict B2B collaboration by default

    * Only allow specific trusted organizations


  • Restrict External Teams Communication:

    In Teams Admin Center, limit external access

    * Teams Admin Center → Users → External access

    * Configure to “Allow only specific external domains”


  • User Education:

    Train users to be skeptical of unexpected Teams invitations from external sources. Also train yourself: if there is a company you want to collaborate with via Teams and have them initiate the meeting, you'll need to add them to the allowlist (step 1), and your users will need to notify you if they want to do the same.
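If you would rather script steps 2 and 3 than click through the portals (and have something you can re-run to confirm nothing has drifted back open), here is an added PowerShell example. It is not from the post or from Microsoft; it uses the documented cmdlets of the Microsoft Graph PowerShell SDK (Policy.ReadWrite.CrossTenantAccess scope) and the MicrosoftTeams module. The partner tenant ID and the partner domains are placeholders you must replace, and `Test-ExternalAccessLockdown` is a hypothetical helper name. Step 1 (the B2B guest invitation domain allowlist) is left to the Entra portal as described above.

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph
# and MicrosoftTeams modules are installed and you hold the Global Admin /
# Teams Admin roles. All domains and tenant IDs below are placeholders.

$TrustedDomains   = @('partner-one.example', 'partner-two.example')   # placeholder allowlist
$TrustedTenantIds = @('00000000-0000-0000-0000-000000000000')         # placeholder partner tenant ID

# --- Step 2: cross-tenant access settings (Entra ID > External Identities) ---
Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'

# Default policy: block inbound and outbound B2B collaboration for all users
# and all applications, so nothing is trusted unless listed as a partner.
$blockAll = @{
    usersAndGroups = @{ accessType = 'blocked'; targets = @(@{ target = 'AllUsers';        targetType = 'user' }) }
    applications   = @{ accessType = 'blocked'; targets = @(@{ target = 'AllApplications'; targetType = 'application' }) }
}
Update-MgPolicyCrossTenantAccessPolicyDefault `
    -B2BCollaborationInbound  $blockAll `
    -B2BCollaborationOutbound $blockAll

# Partner policy: re-allow B2B collaboration only for the named tenants.
$allowAll = @{
    usersAndGroups = @{ accessType = 'allowed'; targets = @(@{ target = 'AllUsers';        targetType = 'user' }) }
    applications   = @{ accessType = 'allowed'; targets = @(@{ target = 'AllApplications'; targetType = 'application' }) }
}
foreach ($tid in $TrustedTenantIds) {
    New-MgPolicyCrossTenantAccessPolicyPartner `
        -TenantId $tid `
        -B2BCollaborationInbound  $allowAll `
        -B2BCollaborationOutbound $allowAll
}

# --- Step 3: Teams external access (Teams Admin Center > Users > External access) ---
Connect-MicrosoftTeams

# Build the "allow only specific external domains" list.
$patterns  = $TrustedDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

$fedSettings = @{
    AllowFederatedUsers       = $true        # federation stays on, but only with the allowlist
    AllowedDomains            = $allowList
    AllowTeamsConsumer        = $false       # no chat with personal (consumer) Teams accounts
    AllowTeamsConsumerInbound = $false       # and no inbound requests from them either
}
Set-CsTenantFederationConfiguration @fedSettings

# --- Read the settings back so the lockdown can be verified on a schedule ---
function Test-ExternalAccessLockdown {
    # Hypothetical helper: returns $true in every field when the tenant is locked down.
    $fed = Get-CsTenantFederationConfiguration
    $def = Get-MgPolicyCrossTenantAccessPolicyDefault
    [pscustomobject]@{
        TeamsAllowedDomains      = ($fed.AllowedDomains.AllowedDomain.Domain -join ', ')
        TeamsConsumerBlocked     = (-not $fed.AllowTeamsConsumer) -and (-not $fed.AllowTeamsConsumerInbound)
        DefaultInboundB2BBlocked = ($def.B2BCollaborationInbound.UsersAndGroups.AccessType -eq 'blocked')
    }
}
Test-ExternalAccessLockdown
```

The default cross-tenant policy is deliberately set to block first and the partners are added second, so the tenant is never in an "allow everything" state between the two calls. Run `Test-ExternalAccessLockdown` from a scheduled job and alert if any field reports false or an unexpected domain, since a later admin change or a new Microsoft default can reopen what you closed here.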


Cyber criminals don't take days off. That's why we work around the clock to keep you and the community safe.


Stay safe out there.

-Attila


PS. New episode of the CyberSecured Podcast drops next week. Be sure to check it out on whatever Podcast platform you use or on our website: cypac.com/podcast


New Friday Funnies!

Why do comedians love gigs on Microsoft Teams?

No one can throw tomatoes through the screen!


How does NASA set up a conference call?

They planet.



Why couldn't Kimo take his hat off during the Teams call?

Because he had his CAPS LOCK on.


An American, Frenchman, Israeli, Spaniard, and a German are on a video call. Their boss logs in and starts the meeting by asking

"How's my connection, can everybody see me alright?"


They answer: "yes", "oui", "ken", "si", "ja"



