Microsoft Teams’ guest chat feature exposes cross-tenant blind spot

Mitigations include vetting collaborations: Jason Soroko, senior fellow at Sectigo, warns that this is not a mere “bypass bug,” but a blind spot in many organizations’ mental model of cross-tenant risk. “Security teams should respond by treating external guest access as a trust boundary that needs explicit governance rather than a convenience feature that can stay on by default,” he said.

To stay ahead of this inherent threat, Downing recommended restricting B2B guest invitation to a vetted allow-list of trusted partner domains and implementing cross-tenant access policies in Microsoft Entra ID to block suspicious guest-tenant access.

Another key mitigation is disabling the default “chat with Anyone” feature in Teams, which allows unsolicited external invitations to reach users. This is a practical step for many organizations, which can do so through the Teams admin center by tightening external policies.

Together with the Entra ID warning from September, the disclosure underscores that a real danger sits in the gaps across Microsoft tenants, where convenience defaults and misplaced trust continue to outpace security.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4097381/microsoft-teams-guest-chat-feature-exposes-cross-tenant-blind-spot.html
