
Microsoft Teams has become a staple of corporate communication, prompting companies to invest heavily in tools like Microsoft Defender for Office 365 to protect against phishing, malware, and malicious links.

However, new research from security firm Ontinue reveals a critical flaw in how Teams handles external collaboration through B2B Guest Access. Rather than users staying protected by their own organization’s security environment, guest activity is governed entirely by the hosting organization’s policies.

The problem isn’t a software bug, but an architectural weakness. When employees join another company’s Teams environment as a guest, they immediately lose all of their home security protections, including Safe Links and Zero-hour Auto Purge. Ontinue found that attackers can exploit this by creating their own Teams tenants with no security controls enabled. With even a low-cost or free trial Microsoft 365 account, threat actors can build a “protection-free zone” where malicious files and links can be delivered without detection.

The danger is magnified by a recent Teams feature update that allows users to message any email address by default. A victim who clicks a legitimate-looking Microsoft invitation can enter an unprotected tenant with a single click. Since most organizations still allow unrestricted guest access, attackers can easily launch phishing attacks, deliver malware, and extract sensitive information—without triggering any security alerts.

Experts urge immediate action, stressing that this is a configuration issue, not a patchable flaw. Security leaders recommend restricting guest access to trusted domains only and enforcing strict monitoring of external collaboration. As Keeper Security’s CISO Shane Barney warned, the familiar Teams interface can create a false sense of safety. Until Microsoft addresses the issue, organizations must proactively restrict B2B meetings and enforce policies that prevent users from entering untrusted environments.
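As an added illustration of the monitoring recommendation (not code from Ontinue or Microsoft), the sketch below scans exported sign-in records for employees who entered another tenant as a B2B guest when that tenant is not on a trusted allowlist. The tenant IDs, users and log lines are constructed, and the field names (`homeTenantId`, `resourceTenantId`, `crossTenantAccessType`) are assumed to match a Microsoft Entra sign-in log export in JSON-lines form.

```python
import json

HOME_TENANT = "11111111-1111-1111-1111-111111111111"       # constructed: our own tenant
TRUSTED_TENANTS = {"22222222-2222-2222-2222-222222222222"}  # constructed allowlist
UNKNOWN = "99999999-9999-9999-9999-999999999999"            # constructed: unvetted host

def _rec(user, home, resource, kind, ts):
    # Helper that builds one constructed sign-in record as a JSON line.
    return json.dumps({"userPrincipalName": user, "homeTenantId": home,
                       "resourceTenantId": resource, "crossTenantAccessType": kind,
                       "appDisplayName": "Microsoft Teams", "createdDateTime": ts})

SAMPLE_LOG = [  # constructed sample data, not real telemetry
    _rec("alice@example.com", HOME_TENANT, HOME_TENANT, "none", "2025-01-10T08:00:00Z"),
    _rec("alice@example.com", HOME_TENANT, sorted(TRUSTED_TENANTS)[0],
         "b2bCollaboration", "2025-01-10T08:10:00Z"),
    _rec("bob@example.com", HOME_TENANT, UNKNOWN, "b2bCollaboration", "2025-01-10T09:00:00Z"),
    _rec("carol@example.com", HOME_TENANT, UNKNOWN, "b2bCollaboration", "2025-01-10T08:30:00Z"),
    _rec("bob@example.com", HOME_TENANT, UNKNOWN, "b2bCollaboration", "2025-01-10T09:05:00Z"),
    _rec("guest@partner.example", "33333333-3333-3333-3333-333333333333",
         HOME_TENANT, "b2bCollaboration", "2025-01-10T09:30:00Z"),  # inbound guest, ignored
    "not json",  # malformed export line
]

def untrusted_guest_access(lines, home=HOME_TENANT, trusted=frozenset(TRUSTED_TENANTS)):
    """Group outbound guest sign-ins by host tenant when the host is not allowlisted."""
    findings = {}
    for raw in lines:
        try:
            rec = json.loads(raw)
        except (json.JSONDecodeError, TypeError):
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        ht = str(rec.get("homeTenantId", "")).lower()
        rt = str(rec.get("resourceTenantId", "")).lower()
        # Keep only our users signing in to a foreign tenant that is not trusted.
        if ht != home or not rt or rt == home or rt in trusted:
            continue
        if rec.get("crossTenantAccessType", "b2bCollaboration") != "b2bCollaboration":
            continue
        f = findings.setdefault(rt, {"users": set(), "count": 0, "first_seen": None})
        f["users"].add(rec.get("userPrincipalName", "unknown"))
        f["count"] += 1
        ts = rec.get("createdDateTime")
        if ts and (f["first_seen"] is None or ts < f["first_seen"]):
            f["first_seen"] = ts
    return {t: {**f, "users": sorted(f["users"])} for t, f in findings.items()}

if __name__ == "__main__":
    for tenant, finding in untrusted_guest_access(SAMPLE_LOG).items():
        print(tenant, finding)
```

Each flagged tenant is a candidate either for the trusted-domain allowlist or for blocking in outbound cross-tenant access settings.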
