Microsoft’s New Teams Update Raises Security Concerns Over Email-Based Chat Feature

Microsoft is rolling out a new Teams feature that lets users start chats using just an email address — even if the recipient isn’t a Teams user. The update, launching for targeted users in early November 2025 and expected to reach everyone by January 2026, aims to make collaboration easier. But cybersecurity experts warn it could open the door to phishing and malware attacks.


The new capability allows external users to join Teams conversations as guests through email invitations, working across Android, iOS, desktop, Linux, and Mac. While designed for convenience and flexible work, the feature is enabled by default, which security professionals say significantly increases the risk of cyberattacks.

Experts caution that attackers could exploit the feature by sending fake “chat invites” that appear to come from trusted business partners. These could trick employees into clicking malicious links or sharing sensitive information, potentially leading to credential theft, ransomware infections, or data breaches.

“Allowing chat initiations based solely on email addresses without validation creates a large attack surface,” one cybersecurity analyst said. “It’s a perfect setup for phishing campaigns disguised as legitimate business communication.”

Such attacks could also bypass traditional email filters and security systems since the malware or phishing attempt would enter through Teams rather than email. In hybrid workplaces, where communication with external contacts is frequent, the risks are even higher.

Microsoft acknowledged the potential issues, noting that chats will still follow Entra B2B Guest policies and remain within organizational boundaries. However, data exposure remains a concern, especially if employees unknowingly share confidential information with impersonators.

Administrators can disable the new feature through PowerShell by setting the UseB2BInvitesToAddExternalUsers attribute in TeamsMessagingPolicy to “false.” Cybersecurity experts recommend doing so until stronger safeguards are in place.
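The following PowerShell is an added example, not code from the article or from Microsoft: it audits every Teams messaging policy for the setting named above, turns it off wherever it is still enabled, and verifies the result. It assumes the MicrosoftTeams PowerShell module is installed and that the attribute the article names, UseB2BInvitesToAddExternalUsers, is exposed as a parameter of Set-CsTeamsMessagingPolicy with that exact name.

```powershell
# Added example (not from the article): audit, remediate and verify the
# email-based external chat setting across all Teams messaging policies.
# Assumption: the article's attribute name is the cmdlet parameter name.

Connect-MicrosoftTeams

# 1. Audit: find every messaging policy that still allows B2B email invites.
$policies = Get-CsTeamsMessagingPolicy
$enabled  = $policies | Where-Object { $_.UseB2BInvitesToAddExternalUsers -eq $true }

if ($enabled) {
    Write-Host "Policies that still allow email-based external chat:"
    $enabled | Select-Object Identity, UseB2BInvitesToAddExternalUsers | Format-Table -AutoSize
} else {
    Write-Host "No messaging policy allows email-based external chat."
}

# 2. Remediate: disable the setting on each affected policy.
#    Identity values come back as 'Global' or 'Tag:<PolicyName>' and can be
#    passed straight back to Set-CsTeamsMessagingPolicy.
foreach ($p in $enabled) {
    Set-CsTeamsMessagingPolicy -Identity $p.Identity -UseB2BInvitesToAddExternalUsers $false
    Write-Host "Disabled email-based external chat on policy '$($p.Identity)'"
}

# 3. Verify: re-read tenant configuration and fail loudly if anything is still on.
$stillOn = Get-CsTeamsMessagingPolicy | Where-Object { $_.UseB2BInvitesToAddExternalUsers -eq $true }
if ($stillOn) {
    throw "Setting still enabled on: $($stillOn.Identity -join ', ')"
}
Write-Host "Verified: email-based external chat is disabled on all messaging policies."
```

Add -WhatIf to the Set-CsTeamsMessagingPolicy call to preview changes first; policy edits can take time to reach clients, so the verification step confirms tenant configuration rather than what users currently see.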

They also advise companies to use multi-factor authentication, regularly review Teams policies, and train employees to recognize phishing and social engineering attempts.

The update highlights a growing challenge for tech companies: balancing user convenience with robust security. As collaboration tools like Teams evolve, proactive defense measures will be crucial to prevent convenience features from becoming gateways for cybercriminals.
