Microsoft’s upcoming Teams update, scheduled for early release in November 2025 and full global rollout by January 2026, introduces a seemingly innocuous capability: users can now initiate chats with anyone via email, even if the recipient isn’t a Teams user.
The move aims to simplify cross-organization communication — enabling guest participation across devices and operating systems, from Android to macOS. Yet cybersecurity analysts caution that this “Chat with Anyone” feature may inadvertently turn Teams into a phishing gateway.
“The feature’s accessibility is also its biggest flaw,” said one security researcher. “It invites anyone — legitimate or malicious — straight into the enterprise chat ecosystem.”
Phishing by Invitation: A Growing Attack Vector
By allowing users to chat with external email addresses without prior validation, Microsoft has effectively expanded the attack surface for phishing and malware campaigns.
Cybercriminals could spoof corporate invitations, sending users fake “chat requests” laced with malicious links or attachments. Once accepted, these could deliver ransomware, spyware, or credential harvesters directly into organizational Teams channels — bypassing traditional email defenses.
Experts warn this mirrors OAuth-style phishing campaigns, where attackers impersonate trusted platforms to gain token-based access to sensitive data. In hybrid work environments, a simple forged chat invite could compromise entire departments.
For example, a marketing executive exchanging files with a “prospective client” via Teams might unknowingly share proprietary documents or click on an infected link — handing intruders a foothold inside the network.
Microsoft’s Balancing Act: Innovation vs. Exposure
While Microsoft insists the feature is governed by Entra B2B Guest policies, these still allow guest users to operate within an organization’s communication boundary. This blurs visibility for administrators and could result in unintentional data leaks or GDPR compliance risks.
In a recent advisory, Microsoft acknowledged that the change “affects all users” and urged IT departments to update internal documentation and security policies. But with the feature enabled by default, many organizations might remain unaware of the added risk until after an incident — echoing past oversights like the SolarWinds supply-chain breach, where misconfigured systems fueled widespread compromise.
“Convenience always comes first in feature rollouts,” said a UK-based cybersecurity analyst. “Security catches up only after the damage is visible.”
Admin Controls and the Road to Safer Collaboration
Administrators can disable the new feature using PowerShell by setting the UseB2BInvitesToAddExternalUsers attribute in TeamsMessagingPolicy to false. This effectively blocks unsolicited external chat invitations, restoring stricter access controls.
Experts recommend combining this with:
Multi-Factor Authentication (MFA) across all Teams accounts.
Regular audits of guest user activity.
User awareness training to recognize phishing lures within collaboration tools.
Ultimately, the controversy reflects a broader industry dilemma — how to balance connectivity with containment in modern workplaces. As digital collaboration platforms become the new corporate perimeter, security lapses can no longer be treated as isolated incidents.
“Teams is no longer just a chat app,” said a senior analyst at a global threat-intelligence firm. “It’s a live environment — and every open door is a potential breach.”
